The answers are below, quoted with "==>".

I think the best choice is to re-install the box, since I cannot see anything bad in the logs.

-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Michael Yep
Sent: Friday, September 09, 2005 3:07 PM
To: For users of Fedora Core releases
Subject: Re: Have I been hacked? Shadow file deleted

What type of an install did you do? Full?
==> No, custom install with the minimum software required: dovecot, sendmail etc.

Did you do yum updates?
==> Yes, the system is up-to-date, but it was exposed to the internet for 8 hours before I updated it with yum

Do you run tripwire, or any other auditing tools?
==> No, it was an error! I will do that next time!

Is the machine wide open to the net?
==> Yes, and I use iptables as firewall

Do you have the firewall turned on?
==> Yes, see above.

See anything unusual in any logs, last, who, uptime, lsof, netstat?
==> No, that's what is driving me crazy. The logs tell me that one box tried to use my sshd twice, and its connection was refused. Since then, I disabled sshd.

you can also do something like this

[root@localhost ~]# cat trip
#!/bin/bash
# Take one timestamp so that all four file names match
STAMP=`date +%Y%m%d-%H%M%S`
MHFILE=$HOSTNAME-$STAMP.md5
SHFILE=$HOSTNAME-$STAMP.sha1
ZFILE=$HOSTNAME-$STAMP.zip
FLIST=flist-$STAMP
# Work in /root so that zip and rm find the files written below
cd /root || exit 1
/bin/echo "1/4 Building file list . . ."
/usr/bin/find /bin /boot /etc /lib /misc /mnt /net /opt /root /sbin /srv /usr /var -type f > /root/$FLIST
/bin/echo "2/4 MD5 Hashing . . ."
# Split the list on newlines only, so names containing spaces are hashed
/bin/cat /root/$FLIST | /usr/bin/tr '\n' '\0' | /usr/bin/xargs -0 /usr/bin/md5sum > /root/$MHFILE
/bin/echo "3/4 SHA1 Hashing . . ."
/bin/cat /root/$FLIST | /usr/bin/tr '\n' '\0' | /usr/bin/xargs -0 /usr/bin/sha1sum > /root/$SHFILE
/bin/echo "4/4 Zipping . . ."
/usr/bin/zip /root/$ZFILE $MHFILE $SHFILE $FLIST
# Only the zip archive is kept
/bin/rm $MHFILE $SHFILE $FLIST
/bin/echo "Done"

to create hash sets of a clean installed system; then, when you suspect a problem, you can see what files have been added, removed or changed

milvertito wrote:

>if you're in doubt, re-install everything from scratch, it makes a big
>difference
>
>
>-----Original Message-----
>From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx]
>On Behalf Of Scot L. Harris
>Sent: Friday, September 09, 2005 4:11 PM
>To: 'For users of Fedora Core releases'
>Subject: RE: Have I been hacked? Shadow file deleted
>
>On Fri, 2005-09-09 at 10:57, Jose Luis Hime wrote:
>
>
>>Only I have the root password, that I change every time the shadow
>>file is deleted. The passwd file is ok, also.
>>
>>The shadow has the following permissions:
>> -r-------- 1 root root 8233 Sep 9 10:01 shadow
>>
>>No crontab, at or other scheduled jobs.
>>
>>No suspect process in "ps".
>>
>>So... the last resort is really to re-install my box.
>>
>>Can I use the "update" method to fix any problems without destroying
>>my installation? It took me 3 days to complete it!
>>
>>Thanks in any way!
>>
>>
>
>Are you running anything like phpbb or postnuke or similar type packages?
>These have had many exploits in the past. You would need to make sure you
>have these fully patched or don't run them.
>
>If you think the system has actually been compromised you don't really have
>any choice but to do a bare metal install.
>
>Have you tried disconnecting the system from the network to see if the
>shadow file continues to disappear? That might isolate the problem to
>something running on the system vs. someone doing it from outside the
>system.
>
>But if you think the system is compromised your only choice is to reinstall.
>
>
>--
>fedora-list mailing list
>fedora-list@xxxxxxxxxx
>To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>

--
Michael Yep
Development / Technical Operations
RemoteLink, Inc.
(630) 983-0072 x164
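
The comparison step that the hash sets from the trip script in this thread are meant for, as an added example that is not part of the original messages: it reads two lists in md5sum/sha1sum output format and reports which files were added, removed or changed. The names compare_hashsets and demo_hashsets, and the sample paths and placeholder hashes, are constructed for illustration.

```shell
#!/bin/bash
# Added example. Usage: compare_hashsets BASELINE CURRENT
# Prints "ADDED|CHANGED|REMOVED <path>" sorted by path; returns 0 when the
# two lists match and 1 when anything differs.
compare_hashsets() {
    local report
    report=$(awk '
        # A line is "HASH  PATH" (or "HASH *PATH"); PATH may contain spaces.
        function parse(line,    sp) {
            sp = index(line, " ")
            hash = substr(line, 1, sp - 1)
            path = substr(line, sp + 2)
        }
        BEGIN {
            # Load the baseline first, then let awk read only the current list.
            while ((getline line < ARGV[1]) > 0) { parse(line); base[path] = hash }
            close(ARGV[1]); ARGV[1] = ""
        }
        {
            parse($0); seen[path] = 1
            if (!(path in base))         print "ADDED " path
            else if (base[path] != hash) print "CHANGED " path
        }
        END { for (path in base) if (!(path in seen)) print "REMOVED " path }
    ' "$1" "$2" | LC_ALL=C sort -k2)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
# Constructed sample data (placeholder hashes, not real ones).
demo_hashsets() {
    local dir rc
    dir=$(mktemp -d)
    cat > "$dir/clean.md5" <<'EOF'
11111111111111111111111111111111  /etc/passwd
22222222222222222222222222222222  /etc/shadow
33333333333333333333333333333333  /bin/ls
EOF
    cat > "$dir/now.md5" <<'EOF'
11111111111111111111111111111111  /etc/passwd
99999999999999999999999999999999  /bin/ls
55555555555555555555555555555555  /usr/bin/newtool
EOF
    compare_hashsets "$dir/clean.md5" "$dir/now.md5"; rc=$?
    rm -rf "$dir"
    return "$rc"
}
demo_hashsets || true
```

To use it, unzip the clean-install archive and a fresh run and pass the two .md5 (or .sha1) files. Keep the baseline archive off the machine so it cannot be altered along with the files it describes.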