On Fri, 2009-02-27 at 12:49 -0800, Jack Lauman wrote:
> On Feb 25, between 1753-2046 PST several of my Fedora Core 9 machines
> were compromised. All had the latest patches applied.
>
> 1. Only the installed user accounts are on these machines. The root user
> password is long with upper/lower case characters with numerals &
> punctuation. It is unlikely this was cracked.
>
> 2. All log files were deleted.
>
> 3. The following users were deleted: 'root',
> mysql
> apache
> sshd
> dbus
> haldaemon
> dovecot
> gdm
> smmsp
>
> 4. The machine can only be accessed in 'single user' mode. Using
> 'passwd' to reset the root password fails with: "passwd: User not known
> to the underlying authentication module."
>
> Any help on resolving this would be appreciated. I need to get data off
> these before re-installation.
>
> Have any other incidents like this been reported lately?

----
The problem isn't Fedora 9, it's the person setting it up and maintaining it.

These days, the most likely way someone would own a computer would be to connect via ssh using a brute force method, but it could be something as simple as users who can get pop3 e-mail and also have shell access: capturing an unsecured login on pop3 will allow someone a local shell, and when that happens, it's likely only a matter of time before they get root. SELinux is designed to limit the opportunities available when things like this happen.

Seems to me if you have a number of boxes that were compromised, they probably all shared the same 'root' password and that was definitely hacked. You might parse /etc/passwd to see what account has uid = 0.

You should not have any of these machines connected to the Internet. You should be aware of the likelihood that these machines have keyloggers installed on them which will capture anything you type. Yes, you need to get data off the system and completely re-install.

Your question however is unclear. If you want to add 'root' back in, something like this should work...

    useradd -o -u 0 -g 0 -d /root -M root

and then 'passwd root' to set the password.

Craig

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
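The /etc/passwd check suggested in the reply, written out as a small audit script. This is an added example, not code from the thread: it parses passwd(5)-format text, reports which of the accounts the original poster listed are missing, and flags every UID-0 entry (the sample file content and the account name 'toor' are constructed for illustration).

```python
# Added example (not from the mailing-list thread): audit an /etc/passwd-format
# file for the symptoms described above: missing 'root' and service accounts,
# and any account that holds UID 0. Sample content below is constructed.
from typing import List, Dict

# Service accounts the original poster reported deleted (plus root itself).
EXPECTED_ACCOUNTS = ["root", "mysql", "apache", "sshd", "dbus",
                     "haldaemon", "dovecot", "gdm", "smmsp"]

# Constructed sample: root and most service accounts removed, one
# unexpected UID-0 account ('toor') added. Not from a real system.
SAMPLE_PASSWD = """\
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
jack:x:500:500:Jack:/home/jack:/bin/bash
toor:x:0:0::/tmp:/bin/bash
"""


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd(5) lines into dicts; skip blank or malformed lines."""
    fields = ["name", "passwd", "uid", "gid", "gecos", "home", "shell"]
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue  # malformed line: worth a look, but do not crash on it
        entries.append(dict(zip(fields, parts)))
    return entries


def audit_passwd(text: str) -> Dict[str, List[str]]:
    """Return the findings a responder would check first on a suspect box."""
    entries = parse_passwd(text)
    names = {e["name"] for e in entries}
    uid0 = [e["name"] for e in entries if int(e["uid"]) == 0]
    return {
        "missing": [n for n in EXPECTED_ACCOUNTS if n not in names],
        "uid0": uid0,
        "unexpected_uid0": [n for n in uid0 if n != "root"],
    }


if __name__ == "__main__":
    # On a live system you would pass open("/etc/passwd").read() instead.
    for key, val in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{key}: {val}")
```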