On Fri, 2009-02-27 at 12:49 -0800, Jack Lauman wrote:
> On Feb 25, between 1753-2046 PST several of my Fedora Core 9 machines
> were compromised. All had the latest patches applied.
>
> 1. Only the installed user accounts are on these machines. The root user
> password is long with upper/lower case characters with numerals &
> punctuation. It is unlikely this was cracked.
>
> 2. All log files were deleted.
>
> 3. The following users were deleted 'root':
> mysql
> apache
> sshd
> dbus
> haldaemon
> dovecot
> gdm
> smmsp
>
> 4. The machine can only be accessed in 'single user' mode. Using
> 'passwd' to reset the root password fails with: "passwd: User not known
> to the underlying authentication module."

I would edit /etc/passwd and /etc/group to restore root entries. Give root no passwd. Then log in as root, go to user level 3 and change the root passwd to whatever you want.

>
> Any help on resolving this would be appreciated. I need to get data off
> these before re-installation.
>
> Have any other incidents like this been reported lately?
>
> Thanks,
>
> Jack
>
--
=======================================================================
Don't I know you?
=======================================================================
Aaron Konstam telephone: (210) 656-0355 e-mail: akonstam@xxxxxxxxxxxxx
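
A check to run before and after hand-editing the account files as the reply suggests: this added example (not part of either message) reports which of the accounts named in the post are missing from passwd, shadow and group under a mounted system root, and which accounts hold UID 0. The sysroot argument, the assumption that each account has a same-named group, and the sample tree built by `make_sample` are all constructed for illustration.

```shell
#!/bin/bash
# Added example. Account names are the ones listed in the post; the sysroot
# path (where the damaged disk is mounted) is an assumption.
ACCOUNTS="root mysql apache sshd dbus haldaemon dovecot gdm smmsp"

# has_entry FILE NAME: succeed if FILE has a line whose first field is NAME.
has_entry() {
    [ -r "$1" ] && awk -F: -v n="$2" '$1 == n { f = 1 } END { exit !f }' "$1"
}

# missing_accounts SYSROOT: print "name:db" for each entry that is absent.
# Assumes every account also has a group of the same name.
missing_accounts() {
    local name db
    for name in $ACCOUNTS; do
        for db in passwd shadow group; do
            has_entry "$1/etc/$db" "$name" || echo "$name:$db"
        done
    done
}

# uid0_accounts SYSROOT: print every account with UID 0; only root should appear.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1/etc/passwd"
}

# make_sample DIR: constructed sample tree, not data from the incident.
make_sample() {
    mkdir -p "$1/etc"
    printf '%s\n' 'bin:x:1:1:bin:/bin:/sbin/nologin' \
                  'toor:x:0:0::/root:/bin/bash' \
                  'sshd:x:74:74::/var/empty/sshd:/sbin/nologin' > "$1/etc/passwd"
    printf '%s\n' 'bin:*:14000:0:99999:7:::' 'sshd:!!:14000::::::' > "$1/etc/shadow"
    printf '%s\n' 'root:x:0:' 'bin:x:1:' > "$1/etc/group"
}

# Usage: script SYSROOT (for example the directory where the disk is mounted).
if [ -n "${1:-}" ]; then
    missing_accounts "$1"
    uid0_accounts "$1"
fi
```
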