Sounds like a naughty user on the box....

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Jack Lauman
Sent: Friday, February 27, 2009 5:07 PM
To: Community assistance, encouragement, and advice for using Fedora.
Subject: Re: FC9 Compromised...

I yanked the drive and scanned it in a clean machine. Nothing found.

I'm reasonably sure the problem originated internally. (No further comment on this.)

Thanks

Craig White wrote:
> On Fri, 2009-02-27 at 13:32 -0800, Jack Lauman wrote:
>> Craig White wrote:
>>
>>> The problem isn't Fedora 9, it's the person setting it up and maintaining it. These days, the most likely way someone would own a computer would be to connect via ssh using a brute force method, but it could be something as simple as users who can get pop3 e-mail and also have shell access, so capturing an unsecured login on pop3 will allow someone a local shell, and when that happens, it's likely only a matter of time before they get root. SELinux is designed to limit the opportunities available when things like this happen.
>>>
>>> Seems to me if you have a number of boxes that were compromised, they probably all shared the same 'root' password and that was definitely hacked.
>>
>> Disagree, if anyone used the root password they had to know what it was... 27 characters
>
> ----
> I'm going to let this pass...
> ----
>
>> It's probable that they got in through a pop3 account on one machine.
>
> ----
> and then broke the system with a key logger or some unpatched local exploit. It would stand to reason that they got your root password somehow if they got onto several boxes unless you used passwordless ssh keys between them.
>
> Bad idea to allow users to access pop3 and have a valid shell and ssh access.
> ----
>
>>> You might parse /etc/passwd to see what account has uid = 0
>>
>> It exists...
>>
>>> You should not have any of these machines connected to the Internet. You should be aware of the likelihood that these machines have keyloggers installed on them which will capture anything you type.
>>
>> No rootkits found, no trojans or viruses found.
>
> ----
> I don't know that I would implicitly trust whatever you used to come to that conclusion.
> ----
>
>>> Yes, you need to get data off the system and completely re-install.
>>>
>>> Your question however is unclear. If you want to add 'root' back in, something like this should work...
>>
>> Yes, I need to add root back in...
>>
>>> useradd -u 0 -g 0 -h /root
>>> and then 'passwd root' to set the password
>>
>> doesn't work... /etc/shadow is missing.
>
> ----
> Sort of screwed...time spent trying to make this system work is likely wasted.
>
> set up a computer with a large hard drive and get it working. Shut down and connect hard drive from this box and copy data files to the new hard drive. This may be a problem if you had hardware raid.
>
> Craig

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
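A defender-side version of the "parse /etc/passwd to see what account has uid = 0" check from the thread, added here as an example and not taken from any poster. It audits a passwd-format file for uid-0 accounts and for a missing 'root' entry, and runs against a constructed sample file (the function names and the 'toor' account are assumptions for the demo), so it can be tried offline before pointing it at a pulled drive mounted read-only.

```shell
#!/bin/sh
# Write a constructed passwd file that mimics the state described in the
# thread: the 'root' entry is gone and a second uid-0 account is present.
# Assumption: this is demo data, not a copy of any real /etc/passwd.
make_sample_passwd() {
  cat > "$1" <<'EOF'
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
jack:x:500:500:Jack:/home/jack:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
}

# Print the name of every account whose uid field (field 3) is 0.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# Exit 0 if an entry named 'root' exists in the file, 1 otherwise.
has_root_account() {
  awk -F: '$1 == "root" { found = 1 } END { if (found) exit 0; exit 1 }' "$1"
}

# Audit one passwd file: every uid-0 account other than 'root' and a
# missing 'root' entry are both reported, and the exit status is 1 if
# anything was flagged, 0 if the file looks normal.
audit_passwd() {
  f=$1
  status=0
  for name in $(uid0_accounts "$f"); do
    if [ "$name" = root ]; then
      echo "ok: root has uid 0"
    else
      echo "ALERT: unexpected uid-0 account '$name' in $f"
      status=1
    fi
  done
  if ! has_root_account "$f"; then
    echo "ALERT: no 'root' entry in $f"
    status=1
  fi
  return $status
}

# Usage on the demo data; replace the path with a mounted image's
# etc/passwd to audit a drive pulled from a suspect machine.
tmp=$(mktemp)
make_sample_passwd "$tmp"
audit_passwd "$tmp"
rm -f "$tmp"
```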