Have I been hacked? Shadow file deleted

Michael Yep myep at remotelink.com
Fri Sep 9 18:07:17 UTC 2005


What type of an install did you do?  Full?
Did you do yum updates?
Do you run tripwire, or any other auditing tools?
Is the machine wide open to the net?
Do you have the firewall turned on?
See anything unusual in any logs, last, who, uptime, lsof, netstat?

You can also do something like this:
[root at localhost ~]# cat trip
#!/bin/sh
# Take the timestamp once so all four output names carry the same stamp
STAMP=`date +%Y%m%d-%H%M%S`
MHFILE=$HOSTNAME-$STAMP.md5
SHFILE=$HOSTNAME-$STAMP.sha1
ZFILE=$HOSTNAME-$STAMP.zip
FLIST=flist-$STAMP
# Work in /root so the zip and rm steps find the files they name
cd /root || exit 1
/bin/echo "1/4 Building file list . . ."
/usr/bin/find /bin /boot /etc /lib /misc /mnt /net /opt /root /sbin /srv /usr /var -type f > $FLIST
/bin/echo "2/4 MD5 Hashing . . ."
/usr/bin/xargs /usr/bin/md5sum < $FLIST > $MHFILE
/bin/echo "3/4 SHA1 Hashing . . ."
/usr/bin/xargs /usr/bin/sha1sum < $FLIST > $SHFILE
/bin/echo "4/4 Zipping . . ."
/usr/bin/zip $ZFILE $MHFILE $SHFILE $FLIST
/bin/rm $MHFILE $SHFILE $FLIST
/bin/echo "Done"

to create hash sets of a cleanly installed system. Then, when you suspect a
problem, you can see what files have been added, removed or changed.



milvertito wrote:

>if you're in doubt, reinstall everything from scratch, it makes a big
>difference
> 
>
>-----Original Message-----
>From: fedora-list-bounces at redhat.com [mailto:fedora-list-bounces at redhat.com]
>On Behalf Of Scot L. Harris
>Sent: Friday, September 09, 2005 4:11 PM
>To: 'For users of Fedora Core releases'
>Subject: RE: Have I been hacked? Shadow file deleted
>
>On Fri, 2005-09-09 at 10:57, Jose Luis Hime wrote:
>  
>
>>Only I have the root password, that I change every time the shadow 
>>file is deleted. The passwd file is ok, also.
>>
>>The shadow has the following permissions:
>>	-r--------  1 root root 8233 Sep  9 10:01 shadow
>>
>>No crontab, at or other scheduled jobs.
>>
>>No suspect process in "ps".
>>
>>So... the last resort is really to re-install my box.
>>
>>Can I use the "update" method to fix any problems without destroying 
>>my installation? It took me 3 days to complete it!
>>
>>Thanks in any way!
>>    
>>
>
>Are you running anything like phpbb or postnuke or similar type packages?
>These have had many exploits in the past.  You would need to make sure you
>have these fully patched or don't run them.
>
>If you think the system has actually been compromised you don't really have
>any choice but to do a bare metal install.
>
>Have you tried disconnecting the system from the network to see if the
>shadow file continues to disappear?  That might isolate the problem to
>something running on the system vs. someone doing it from outside the
>system.
>
>But if you think the system is compromised your only choice is to reinstall.
>
>
>--
>fedora-list mailing list
>fedora-list at redhat.com
>To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>

-- 
Michael Yep
Development / Technical Operations
RemoteLink, Inc.
(630) 983-0072 x164 
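The comparison step that the `trip` script above leaves for later, as an added example that is not part of the original post: it parses two md5sum-style manifests (the baseline from the clean install, kept off the host, and a fresh run on the suspect system) and reports which files were added, removed or changed. The two manifests below are constructed sample data, not output from a real machine.

```python
import re
from typing import Dict, List

# md5sum/sha1sum line format: "<hex>  <path>" (two spaces; '*' marks binary mode)
_LINE = re.compile(r"^([0-9a-fA-F]{32,40})\s[ *](.+)$")


def parse_manifest(text: str) -> Dict[str, str]:
    """Map each path to its hash. Lines that are not hash+path are skipped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line.rstrip("\n"))
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def compare_manifests(baseline_text: str, current_text: str) -> Dict[str, List[str]]:
    """Return sorted lists of paths added, removed and changed since the baseline."""
    base = parse_manifest(baseline_text)
    cur = parse_manifest(current_text)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = sorted(p for p in set(base) & set(cur) if base[p] != cur[p])
    return {"added": added, "removed": removed, "changed": changed}


# Constructed sample manifests (not from a real host). Hash values are made up;
# only equality between the two runs matters.
BASELINE = """\
d41d8cd98f00b204e9800998ecf8427e  /etc/shadow
0cc175b9c0f1b6a831c399e269772661  /bin/ls
92eb5ffee6ae2fec3ad71c777531578f  /sbin/init
4a8a08f09d37b73795649038408b5f33  /etc/cron.daily/logrotate
"""

CURRENT = """\
0cc175b9c0f1b6a831c399e269772661  /bin/ls
e1671797c52e15f763380b45e841ec32  /sbin/init
4a8a08f09d37b73795649038408b5f33  /etc/cron.daily/logrotate
8fa14cdd754f91cc6554c9e71929cce7  /etc/cron.daily/.update
"""

if __name__ == "__main__":
    for kind, paths in compare_manifests(BASELINE, CURRENT).items():
        for p in paths:
            print(f"{kind:8} {p}")
```

In the sample, the missing /etc/shadow shows up under removed, the modified /sbin/init under changed, and the unexpected cron file under added.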