[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: FC9 Compromised...
- From: Aaron Konstam <akonstam sbcglobal net>
- To: "Community assistance, encouragement, and advice for using Fedora." <fedora-list redhat com>
- Subject: Re: FC9 Compromised...
- Date: Fri, 27 Feb 2009 15:25:45 -0600
On Fri, 2009-02-27 at 12:49 -0800, Jack Lauman wrote:
> On Feb 25, between 1753-2046 PST several of my Fedora Core 9 machines
> were compromised. All had the latest patches applied.
>
> 1. Only the installed user accounts are on these machines. The root user
> password is long with upper/lower case characters with numerals &
> punctuation. It is unlikely this was cracked.
>
> 2. All log files were deleted.
>
> 3. The following users were deleted 'root':
> mysql
> apache
> sshd
> dbus
> haldaemon
> dovecot
> gdm
> smmsp
>
> 4. The machine can only be accessed in 'single user' mode. Using
> 'passwd' to reset the root password fails with: "passwd: User not known
> to the underlying authentication module."
I would edit /etc/passwd and /etc/group to restore root entries . Give
root no passwd. Then login as root go to user level 3 and change the
root passwd to whatever you want.
>
> Any help on resolving this would be appreciated. I need to get data off
> these before re-installation.
>
> Have any other incidents like this been reported lately?
>
> Thanks,
>
> Jack
>
--
=======================================================================
Don't I know you?
=======================================================================
Aaron Konstam telephone: (210) 656-0355 e-mail: akonstam sbcglobal net
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]