[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: Have I been hacked? Shadow file deleted

The answers are below, quoted with "==>". I think the best choice is to
re-install the box, since I cannot see anything bad in the logs.

-----Original Message-----
From: fedora-list-bounces redhat com [mailto:fedora-list-bounces redhat com]
On Behalf Of Michael Yep
Sent: Friday, September 09, 2005 3:07 PM
To: For users of Fedora Core releases
Subject: Re: Have I been hacked? Shadow file deleted

What type of an install did you do?  Full?  
==>	No, custom install with the minimum software required: dovecot,
	sendmail etc.
Did you do yum updates?
==>	Yes, the system is up-to-date, but it was exposed to internet for 8 
	hours before I updated it with yum
Do you run tripwire, or any other auditing tools? 
==>	No, it was na error! I will do that next time!
Is the machine wide open to the net?
==>	Yes, and I use iptables as firewall
Do you have the firewall turned on?
==>	Yes, see above.
See anything unusual in any logs, last, who, uptime, lsof, netstat ?
==>	No, thatá what is driving me crazy. The logs tell me that 
	One box tried to use my sshd twice, and its connection was refused.
	Since then, I disabled sshd.

you can also do something like this
[root localhost ~]# cat trip
MHFILE=$HOSTNAME-`date +%Y%m%d-%H%M%S`.md5
SHFILE=$HOSTNAME-`date +%Y%m%d-%H%M%S`.sha1
ZFILE=$HOSTNAME-`date +%Y%m%d-%H%M%S`.zip
FLIST=flist-`date +%Y%m%d-%H%M%S`
/bin/echo "1/4 Building file list . . ."
/usr/bin/find /bin /boot /etc /lib /misc /mnt /net /opt /root /sbin /srv 
/usr /var -type f > /root/$FLIST
/bin/echo "2/4 MD5 Hashing . . ."
/bin/cat /root/$FLIST | /usr/bin/xargs /usr/bin/md5sum > /root/$MHFILE
/bin/echo "3/4 SHA1 Hashing . . ."
/bin/cat /root/$FLIST | /usr/bin/xargs /usr/bin/sha1sum > /root/$SHFILE
/bin/echo "4/4 Zipping . . ."
/usr/bin/zip /root/$ZFILE $MHFILE $SHFILE $FLIST
/bin/echo "Done"

to create hash sets of a clean installed system
then when you suspect a problem you can see what files have been added, 
removed or changed

milvertito wrote:

>if you're in doubt, re install everything from scratch, it makes a big
>-----Original Message-----
>From: fedora-list-bounces redhat com
[mailto:fedora-list-bounces redhat com]
>On Behalf Of Scot L. Harris
>Sent: Friday, September 09, 2005 4:11 PM
>To: 'For users of Fedora Core releases'
>Subject: RE: Have I been hacked? Shadow file deleted
>On Fri, 2005-09-09 at 10:57, Jose Luis Hime wrote:
>>Only I have the root password, that I change every time the shadow 
>>file is deleted. The passwd file is ok, also.
>>The shadow has the following permissions:
>>	-r--------  1 root root 8233 Sep  9 10:01 shadow
>>No crontab, at or other scheduled jobs.
>>No suspect process in "ps".
>>So... the last resort is really to re-install my box.
>>Can I use the "update" method to fix any problems without destroying 
>>my installation? It took me 3 days to complete it!
>>Thanks in any way!
>Are you running anything like phpbb or postnuke or similar type packages?
>These have had many exploits in the past.  You would need to make sure you
>have these fully patched or don't run them.
>If you think the system has actually been compromised you don't really have
>any choice but to do a bare metal install.
>Have you tried disconnecting the system from the network to see if the
>shadow file continues to disappear?  That might isolate the problem to
>something running on the system vs. someone doing it from outside the
>But if you think the system is compromised your only choice it so
>fedora-list mailing list
>fedora-list redhat com
>To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list

Michael Yep
Development / Technical Operations
RemoteLink, Inc.
(630) 983-0072 x164 

fedora-list mailing list
fedora-list redhat com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]