FC9 Compromised...

Kevin J. Cummings cummings at kjchome.homeip.net
Fri Feb 27 21:49:13 UTC 2009


Jack Lauman wrote:
> 
> 
> Craig White wrote:
> 
>> the problem isn't Fedora 9, it's the person setting it up and
>> maintaining it. These days, the most likely way someone would own a
>> computer would be to connect via ssh using a brute force method but it
>> could be something as simple as users who can get pop3 e-mail and also
>> have shell access so capturing an unsecured login on pop3 will allow
>> someone a local shell and when that happens, it's likely only a matter
>> of time before they get root. SELinux is designed to limit the
>> opportunities available when things like this happen.
>>
>> Seems to me if you have a number of boxes that were compromised, they
>> probably all shared the same 'root' password and that was definitely
>> hacked.
> 
> Disagree, if anyone used the root password they had to know what it 
> was... 27 characters
> 
> It's probable that they got in through a pop3 account on one machine.

Regardless of how it happened, it happened.  You shouldn't point any 
fingers until you do a complete analysis and figure out how it happened.
Don't rule anything out before your analysis.

>> You might parse /etc/passwd to see what account has uid = 0
>>
> It exists...

Is there a user with UID == 0?
If so, spend particular time checking this user's /home directory!

>> You should not have any of these machines connected to the Internet. You
>> should be aware of the likelihood that these machines have keyloggers
>> installed on them which will capture anything you type.
>>
> No rootkits found, no trojans or viruses found.

How did you check?  I hope you didn't use *any* of the software on the 
infected machines, did you?  How do you know it hasn't been modified?

You should only access the machines by booting them from a rescue disk. 
  Don't trust *anything* on your compromised machines until you are able 
to verify it is OK.

Get your data off via the rescue disk boot, then completely wipe and 
re-install your compromised machines.  Then completely test your copied 
data to make sure *it* hasn't been compromised as well....

>> Yes, you need to get data off the system and completely re-install.
>>
>> Your question however is unclear. If you want to add 'root' back in,
>> something like this should work...
> 
> Yes, I need to add root back in...
>>
>> useradd -u 0 -g 0 -d /root root
>> and then 'passwd root' to set the password
> doesn't work... /etc/shadow is missing.

Use a rescue disk, then re-install from scratch.  (Don't forget to 
reformat your disk partitions to ensure you've removed any possible 
leftovers from the compromise....) If you try to fix your machines by 
hand, you'll probably keep running into things that are "broken", and if 
you don't know how to fix each one, it'll be easier just to re-install.

Good luck!

-- 
Kevin J. Cummings
kjchome at rcn.com
cummings at kjchome.homeip.net
cummings at kjc386.framingham.ma.us
Registered Linux User #1232 (http://counter.li.org)
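The checks discussed above (any account with UID 0, the state of /etc/shadow, and inspecting a suspect account's home directory) can be run from a rescue disk without executing anything on the compromised disk. The script below is an added example written for this page; it is not code from the thread or from Fedora. It assumes the compromised root filesystem is mounted read-only at /mnt/sysimage and uses only awk from the rescue media to read the mounted passwd and shadow files. The passwd and shadow contents used for the demonstration are constructed sample data, with a second UID 0 account and an account with an empty password of the kind an intruder might leave behind.

```shell
#!/bin/sh
# Added example (not from the thread): audit the account files of a
# compromised system that has been mounted from a rescue disk.
# Assumed mount point: /mnt/sysimage (so the files are
# /mnt/sysimage/etc/passwd and /mnt/sysimage/etc/shadow).
# Nothing on the compromised disk is executed; awk from the rescue
# media only reads the files.

# Print every account whose UID field (field 3) is 0, one per line.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print accounts whose shadow password field is empty (login with no password).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print accounts that have a real login shell but no shadow entry.
# If the shadow file is missing entirely (as in the thread), every account
# with a login shell is reported.
accounts_without_shadow() {
    passwd=$1; shadow=$2
    if [ ! -f "$shadow" ]; then
        awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$passwd"
        return
    fi
    # First pass (NR == FNR) collects names from shadow; second pass
    # reports passwd entries with a login shell that were not seen.
    awk -F: 'NR == FNR { seen[$1] = 1; next }
             $7 !~ /(nologin|false)$/ && !($1 in seen) { print $1 }' \
        "$shadow" "$passwd"
}

# Constructed sample data (not from a real system): "toor" is a second
# UID 0 account with an empty password, "backup" has no shadow entry.
write_sample() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0::/var/tmp/.x:/bin/bash
jack:x:500:500:Jack:/home/jack:/bin/bash
backup:x:501:501::/home/backup:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$abc$xxxxxxxxxxxxxxxxxxxxxx:14000:0:99999:7:::
bin:*:14000:0:99999:7:::
toor::14000:0:99999:7:::
jack:$1$def$yyyyyyyyyyyyyyyyyyyyyy:14000:0:99999:7:::
EOF
}

# Audit a directory holding passwd and shadow (on a real system:
# /mnt/sysimage/etc). Prints one line per finding, then "findings: N".
# Extra UID 0 accounts are printed with their home directory, which is
# the place to inspect next.
audit_dir() {
    dir=$1; n=0
    for name in $(uid0_accounts "$dir/passwd"); do
        [ "$name" = root ] && continue
        home=$(awk -F: -v u="$name" '$1 == u { print $6 }' "$dir/passwd")
        echo "extra UID 0 account: $name (home: $home)"
        n=$((n + 1))
    done
    if [ -f "$dir/shadow" ]; then
        for name in $(empty_password_accounts "$dir/shadow"); do
            echo "empty password: $name"
            n=$((n + 1))
        done
    else
        echo "shadow file missing: no password can be verified"
        n=$((n + 1))
    fi
    for name in $(accounts_without_shadow "$dir/passwd" "$dir/shadow"); do
        echo "login shell but no shadow entry: $name"
        n=$((n + 1))
    done
    echo "findings: $n"
}

# Demonstration on the constructed sample. On a real rescue boot, replace
# the sample directory with /mnt/sysimage/etc.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit_dir "$demo_dir"
rm -rf "$demo_dir"
```

Run it from the rescue shell as `audit_dir /mnt/sysimage/etc` after mounting the compromised partition read-only. The awk checks are deliberately simple so they can be read and trusted at a glance; the point is that the passwd and shadow parsing happens with the rescue media's tools, never with binaries from the suspect disk.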