
Re: FC9 Compromised...

I yanked the drive and scanned it in a clean machine. Nothing found.

I'm reasonably sure the problem originated internally. (No further comment on this.)


Craig White wrote:
> On Fri, 2009-02-27 at 13:32 -0800, Jack Lauman wrote:
>> Craig White wrote:
>>
>>> the problem isn't Fedora 9, it's the person setting it up and
>>> maintaining it. These days, the most likely way someone would own a
>>> computer would be to connect via ssh using a brute force method but it
>>> could be something as simple as users who can get pop3 e-mail and also
>>> have shell access so capturing an unsecured login on pop3 will allow
>>> someone a local shell and when that happens, it's likely only a matter
>>> of time before they get root. SELinux is designed to limit the
>>> opportunities available when things like this happen.
>>>
>>> Seems to me if you have a number of boxes that were compromised, they
>>> probably all shared the same 'root' password and that was definitely
>> Disagree, if anyone used the root password they had to know what it was... 27 characters
> I'm going to let this pass...
> It's probable that they got in through a pop3 account on one machine,
> and then broke the system with a key logger or some unpatched local
> exploit. It would stand to reason that they got your root password
> somehow if they got onto several boxes unless you used passwordless ssh
> keys between them.
>
>>> Bad idea to allow users to access pop3 and have a valid shell and ssh
>>> You might parse /etc/passwd to see what account has uid = 0
>>
>> It exists...
>>
>>> You should not have any of these machines connected to the Internet. You
>>> should be aware of the likelihood that these machines have keyloggers
>>> installed on them which will capture anything you type.
>>
>> No rootkits found, no trojans or viruses found.
> I don't know that I would implicitly trust whatever you used to come to
> that conclusion.
> Yes, you need to get data off the system and completely re-install.
>
>>> Your question however is unclear. If you want to add 'root' back in,
>>> something like this should work...
>> Yes, I need to add root back in...
>>> useradd -u 0 -g 0 -d /root root
>>> and then 'passwd root' to set the password
>> doesn't work... /etc/shadow is missing.
> Sort of screwed...time spent trying to make this system work is likely
>
> set up a computer with a large hard drive and get it working. Shut down
> and connect hard drive from this box and copy data files to the new hard
> drive. This may be a problem if you had hardware raid.
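The uid-0 check suggested in the thread, worked out as an added example (not code posted by anyone on the list): it lists every account whose uid is 0 in a passwd-format file, flags any such name other than root, and reports whether the matching shadow file is missing or world-readable. The file paths are parameters so it can be pointed at a mounted copy of a suspect disk from a clean machine; the sample passwd content is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the /etc/passwd uid-0 check, plus a
# check that /etc/shadow is present and not world-readable. Paths are
# parameters so the functions can be run against a mounted copy of a
# suspect disk (e.g. /mnt/suspect/etc/passwd) from a clean machine.

uid0_accounts() {
    # $1: passwd-format file. Prints every login name whose uid field is 0.
    awk -F: '$3 == 0 { print $1 }' "$1"
}

uid0_count() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

unexpected_uid0() {
    # uid-0 names other than "root"; empty output means nothing to explain.
    uid0_accounts "$1" | grep -v '^root$' || true
}

shadow_status() {
    # $1: shadow file. Prints "missing", "world-readable" or "ok".
    # Column 8 of `ls -ld` output is the "other" read bit (portable sh).
    if [ ! -f "$1" ]; then
        echo missing
    elif [ "$(ls -ld "$1" | cut -c8)" = "r" ]; then
        echo world-readable
    else
        echo ok
    fi
}

# Constructed sample standing in for a suspect box's /etc/passwd: root is
# still there, but a second uid-0 login ("sysadm") has been added.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
jack:x:500:500:Jack:/home/jack:/bin/bash
sysadm:x:0:0::/:/bin/bash
EOF

# Constructed sample shadow file, deliberately left world-readable.
SAMPLE_SHADOW=$(mktemp)
chmod 644 "$SAMPLE_SHADOW"

echo "uid-0 accounts: $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "unexpected:     $(unexpected_uid0 "$SAMPLE_PASSWD")"
echo "shadow:         $(shadow_status "$SAMPLE_SHADOW")"
```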
