Have I been hacked? Shadow file deleted
Jose Luis Hime
jhime at synchro.com.br
Fri Sep 9 14:57:31 UTC 2005
Only I have the root password, that I change every time the shadow file is
deleted. The passwd file is ok, also.
The shadow has the following permissions:
-r-------- 1 root root 8233 Sep 9 10:01 shadow
No crontab, at or other scheduled jobs.
No suspect process in "ps".
So... the last resort is really to re-install my box.
Can I use the "update" method to fix any problems without destroying my
installation? It took me 3 days to complete it!
Thanks in any way!
-----Original Message-----
From: fedora-list-bounces at redhat.com [mailto:fedora-list-bounces at redhat.com]
On Behalf Of Scot L. Harris
Sent: Friday, September 09, 2005 11:22 AM
To: Fedora List
Subject: RE: Have I been hacked? Shadow file deleted
On Fri, 2005-09-09 at 10:06, Jose Luis Hime wrote:
> chkrootkit and rkhunter do not report any problem.
>
> I am still with this issue, any hints?
>
How many people have access to root? Assume you have changed the root
password as well as checked the /etc/passwd and /etc/shadow files for
any odd entries.
What permissions does the /etc/shadow file have?
You should also check all cron jobs to see if someone set something up
there.
Last resort is to do a complete bare metal install again and keep root
password to yourself.
--
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
More information about the fedora-list
mailing list