Have I been hacked? Shadow file deleted

[Jose Luis Hime]

Here it is... I see that named opens the port 953, I do not believe this
could be an issue...

PORT     STATE SERVICE
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
953/tcp  open  rndc
993/tcp  open  imaps
995/tcp  open  pop3s


________________________________________
From: fedora-list-bounces at redhat.com [mailto:fedora-list-bounces at redhat.com]
On Behalf Of Marc M
Sent: Friday, September 09, 2005 11:16 AM
To: For users of Fedora Core releases
Subject: Re: Have I been hacked? Shadow file deleted

What about nmap, maybe it could at least give you a port to investigate

nmap -p 1-65535 localhost

Marc


On 9/9/05, Jose Luis Hime <jhime at synchro.com.br> wrote:

chkrootkit and rkhunter do not report any problem.

I am still with this issue, any hints?

Thanks,
J. Hime
________________________________________
From: fedora-list-bounces at redhat.com [mailto:fedora-list-bounces at redhat.com]
On Behalf Of Marc M
Sent: Thursday, September 08, 2005 5:00 PM
To: For users of Fedora Core releases 
Subject: Re: Have I been hacked? Shadow file deleted

Try running chkrootkit and rkhunter
On 9/8/05, STYMA, ROBERT E (ROBERT) <stymar at lucent.com> wrote:
>
> Hello,
>
> I installed a new server on Tuesday using Fedora Core 4 and
> today the shadow
> file was deleted three times. Since nothing was being done on
> the box at
> those times, I believe I was hacked. 
>
Since it is a new install, I would look into running the
badblocks command just to be safe.There is always the chance
something is wrong with the disk where the inode for the shadow
file is stored.This is a long shot, but easy to do.

Bob Styma

--
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list



--
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list