FC9 Compromised...

Craig White craigwhite at azapple.com
Fri Feb 27 21:47:35 UTC 2009


On Fri, 2009-02-27 at 13:32 -0800, Jack Lauman wrote:
> 
> Craig White wrote:
> 
> > the problem isn't Fedora 9, it's the person setting it up and
> > maintaining it. These days, the most likely way someone would own a
> > computer would be to connect via ssh using a brute force method but it
> > could be something as simple as users who can get pop3 e-mail and also
> > have shell access so capturing an unsecured login on pop3 will allow
> > someone a local shell and when that happens, it's likely only a matter
> > of time before they get root. SELinux is designed to limit the
> > opportunities available when things like this happen.
> > 
> > Seems to me if you have a number of boxes that were compromised, they
> > probably all shared the same 'root' password and that was definitely
> > hacked.
> 
> Disagree, if anyone used the root password they had to know what it 
> was... 27 characters
----
I'm going to let this pass...
----
> It's probable that they got in through a pop3 account on one machine.
----
and then broke the system with a key logger or some unpatched local
exploit. It would stand to reason that they got your root password
somehow if they got onto several boxes unless you used passwordless ssh
keys between them.

Bad idea to allow users to access pop3 and have a valid shell and ssh
access.
----
> > 
> > You might parse /etc/passwd to see what account has uid = 0
> > 
> It exists...
> 
> > You should not have any of these machines connected to the Internet. You
> > should be aware of the likelihood that these machines have keyloggers
> > installed on them which will capture anything you type.
> > 
> No rootkits found, no trojans or viruses found.
----
I don't know that I would implicitly trust whatever you used to come to
that conclusion.
----
> > Yes, you need to get data off the system and completely re-install.
> > 
> > Your question however is unclear. If you want to add 'root' back in,
> > something like this should work...
> 
> Yes, I need to add root back in...
> > 
> > useradd -o -u 0 -g 0 -d /root root
> > and then 'passwd root' to set the password
> doesn't work... /etc/shadow is missing.
----
Sort of screwed... time spent trying to make this system work is likely
wasted.

Set up a computer with a large hard drive and get it working. Shut down
and connect the hard drive from this box and copy data files to the new hard
drive. This may be a problem if you had hardware RAID.

Craig
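The three checks the thread circles around (a second uid 0 account, users whose pop3 password also buys a login shell, and a missing /etc/shadow) as a small triage script. This is an added example, not code from the thread; the passwd content is constructed, and the functions take a file path so they can be pointed at a copy pulled from the compromised disk.

```shell
# Triage checks for a host whose root account was tampered with.
# Constructed sample passwd file (not from the original post); a real run
# would point the functions at /etc/passwd on a mounted copy of the disk.
WORK="$(mktemp -d)"
SAMPLE_PASSWD="$WORK/passwd"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:extra superuser:/root:/bin/bash
mailonly:x:500:500::/home/mailonly:/sbin/nologin
jack:x:501:501::/home/jack:/bin/bash
EOF

# Print every login name whose uid is 0. Anything besides "root" is a
# second superuser account and has to be explained or removed.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print ordinary accounts (uid >= 500, the Fedora 9 convention) whose shell
# is neither nologin nor false: a captured pop3 password for any of these
# also yields a local shell, which is the combination the thread warns about.
shell_users() {
    awk -F: '$3 >= 500 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Report whether a shadow file sits beside the given passwd file. Without it
# passwd(1) cannot store a hash, so "passwd root" has nothing to write to.
shadow_present() {
    dir="$(dirname "$1")"
    if [ -f "$dir/shadow" ]; then echo yes; else echo no; fi
}

echo "uid 0 accounts:";        uid0_accounts "$SAMPLE_PASSWD"
echo "accounts with a shell:"; shell_users "$SAMPLE_PASSWD"
echo "shadow present:";        shadow_present "$SAMPLE_PASSWD"
```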
