FC9 Compromised...

Fri Feb 27 22:35:49 UTC 2009

-- I yanked the drive and scanned it in a clean machine. Nothing found.

-- I'm reasonably sure the problem originated internally. (No further 
comment on this.)

-- Thanks

Sounds like a naughty user on the box....

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

Red Hat Certified Technician (RHCT)

-----Original Message-----
From: fedora-list-bounces at redhat.com [mailto:fedora-list-bounces at redhat.com]
On Behalf Of Jack Lauman
Sent: Friday, February 27, 2009 5:07 PM
To: Community assistance, encouragement, and advice for using Fedora.
Subject: Re: FC9 Compromised...

I yanked the drive and scanned it in a clean machine. Nothing found.

I'm reasonably sure the problem originated internally. (No further 
comment on this.)

Thanks

Craig White wrote:
> On Fri, 2009-02-27 at 13:32 -0800, Jack Lauman wrote:
>> Craig White wrote:
>>
>>> the problem isn't Fedora 9, it's the person setting it up and
>>> maintaining it. These days, the most likely way someone would own a
>>> computer would be to connect via ssh using a brute force method but it
>>> could be something as simple as users who can get pop3 e-mail and also
>>> have shell access so capturing an unsecured login on pop3 will allow
>>> someone a local shell and when that happens, it's likely only a matter
>>> of time before they get root. SELinux is designed to limit the
>>> opportunities available when things like this happen.
>>>
>>> Seems to me if you have a number of boxes that were compromised, they
>>> probably all shared the same 'root' password and that was definitely
>>> hacked.
>> Disagree, if anyone used the root password they had to know what it 
>> was... 27 characters
> ----
> I'm going to let this pass...
> ----
>> It's probable that they got in through a pop3 account on one machine.
> ----
> and then broke the system with a key logger or some unpatched local
> exploit. It would stand to reason that they got your root password
> somehow if they got onto several boxes unless you used passwordless ssh
> keys between them.
> 
> Bad idea to allow users to access pop3 and have a valid shell and ssh
> access.
> ----
>>> You might parse /etc/passwd to see what account has uid = 0
>>>
>> It exists...
>>
>>> You should not have any of these machines connected to the Internet. You
>>> should be aware of the likelihood that these machines have keyloggers
>>> installed on them which will capture anything you type.
>>>
>> No rootkits found, no trojans or viruses found.
> ----
> I don't know that I would implicitly trust whatever you used to come to
> that conclusion.
> ----
>>> Yes, you need to get data off the system and completely re-install.
>>>
>>> Your question however is unclear. If you want to add 'root' back in,
>>> something like this should work...
>> Yes, I need to add root back in...
>>> useradd -u 0 -g 0 -h /root
>>> and then 'passwd root' to set the password
>> doesn't work... /etc/shadow is missing.
> ----
> Sort of screwed...time spent trying to make this system worked is likely
> wasted.
> 
> set up a computer with a large hard drive and get it working. Shut down
> and connect hard drive from this box and copy data files to the new hard
> drive. This may be a problem if you had hardware raid.
> 
> Craig
> 
> 
> 
> ------------------------------------------------------------------------
> 
> 
> No virus found in this incoming message.
> Checked by AVG - www.avg.com 
> Version: 8.0.237 / Virus Database: 270.11.4/1976 - Release Date: 02/27/09
13:27:00
> 

-- 
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3169 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20090227/13f8ee5e/attachment-0001.bin>