FC9 Compromised...

Jack Lauman jlauman at nwcascades.com
Fri Feb 27 21:32:11 UTC 2009



Craig White wrote:

> the problem isn't Fedora 9, it's the person setting it up and
> maintaining it. These days, the most likely way someone would own a
> computer would be to connect via ssh using a brute force method but it
> could be something as simple as users who can get pop3 e-mail and also
> have shell access so capturing an unsecured login on pop3 will allow
> someone a local shell and when that happens, it's likely only a matter
> of time before they get root. SELinux is designed to limit the
> opportunities available when things like this happen.
> 
> Seems to me if you have a number of boxes that were compromised, they
> probably all shared the same 'root' password and that was definitely
> hacked.

Disagree. If anyone used the root password they had to know what it 
was... 27 characters.

It's probable that they got in through a pop3 account on one machine.
> 
> You might parse /etc/passwd to see what account has uid = 0
> 
It exists...

> You should not have any of these machines connected to the Internet. You
> should be aware of the likelihood that these machines have keyloggers
> installed on them which will capture anything you type.
> 
No rootkits found, no trojans or viruses found.

> Yes, you need to get data off the system and completely re-install.
> 
> Your question however is unclear. If you want to add 'root' back in,
> something like this should work...

Yes, I need to add root back in...
> 
> useradd -u 0 -g 0 -d /root root
> and then 'passwd root' to set the password

Doesn't work... /etc/shadow is missing.

> 
> Craig
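The uid-0 check Craig suggests above, as an added example that is not part of the original thread: a POSIX shell script that audits a passwd/shadow pair for every account with uid 0, for accounts that have no shadow entry (including the case from the thread where /etc/shadow is gone entirely), and for whether a `root` entry exists at all. The sample files it writes, the `toor` account and the `jlauman` line in them, are constructed for illustration; set PASSWD and SHADOW to copies taken from the compromised disk to run it against real data.

```shell
#!/bin/sh
# Added example, not code from the thread: audit passwd/shadow for uid-0
# accounts, for accounts lacking a shadow entry, and for a missing root entry.

WORK="$(mktemp -d)"
PASSWD="${PASSWD:-$WORK/passwd}"
SHADOW="${SHADOW:-$WORK/shadow}"

# Constructed sample data (not from the page): root has been removed and a
# second uid-0 account named "toor" has been added with no shadow line.
# Existing non-empty files (e.g. copies of the real ones) are left untouched.
if [ ! -s "$PASSWD" ]; then
cat > "$PASSWD" <<'EOF'
bin:x:1:1:bin:/bin:/sbin/nologin
jlauman:x:500:500:Jack Lauman:/home/jlauman:/bin/bash
toor:x:0:0::/:/bin/bash
EOF
fi
if [ ! -s "$SHADOW" ]; then
cat > "$SHADOW" <<'EOF'
bin:*:14300:0:99999:7:::
jlauman:$6$saltsalt$constructedhashvalue:14300:0:99999:7:::
EOF
fi

# Every account whose numeric uid (field 3) is 0. On a clean box the only
# answer is "root"; any other name is a backdoor account.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts present in passwd (arg 1) that have no line in shadow (arg 2).
# If shadow is missing altogether, every account is reported.
missing_shadow() {
    if [ ! -f "$2" ]; then
        awk -F: '{ print $1 }' "$1"
        return
    fi
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Exit status 0 if an account literally named root exists in passwd.
has_root() {
    grep -q '^root:' "$1"
}

# Report. A compromised box shows extra uid-0 names, a missing root entry,
# or accounts with no shadow record.
echo "uid-0 accounts in $PASSWD:"
uid0_accounts "$PASSWD"
echo "accounts without a shadow entry:"
missing_shadow "$PASSWD" "$SHADOW"
if has_root "$PASSWD"; then
    echo "root entry: present"
else
    echo "root entry: MISSING"
fi
```

Run it against copies of the files pulled from the affected disk (mounted read-only) rather than on the live system, since the binaries on a compromised host cannot be trusted to report honestly.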
