FC9 Compromised...

Jack Lauman jlauman at nwcascades.com
Fri Feb 27 22:06:32 UTC 2009


I yanked the drive and scanned it in a clean machine. Nothing found.

I'm reasonably sure the problem originated internally. (No further 
comment on this.)

Thanks

Craig White wrote:
> On Fri, 2009-02-27 at 13:32 -0800, Jack Lauman wrote:
>> Craig White wrote:
>>
>>> the problem isn't Fedora 9, it's the person setting it up and
>>> maintaining it. These days, the most likely way someone would own a
>>> computer would be to connect via ssh using a brute force method but it
>>> could be something as simple as users who can get pop3 e-mail and also
>>> have shell access so capturing an unsecured login on pop3 will allow
>>> someone a local shell and when that happens, it's likely only a matter
>>> of time before they get root. SELinux is designed to limit the
>>> opportunities available when things like this happen.
>>>
>>> Seems to me if you have a number of boxes that were compromised, they
>>> probably all shared the same 'root' password and that was definitely
>>> hacked.
>> Disagree, if anyone used the root password they had to know what it 
>> was... 27 characters
> ----
> I'm going to let this pass...
> ----
>> It's probable that they got in through a pop3 account on one machine.
> ----
> and then broke the system with a key logger or some unpatched local
> exploit. It would stand to reason that they got your root password
> somehow if they got onto several boxes unless you used passwordless ssh
> keys between them.
> 
> Bad idea to allow users to access pop3 and have a valid shell and ssh
> access.
> ----
>>> You might parse /etc/passwd to see what account has uid = 0
>>>
>> It exists...
>>
>>> You should not have any of these machines connected to the Internet. You
>>> should be aware of the likelihood that these machines have keyloggers
>>> installed on them which will capture anything you type.
>>>
>> No rootkits found, no trojans or viruses found.
> ----
> I don't know that I would implicitly trust whatever you used to come to
> that conclusion.
> ----
>>> Yes, you need to get data off the system and completely re-install.
>>>
>>> Your question however is unclear. If you want to add 'root' back in,
>>> something like this should work...
>> Yes, I need to add root back in...
>>> useradd -u 0 -g 0 -d /root -s /bin/bash root
>>> and then 'passwd root' to set the password
>> doesn't work... /etc/shadow is missing.
> ----
> Sort of screwed...time spent trying to make this system work is likely
> wasted.
> 
> set up a computer with a large hard drive and get it working. Shut down
> and connect hard drive from this box and copy data files to the new hard
> drive. This may be a problem if you had hardware raid.
> 
> Craig
> 
> 
> 
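The two checks Craig describes above, listing every uid-0 account in /etc/passwd and spotting users who hold a real login shell, written out as an added shell example; this is not code from the thread or from Fedora. The passwd content is a constructed sample standing in for the compromised host (the real root line is gone and a look-alike uid-0 account has been added), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit a passwd file
# for extra uid-0 accounts and for accounts that can log in to a shell.

# Constructed sample: a passwd file with no 'root' entry and a bogus
# uid-0 account named 'toor', mimicking the situation in the thread.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
jlauman:x:500:500:Jack:/home/jlauman:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
EOF

# Constructed sample of a healthy file: root is the only uid-0 account.
CLEAN_PASSWD="$(mktemp)"
cat > "$CLEAN_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
jlauman:x:500:500:Jack:/home/jlauman:/bin/bash
EOF
trap 'rm -f "$SAMPLE_PASSWD" "$CLEAN_PASSWD"' EXIT

# uid0_accounts FILE: print the login name of every entry whose numeric
# uid field is 0 (any account here is root-equivalent).
uid0_accounts() {
    awk -F: '$3 ~ /^0+$/ { print $1 }' "$1"
}

# shell_accounts FILE: print accounts whose login shell is something other
# than a nologin/false shell, i.e. users who can get an interactive shell.
shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# audit_passwd FILE: succeed (exit 0) only when 'root' is present and is
# the sole uid-0 account; fail otherwise.
audit_passwd() {
    [ "$(uid0_accounts "$1")" = "root" ]
}

# Stand-alone run over the two samples.
for f in "$SAMPLE_PASSWD" "$CLEAN_PASSWD"; do
    echo "== $f"
    echo "uid-0 accounts: $(uid0_accounts "$f" | paste -sd ' ' -)"
    echo "shell accounts: $(shell_accounts "$f" | paste -sd ' ' -)"
    if audit_passwd "$f"; then
        echo "OK: root is the only uid-0 account"
    else
        echo "WARNING: root missing or extra uid-0 account present"
    fi
done
```

Run it as-is to see both the failing and the passing case; to check a live system, call `uid0_accounts /etc/passwd` and `shell_accounts /etc/passwd` from a trusted boot medium, since binaries on the compromised host itself cannot be trusted to report honestly.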
