RE: FC9 Compromised...

-- I yanked the drive and scanned it in a clean machine. Nothing found.

-- I'm reasonably sure the problem originated internally. (No further
comment on this.)

-- Thanks

Sounds like a naughty user on the box....

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

Red Hat Certified Technician (RHCT)

-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx]
On Behalf Of Jack Lauman
Sent: Friday, February 27, 2009 5:07 PM
To: Community assistance, encouragement, and advice for using Fedora.
Subject: Re: FC9 Compromised...

I yanked the drive and scanned it in a clean machine. Nothing found.

I'm reasonably sure the problem originated internally. (No further
comment on this.)

Thanks

Craig White wrote:
On Fri, 2009-02-27 at 13:32 -0800, Jack Lauman wrote:
Craig White wrote:

the problem isn't Fedora 9, it's the person setting it up and
maintaining it. These days, the most likely way someone would own a
computer would be to connect via ssh using a brute force method but it
could be something as simple as users who can get pop3 e-mail and also
have shell access so capturing an unsecured login on pop3 will allow
someone a local shell and when that happens, it's likely only a matter
of time before they get root. SELinux is designed to limit the
opportunities available when things like this happen.

Seems to me if you have a number of boxes that were compromised, they
probably all shared the same 'root' password and that was definitely
hacked.
Disagree, if anyone used the root password they had to know what it
was... 27 characters
----
I'm going to let this pass...
----
It's probable that they got in through a pop3 account on one machine.
----
and then broke the system with a key logger or some unpatched local
exploit. It would stand to reason that they got your root password
somehow if they got onto several boxes unless you used passwordless ssh
keys between them.

Bad idea to allow users to access pop3 and have a valid shell and ssh
access.
----
You might parse /etc/passwd to see what account has uid = 0

It exists...

You should not have any of these machines connected to the Internet. You
should be aware of the likelihood that these machines have keyloggers
installed on them which will capture anything you type.

No rootkits found, no trojans or viruses found.
----
I don't know that I would implicitly trust whatever you used to come to
that conclusion.
----
Yes, you need to get data off the system and completely re-install.

Your question however is unclear. If you want to add 'root' back in,
something like this should work...
Yes, I need to add root back in...
useradd -u 0 -g 0 -h /root
and then 'passwd root' to set the password
doesn't work... /etc/shadow is missing.
----
Sort of screwed...time spent trying to make this system worked is likely
wasted.

set up a computer with a large hard drive and get it working. Shut down
and connect hard drive from this box and copy data files to the new hard
drive. This may be a problem if you had hardware raid.

Craig



------------------------------------------------------------------------


No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.0.237 / Virus Database: 270.11.4/1976 - Release Date: 02/27/09
13:27:00


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Attachment: smime.p7s
Description: S/MIME cryptographic signature

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Relevant Pages

  • Re: Problem with Java Desktop on Solaris 10
    ... sulogin will start a sh shell for root if the ... best practice. ... Unless they have a compelling reason, ...
    (comp.unix.solaris)
  • Re: [SLE] changing the roots shell
    ... > Is there some strong reason to do that? ... what is the real problem ... I can't see any problem in using another shell. ... > I change to root only as need, to do administrative tasks, and as root, I like ...
    (SuSE)
  • Re: FC9 Compromised...
    ... I yanked the drive and scanned it in a clean machine. ... someone a local shell and when that happens, ... of time before they get root. ... It would stand to reason that they got your root password ...
    (Fedora)
  • Re: comp.unix.shell FAQ take three
    ... >> Unless you have a very good reason to do so, ... >> The default shell for root is one which will work in single user ... when only the root partition is mounted. ...
    (comp.unix.shell)
  • Re: hi all..
    ... and someone gets access your shell account, ... Only root can install an su binary. ... Of course, if I have sudo ...
    (Fedora)
Loading