FC9 Compromised...
Jack Lauman
jlauman at nwcascades.com
Fri Feb 27 21:32:11 UTC 2009
Craig White wrote:
> the problem isn't Fedora 9, it's the person setting it up and
> maintaining it. These days, the most likely way someone would own a
> computer would be to connect via ssh using a brute force method but it
> could be something as simple as users who can get pop3 e-mail and also
> have shell access so capturing an unsecured login on pop3 will allow
> someone a local shell and when that happens, it's likely only a matter
> of time before they get root. SELinux is designed to limit the
> opportunities available when things like this happen.
>
> Seems to me if you have a number of boxes that were compromised, they
> probably all shared the same 'root' password and that was definitely
> hacked.
Disagree. If anyone used the root password they had to know what it
was... 27 characters.
It's probable that they got in through a pop3 account on one machine.
>
> You might parse /etc/passwd to see what account has uid = 0
>
It exists...
> You should not have any of these machines connected to the Internet. You
> should be aware of the likelihood that these machines have keyloggers
> installed on them which will capture anything you type.
>
No rootkits found, no trojans or viruses found.
> Yes, you need to get data off the system and completely re-install.
>
> Your question however is unclear. If you want to add 'root' back in,
> something like this should work...
Yes, I need to add root back in...
>
> useradd -o -u 0 -g 0 -d /root root
> and then 'passwd root' to set the password
doesn't work... /etc/shadow is missing.
>
> Craig
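The uid-0 audit Craig suggests, plus the recovery step for a box whose root entry and /etc/shadow are gone, as an added example that is not code from the original thread. The passwd contents are constructed, and the rebuild function assumes shadow-utils useradd(8), pwconv(8) and grpconv(8) as shipped on Fedora; it is defined but not run, since it needs uid 0 on the affected machine (or a rescue image with its disk mounted).

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits a passwd file for
# uid-0 accounts (the check Craig suggests) and shows how root and a missing
# /etc/shadow can be rebuilt. The passwd contents below are constructed.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
jack:x:500:500:jack:/home/jack:/bin/bash
toor:x:0:0::/:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin'

# Print the login name of every account whose numeric uid (field 3) is 0.
# Usage: uid0_accounts <passwd-file>
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Number of uid-0 accounts; a healthy box has exactly one, named root.
uid0_count() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# "missing" when the shadow file is gone, as on the machine in the thread.
shadow_state() {
    if [ -f "$1" ]; then echo present; else echo missing; fi
}

# Recreate root and regenerate /etc/shadow. Must run as uid 0 (from the
# remaining uid-0 account or a rescue image with the disk mounted), so it is
# only defined here, not executed.
rebuild_root() {
    # -o permits a second uid-0 entry while another one still exists.
    useradd -o -u 0 -g 0 -d /root -s /bin/bash root
    # passwd(1) has nowhere to store the hash without /etc/shadow;
    # pwconv builds it from /etc/passwd (grpconv does the same for gshadow).
    pwconv && grpconv
    passwd root
}

# Demo on the constructed data: root and toor are reported, count is 2.
demo=$(mktemp)
printf '%s\n' "$PASSWD_SAMPLE" > "$demo"
echo "uid-0 accounts: $(uid0_accounts "$demo" | tr '\n' ' ')"
echo "count: $(uid0_count "$demo"), shadow: $(shadow_state /nonexistent/shadow)"
rm -f "$demo"
```

Run the audit against the real file with `uid0_accounts /etc/passwd`; any name besides root in that output is an account the attacker added or renamed, and the thread's advice to copy the data off and reinstall still stands regardless of what rebuild_root restores.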