Re: FC9 Compromised...

2009-02-28 Thread Michael Schwendt
On Fri, 27 Feb 2009 13:32:11 -0800, Jack wrote:
> Disagree, if anyone used the root password they had to know what it
> was... 27 characters
>
> It's probable that they got in through a pop3 account on one machine.

On "one machine", but what about the other machines? Did they use the same root

Re: FC9 Compromised...

2009-02-27 Thread Aldo Foot
On Fri, Feb 27, 2009 at 3:32 PM, Patrick O'Callaghan wrote:
> On Fri, 2009-02-27 at 14:08 -0800, Aldo Foot wrote:
>> You could try booting with a LiveCD and use find to expose files
>> created recently.
>
> No good. A rootkit could have changed the file creation time.

True. But years ago, while g

Re: FC9 Compromised...

2009-02-27 Thread Patrick O'Callaghan
On Fri, 2009-02-27 at 14:08 -0800, Aldo Foot wrote:
> You could try booting with a LiveCD and use find to expose files
> created recently.

No good. A rootkit could have changed the file creation time. Either run a hash check on all the binaries ("rpm -V" might be useful here, but of course the rpm

RE: FC9 Compromised...

2009-02-27 Thread Casartello, Thomas
I yanked the drive and scanned it in a clean machine. Nothing found. I'm reasonably sure the problem originated internally. (No further comment on this.) Thanks Craig White wrote: > On Fri, 2009-02-27 at 13:3

Re: FC9 Compromised...

2009-02-27 Thread Aldo Foot
On Fri, Feb 27, 2009 at 12:49 PM, Jack Lauman wrote:
> On Feb 25, between 1753-2046 PST several of my Fedora Core 9 machines were
> compromised. All had the latest patches applied.

At this point I would not trust any system binaries such as commands or executable programs you don't recognize. You

Re: FC9 Compromised...

2009-02-27 Thread Jack Lauman
I yanked the drive and scanned it in a clean machine. Nothing found. I'm reasonably sure the problem originated internally. (No further comment on this.) Thanks Craig White wrote: On Fri, 2009-02-27 at 13:32 -0800, Jack Lauman wrote: Craig White wrote: the problem isn't Fedora 9, it's the

Re: FC9 Compromised...

2009-02-27 Thread Gordon Messmer
Jack Lauman wrote: Have any other incidents like this been reported lately? Not that I know of. What network services were running on these hosts, and what web applications? -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-li

Re: FC9 Compromised...

2009-02-27 Thread Robert P. J. Day
On Fri, 27 Feb 2009, Christopher K. Johnson wrote:
> Jack Lauman wrote:
> >
> > Yes, I need to add root back in...
> Not necessarily. You would be safer to boot rescue from an installer
> DVD, then choose to mount the filesystems for your compromised F9.
> Shutdown each system, move it to a trust

Re: FC9 Compromised...

2009-02-27 Thread Kevin J. Cummings
Jack Lauman wrote: Craig White wrote: the problem isn't Fedora 9, it's the person setting it up and maintaining it. These days, the most likely way someone would own a computer would be to connect via ssh using a brute force method but it could be something as simple as users who can get pop3

Re: FC9 Compromised...

2009-02-27 Thread Craig White
On Fri, 2009-02-27 at 13:32 -0800, Jack Lauman wrote:
>
> Craig White wrote:
>
> > the problem isn't Fedora 9, it's the person setting it up and
> > maintaining it. These days, the most likely way someone would own a
> > computer would be to connect via ssh using a brute force method but it
> > c

Re: FC9 Compromised...

2009-02-27 Thread Christopher K. Johnson
Jack Lauman wrote: Yes, I need to add root back in... Not necessarily. You would be safer to boot rescue from an installer DVD, then choose to mount the filesystems for your compromised F9. Shutdown each system, move it to a trusted network, or off-net and attach an external disk to save fi

Re: FC9 Compromised...

2009-02-27 Thread Jack Lauman
Craig White wrote: the problem isn't Fedora 9, it's the person setting it up and maintaining it. These days, the most likely way someone would own a computer would be to connect via ssh using a brute force method but it could be something as simple as users who can get pop3 e-mail and also hav

Re: FC9 Compromised...

2009-02-27 Thread Aaron Konstam
On Fri, 2009-02-27 at 12:49 -0800, Jack Lauman wrote:
> On Feb 25, between 1753-2046 PST several of my Fedora Core 9 machines
> were compromised. All had the latest patches applied.
>
> 1. Only the installed user accounts are on these machines. The root user
> password is long with upper/lower c

Re: FC9 Compromised...

2009-02-27 Thread Craig White
On Fri, 2009-02-27 at 12:49 -0800, Jack Lauman wrote:
> On Feb 25, between 1753-2046 PST several of my Fedora Core 9 machines
> were compromised. All had the latest patches applied.
>
> 1. Only the installed user accounts are on these machines. The root user
> password is long with upper/lower c

FC9 Compromised...

2009-02-27 Thread Jack Lauman
On Feb 25, between 1753-2046 PST several of my Fedora Core 9 machines were compromised. All had the latest patches applied. 1. Only the installed user accounts are on these machines. The root user password is long with upper/lower case characters with numerals & punctuation. It is unlikely thi