Machine compromised

bhiksha bhiksha at merl.com
Wed Dec 20 06:28:48 UTC 2006


Jason L Tibbitts III wrote:

>I'm not sure why you replied off-list; you lose the benefit of other
>insights into the discussion.

Sorry, I didn't realize I'd done that. I just hit "reply".
I'm certainly getting a lot of useful advice from the group.

>>>>>> "b" == bhiksha  <bhiksha at merl.com> writes:
>
>b> I'm still curious about how an account called "backup" belonging to
>b> uid 0 came to be!
>
>I can say with absolute certainty that a hacker put it there, which
>means that they found some other way into your system.  Are you
>absolutely sure that you were keeping up with all of the security
>updates?  Did you have the firewall on?  Obviously you had at least
>one port open (22); there have been security issues in openssh
>although I don't recall that any of them were remotely exploitable.
>What other services were you running?
>
>b> I just hope the hackers are not taking advantage of some intrinsic
>b> hole in FC5.
>
>Rest assured that if there were a significant unpatched vulnerability,
>yours wouldn't be the only compromised machine.  But there are many
>available servers in Fedora, and there have been many security
>updates.  And of course there is plenty of software available outside
>of Fedora that could present security issues.
>

I have iptables on. I also have a firewall box that only lets in ports 22 and 80.
I left port 22 open to allow me to ssh in from outside, and I have tried to keep
abreast of the updates.
I'm not sure what happened exactly, but I'm taking the suggested precaution of
simply cleaning out the machine and reinstalling.

Thanks much
Bhiksha


> - J<