Have I been hacked? Shadow file deleted

Jose Luis Hime jhime at synchro.com.br
Thu Sep 8 19:45:11 UTC 2005


Hello,

I installed a new server on Tuesday using Fedora Core 4 and today the shadow
file was deleted three times. Since nothing was being done on the box at
those times, I believe I was hacked.

I am using the new Fedora Core 4 and I have the following services running:
   - named    (from Fedora installation)
   - dovecot  (from Fedora installation) (for imap/pop3)
   - sendmail (from Fedora installation)
     - clamav (an anti-virus that I have been using for more than 1 year 
               without problems) (the latest version from the vendor)
   - sshd     (from Fedora installation)
   - apache   (version 2, the latest version from apache site)
     - php5   (the latest version from the site)
   - MySQL    (the latest version from the site, listening only at the
               local port)

I WAS using mDNSResponder, but I have uninstalled it after the problems.
Since then, the server has been stable (for how long?).

The output of a 'netstat -anp' command is at the end of this e-mail.

So, do any of you know of any exploit that I must be aware of? I do
not know how to get around this problem!

Thanks in advance,
J. Hime

===================================================================
tcp   0   0 127.0.0.1:3306      0.0.0.0:*    LISTEN      2302/mysqld
tcp   0   0 xxx.xxx.xx.xxx:53   0.0.0.0:*    LISTEN      1926/named
tcp   0   0 127.0.0.1:53        0.0.0.0:*    LISTEN      1926/named
tcp   0   0 xxx.xxx.xx.xxx:22   0.0.0.0:*    LISTEN      3519/sshd
tcp   0   0 0.0.0.0:25          0.0.0.0:*    LISTEN      2375/sendmail: acce
tcp   0   0 127.0.0.1:953       0.0.0.0:*    LISTEN      1926/named
tcp   0   0 :::993              :::*         LISTEN      2336/dovecot
tcp   0   0 :::995              :::*         LISTEN      2336/dovecot
tcp   0   0 :::110              :::*         LISTEN      2336/dovecot
tcp   0   0 :::143              :::*         LISTEN      2336/dovecot
tcp   0   0 :::80               :::*         LISTEN      2398/httpd
tcp   0   0 ::1:953             :::*         LISTEN      1926/named
tcp   0   0 :::443              :::*         LISTEN      2398/httpd

unix 2 [ ACC ] STREAM LISTENING 7238 2449/dbus-daemon  /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 6930 2344/clamd   clamav/clamd.sock
unix 2 [ ACC ] STREAM LISTENING 6996 2355/clamav-milter  clmilter.sock
unix 2 [ ACC ] STREAM LISTENING 6824 2302/mysqld  /var/lib/mysql/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 6934 2336/dovecot  /var/run/dovecot-login/default
unix 2 [ ACC ] STREAM LISTENING 7197 2429/xfs   /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 7101 2389/gpm   /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 6536 2029/sdpd  /var/run/sdp
unix 2 [ ACC ] STREAM LISTENING 6792 2273/acpid /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 7262 2459/hald  @/tmp/hald-local/dbus-ECkyhYToch

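A first triage step for a post like the one above is to take the `netstat -anp` listing and answer two questions mechanically: which listeners are reachable from off the box, and does every listener belong to a service the admin knows he installed? The script below is an added example, not the poster's code; it embeds the TCP lines from the message as a constructed sample (with the address masked exactly as in the post) and the service inventory from the message as the expected program set. The parsing of the `pid/program` column and the loopback/wildcard classification are this example's own assumptions about the netstat output format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: the TCP listeners quoted in the post, verbatim.
NETSTAT_OUTPUT = """\
tcp   0   0 127.0.0.1:3306      0.0.0.0:*    LISTEN      2302/mysqld
tcp   0   0 xxx.xxx.xx.xxx:53   0.0.0.0:*    LISTEN      1926/named
tcp   0   0 127.0.0.1:53        0.0.0.0:*    LISTEN      1926/named
tcp   0   0 xxx.xxx.xx.xxx:22   0.0.0.0:*    LISTEN      3519/sshd
tcp   0   0 0.0.0.0:25          0.0.0.0:*    LISTEN      2375/sendmail: acce
tcp   0   0 127.0.0.1:953       0.0.0.0:*    LISTEN      1926/named
tcp   0   0 :::993              :::*         LISTEN      2336/dovecot
tcp   0   0 :::995              :::*         LISTEN      2336/dovecot
tcp   0   0 :::110              :::*         LISTEN      2336/dovecot
tcp   0   0 :::143              :::*         LISTEN      2336/dovecot
tcp   0   0 :::80               :::*         LISTEN      2398/httpd
tcp   0   0 ::1:953             :::*         LISTEN      1926/named
tcp   0   0 :::443              :::*         LISTEN      2398/httpd
"""

# Programs the poster says he installed; anything else listening is suspect.
EXPECTED_PROGRAMS = {"named", "dovecot", "sendmail", "sshd", "httpd", "mysqld"}

LOOPBACK = {"127.0.0.1", "::1"}
# "0.0.0.0" and "::" are wildcard binds. On Linux a "::" socket normally
# accepts IPv4 clients too, so ":::80" is exposed on every interface.
WILDCARD = {"0.0.0.0", "::"}

# proto recv send local foreign [state] pid/program   (state absent for udp)
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<pid>\d+)/(?P<prog>.*)$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int
    program: str
    exposed: bool  # True unless bound to a loopback address


def parse_listeners(text: str) -> List[Listener]:
    """Parse netstat -anp lines into Listener records; skip anything else."""
    out: List[Listener] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, unix sockets, established connections
        # Split on the last ':' so IPv6 forms like ":::993" and "::1:953" work.
        addr, port = m.group("local").rsplit(":", 1)
        # netstat truncates the program column ("sendmail: acce"); keep the
        # executable name only.
        program = m.group("prog").split(":")[0].split()[0]
        out.append(Listener(
            proto=m.group("proto"),
            addr=addr,
            port=int(port),
            pid=int(m.group("pid")),
            program=program,
            exposed=addr not in LOOPBACK,
        ))
    return out


def exposed_services(listeners: List[Listener]) -> Dict[str, List[int]]:
    """Map program name -> sorted ports reachable from other hosts."""
    ports: Dict[str, Set[int]] = {}
    for l in listeners:
        if l.exposed:
            ports.setdefault(l.program, set()).add(l.port)
    return {prog: sorted(p) for prog, p in ports.items()}


def unexpected_listeners(listeners: List[Listener],
                         expected: Set[str]) -> List[Listener]:
    """Listeners whose program is not in the admin's inventory."""
    return [l for l in listeners if l.program not in expected]


if __name__ == "__main__":
    ls = parse_listeners(NETSTAT_OUTPUT)
    for prog, ports in sorted(exposed_services(ls).items()):
        print(f"exposed  {prog:<10} {ports}")
    for l in unexpected_listeners(ls, EXPECTED_PROGRAMS):
        print(f"UNKNOWN  {l.program} pid={l.pid} {l.addr}:{l.port}")
```

Run against the post's listing this reports named, sshd, sendmail, dovecot and httpd as exposed, MySQL as loopback-only, and no unknown program, so the listening sockets alone do not point at a backdoor. Two caveats apply: a `netstat` run on a box suspected of compromise can be lying if the binary or kernel has been tampered with, so confirm the exposed ports with a scan from a separate host; and the listing says nothing about what removed `/etc/shadow`. For that, an audit watch such as `auditctl -w /etc/shadow -p wa -k shadow` records the process and user behind the next write or unlink, which is the evidence the poster actually needs.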