Have I been hacked? Shadow file deleted
Jose Luis Hime
jhime at synchro.com.br
Thu Sep 8 19:45:11 UTC 2005
Hello,
I installed a new server on Tuesday using Fedora Core 4 and today the shadow
file was deleted three times. Since nothing was being done on the box at
those times, I believe I was hacked.
I am using the new Fedora Core 4 and I have the following services running:
- named (from Fedora installation)
- dovecot (from Fedora installation) (for imap/pop3)
- sendmail (from Fedora installation)
- clamav (an anti-virus that I have been using for more than 1 year without problems) (the latest version from the vendor)
- sshd (from Fedora installation)
- apache (version 2, the latest version from apache site)
- php5 (the latest version from the site)
- mySQL (the latest version from the site, listening only at the local port)
I WAS using mDNSResponder, but I have uninstalled it after the problems.
Since then, the server has been stable (for how long?).
The output of a 'netstat -anp' command is at the end of this e-mail.
So, do any of you know about any exploit that I must be aware of? I do not know how to get around this problem!
Thanks in advance,
J. Hime
===================================================================
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2302/mysqld
tcp 0 0 xxx.xxx.xx.xxx:53 0.0.0.0:* LISTEN 1926/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1926/named
tcp 0 0 xxx.xxx.xx.xxx:22 0.0.0.0:* LISTEN 3519/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2375/sendmail: acce
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1926/named
tcp 0 0 :::993 :::* LISTEN 2336/dovecot
tcp 0 0 :::995 :::* LISTEN 2336/dovecot
tcp 0 0 :::110 :::* LISTEN 2336/dovecot
tcp 0 0 :::143 :::* LISTEN 2336/dovecot
tcp 0 0 :::80 :::* LISTEN 2398/httpd
tcp 0 0 ::1:953 :::* LISTEN 1926/named
tcp 0 0 :::443 :::* LISTEN 2398/httpd
unix 2 [ ACC ] STREAM LISTENING 7238 2449/dbus-daemon /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 6930 2344/clamd clamav/clamd.sock
unix 2 [ ACC ] STREAM LISTENING 6996 2355/clamav-milter clmilter.sock
unix 2 [ ACC ] STREAM LISTENING 6824 2302/mysqld /var/lib/mysql/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 6934 2336/dovecot /var/run/dovecot-login/default
unix 2 [ ACC ] STREAM LISTENING 7197 2429/xfs /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 7101 2389/gpm /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 6536 2029/sdpd /var/run/sdp
unix 2 [ ACC ] STREAM LISTENING 6792 2273/acpid /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 7262 2459/hald @/tmp/hald-local/dbus-ECkyhYToch
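A triage helper, added here and not part of the original post, that parses the netstat -anp listing above and separates the services bound only to loopback from those reachable from the network. The masked address xxx.xxx.xx.xxx is kept as the poster wrote it and treated as a non-loopback address.

```python
# Constructed sample input: the TCP listeners copied from the netstat -anp
# listing in the post above (address masked by the poster).
NETSTAT_SAMPLE = """\
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2302/mysqld
tcp 0 0 xxx.xxx.xx.xxx:53 0.0.0.0:* LISTEN 1926/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1926/named
tcp 0 0 xxx.xxx.xx.xxx:22 0.0.0.0:* LISTEN 3519/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2375/sendmail: acce
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1926/named
tcp 0 0 :::993 :::* LISTEN 2336/dovecot
tcp 0 0 :::995 :::* LISTEN 2336/dovecot
tcp 0 0 :::110 :::* LISTEN 2336/dovecot
tcp 0 0 :::143 :::* LISTEN 2336/dovecot
tcp 0 0 :::80 :::* LISTEN 2398/httpd
tcp 0 0 ::1:953 :::* LISTEN 1926/named
tcp 0 0 :::443 :::* LISTEN 2398/httpd
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(text):
    """Return (local_addr, port, program) for every LISTEN line of netstat -anp output."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] not in ("tcp", "tcp6") or fields[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 forms such as ':::80' and '::1:953' intact
        addr, _, port = fields[3].rpartition(":")
        pid_prog = fields[6]
        prog = pid_prog.split("/", 1)[1] if "/" in pid_prog else pid_prog
        found.append((addr, int(port), prog.rstrip(":")))
    return found


def exposure_report(text):
    """Group listening programs by whether they bind loopback only or are network reachable."""
    report = {"loopback_only": {}, "exposed": {}}
    for addr, port, prog in parse_listeners(text):
        bucket = "loopback_only" if addr in LOOPBACK else "exposed"
        report[bucket].setdefault(prog, set()).add(port)
    # sorted port lists make the report stable and easy to diff between runs
    return {k: {p: sorted(v) for p, v in d.items()} for k, d in report.items()}


if __name__ == "__main__":
    for bucket, progs in exposure_report(NETSTAT_SAMPLE).items():
        print(bucket, progs)
```

On the listing above, only mysqld and the rndc control port of named stay on loopback; sshd, sendmail, named, dovecot and httpd are all reachable from the network and are the services to review first when a box shows signs of compromise.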