Have I been hacked? Shadow file deleted

Jose Luis Hime jhime at synchro.com.br
Fri Sep 9 14:57:31 UTC 2005


Only I have the root password, that I change every time the shadow file is
deleted. The passwd file is ok, also.

The shadow has the following permissions:
	-r--------  1 root root 8233 Sep  9 10:01 shadow

No crontab, at or other scheduled jobs.

No suspect process in "ps".

So... the last resort is really to re-install my box.

Can I use the "update" method to fix any problems without destroying my
installation? It took me 3 days to complete it!

Thanks in any way!

-----Original Message-----
From: fedora-list-bounces at redhat.com [mailto:fedora-list-bounces at redhat.com]
On Behalf Of Scot L. Harris
Sent: Friday, September 09, 2005 11:22 AM
To: Fedora List
Subject: RE: Have I been hacked? Shadow file deleted

On Fri, 2005-09-09 at 10:06, Jose Luis Hime wrote:
> chkrootkit and rkhunter do not report any problem.
> 
> I am still with this issue, any hints?
> 

How many people have access to root?  Assume you have changed the root
password as well as checked the /etc/passwd and /etc/shadow files for
any odd entries.

What permissions does the /etc/shadow file have?

You should also check all cron jobs to see if someone set something up
there.

Last resort is to do a complete bare metal install again and keep root
password to yourself.



-- 
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list




More information about the users mailing list