Bug 176
| Field | Value |
|---|---|
| Summary | Break in via NFS |
| Product | [Retired] Red Hat Linux |
| Component | distribution |
| Version | 5.1 |
| Hardware | i386 |
| OS | Linux |
| Reporter | eric-dean |
| Assignee | Preston Brown <pbrown> |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | high |
| Keywords | Security |
| Doc Type | Bug Fix |
| Last Closed | 1998-11-24 16:48:10 UTC |

Description
eric-dean
1998-11-23 18:38:18 UTC
IMHO, these messages:

    Nov 21 16:51:33 ovm2 PAM_pwdb[6092]: (login) session opened for user mobb by (uid=0)
    Nov 21 16:51:33 ovm2 login[6092]: LOGIN ON ttyp0 BY mobb FROM pool041-max1.ds8-ca-us.dialup.earthlink.net
    Nov 21 16:51:36 ovm2 PAM_pwdb[6104]: (su) session opened for user jeremy by mobb(uid=0)

would suggest that someone actually broke in. From the following lines

    Nov 21 16:55:40 ovm2 kernel: eth0: Setting promiscuous mode.
    Nov 21 16:55:40 ovm2 kernel: eth0: Setting promiscuous mode.

it would also seem that whoever broke into your machine also put your ethernet card into promiscuous mode (it basically means that the intruder would see anything sent over that ethernet, even if the compromised computer is not a source or a destination) and probably tried to listen for passwords that way.

Did you have the NFS updates (the ones that came out at the end of August) installed?

Anyway, you may want to consider:

- reinstalling the system
- asking all people in that network to change their passwords
- being quicker in installing security updates next time.

If you are not using the latest NFS errata packages, you need to be.

    nfs-server-2.2beta29-7.i386.rpm
    nfs-server-clients-2.2beta29-7.i386.rpm

from updates.redhat.com. Please re-open this bug if you were using these versions when the break-in occurred.
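
The reasoning in the description above, as an added example that is not part of the original report: a Python scan that flags the same three signals in the quoted syslog lines (a login from a remote host, an `su` by a non-root login name running with uid 0, and an interface entering promiscuous mode shortly afterwards). The rule names, the 10-minute correlation window and the year 1998 (taken from the report date) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Log lines quoted in the report above. Syslog omits the year; 1998 is assumed
# from the report date.
SAMPLE = """\
Nov 21 16:51:33 ovm2 PAM_pwdb[6092]: (login) session opened for user mobb by (uid=0)
Nov 21 16:51:33 ovm2 login[6092]: LOGIN ON ttyp0 BY mobb FROM pool041-max1.ds8-ca-us.dialup.earthlink.net
Nov 21 16:51:36 ovm2 PAM_pwdb[6104]: (su) session opened for user jeremy by mobb(uid=0)
Nov 21 16:55:40 ovm2 kernel: eth0: Setting promiscuous mode.
Nov 21 16:55:40 ovm2 kernel: eth0: Setting promiscuous mode.
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
LOGIN = re.compile(r"LOGIN ON (\S+) BY (\S+) FROM (\S+)")
SU = re.compile(r"\(su\) session opened for user (\S+) by (\S*)\(uid=(\d+)\)")
PROMISC = re.compile(r"^(\S+): Setting promiscuous mode")
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per site

def scan(text, year=1998):
    """Return (rule, timestamp, detail) tuples for the signals described above."""
    findings, logins, seen = [], [], set()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        host, prog, msg = m[2], m[3].strip(), m[4]
        if prog == "login" and (l := LOGIN.search(msg)):
            logins.append((when, l[2], l[3]))
            findings.append(("remote-login", when, f"{l[2]} from {l[3]}"))
        elif prog.startswith("PAM") and (s := SU.search(msg)):
            # Heuristic: the su caller's login name is not root, yet its real
            # uid is 0. That combination deserves review.
            if s[3] == "0" and s[2] not in ("", "root"):
                findings.append(("uid0-non-root-su", when, f"{s[2]} -> {s[1]}"))
        elif prog == "kernel" and (p := PROMISC.search(msg)):
            if (host, when, p[1]) in seen:  # identical repeated line
                continue
            seen.add((host, when, p[1]))
            near = [u for t, u, _ in logins if timedelta(0) <= when - t <= WINDOW]
            who = ",".join(near) or "nobody"
            findings.append(("promiscuous-mode", when, f"{p[1]} after login by {who}"))
    return findings

if __name__ == "__main__":
    for kind, when, detail in scan(SAMPLE):
        print(f"{when:%b %d %H:%M:%S}  {kind:<18} {detail}")
```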