Red Hat Bugzilla – Bug 11344
Insecurity with GDM
Last modified: 2008-05-01 11:37:55 EDT
Recently, someone got into my site and installed eggbot, using user GDM. I
have all logs available.
Created attachment 236
A user on smartworld.net recently hacked into my site.
If you examine the logs, you see that they got in via some other account before
It appears they were attacking your system as early as April:
messages.2:Apr 29 17:00:38 ns PAM_pwdb: (login) session opened for user root by LOGIN(uid=0)
messages.2:Apr 29 18:25:43 ns login: FAILED LOGIN 1 FROM adsl-63-194-25-89.dsl.lsan03.pacbell.net FOR root, Authentication failure
There are other signs that users were attempting to gain access as well.
They then changed the gdm password to be able to log in via that account.
Are you sure you have all security errata for your release?
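An added example, not part of the original bug thread: a small Python triage over syslog entries in the two formats quoted in the comment above, flagging failed logins and session opens for accounts that should not see direct logins. The `triage` function, the `WATCHED` set and every sample line other than the two quoted entries are assumptions constructed for illustration.

```python
import re
from collections import Counter

# First two lines are the entries quoted in the comment above; the last three
# are constructed for illustration and do not come from the reporter's logs.
SAMPLE = """\
messages.2:Apr 29 17:00:38 ns PAM_pwdb: (login) session opened for user root by LOGIN(uid=0)
messages.2:Apr 29 18:25:43 ns login: FAILED LOGIN 1 FROM adsl-63-194-25-89.dsl.lsan03.pacbell.net FOR root, Authentication failure
messages.2:Apr 29 18:25:51 ns login: FAILED LOGIN 2 FROM host.example.net FOR root, Authentication failure
messages.1:May  2 03:10:07 ns PAM_pwdb: (login) session opened for user gdm by LOGIN(uid=0)
messages.1:May  2 03:12:44 ns PAM_pwdb: (su) session opened for user alice by bob(uid=500)
"""

# Optional "messages.N:" prefix (added by grep over rotated files), then syslog fields.
LINE = re.compile(
    r"^(?:(?P<file>[\w.\-]+):)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
FAILED = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>[^,]+),")
OPENED = re.compile(r"\((?P<svc>\w+)\) session opened for user (?P<user>\S+) by ")
WATCHED = {"root", "gdm"}  # assumption: accounts that should never log in directly

def triage(text, watched=WATCHED):
    """Return (failed-login counts per (source, user), session opens for watched users)."""
    failed, sessions = Counter(), []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a syslog line in the expected shape
        msg = m.group("msg")
        f = FAILED.search(msg)
        if f and f.group("user") in watched:
            failed[(f.group("src"), f.group("user"))] += 1
            continue
        o = OPENED.search(msg)
        if o and o.group("user") in watched:
            sessions.append((m.group("ts"), o.group("svc"), o.group("user")))
    return failed, sessions

if __name__ == "__main__":
    failed, sessions = triage(SAMPLE)
    for (src, user), n in failed.most_common():
        print(f"failed login x{n} for {user} from {src}")
    for ts, svc, user in sessions:
        print(f"{ts}: ({svc}) session opened for {user}")
```

A session opened for a service account such as gdm is the entry worth following up first, since that account has no reason to hold a login session of its own.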
Created attachment 238
This is a log of a chat in irc.concentric.net in channel #phazed, which also evidences the security problems by the number of users named gdm.
This was an inside job. It's also an important lesson about who not to give a
shell account to.