[CentOS] Another Fedora decision

Thu Feb 5 23:07:10 UTC 2015
Les Mikesell <lesmikesell at gmail.com>

On Thu, Feb 5, 2015 at 4:39 PM, Valeri Galtsev
<galtsev at kicp.uchicago.edu> wrote:
>
>>
>> Yes, /etc/shadow would have always been readable only by root by
>> default.   The interesting question here is whether an intruder did
>> it, clumsily leaving evidence behind, or whether it is just a local
>> change from following some bad advice about things that need to be
>> changed - or running some script to make those changes.  The latter
>> seems more likely to me.
>>
>
> Be it me, I would consider box compromised. All done on/from that box
> since the probable day it happened compromised as well. If there is no way to
> establish the day, then since that system was originally built. With full
> blown sweeping up the consequences. Finding really-really-really
> convincing proof it is not a result of compromise (and yes, fight one's
> wishful thinking!).

You aren't being paranoid enough.  If it happened as a result of
following some instructions or running a script, it's not just the box
that is compromised, it is everything you think you know.   On the
other hand it could have just been an accidental typo.


-- 
   Les Mikesell
     lesmikesell at gmail.com
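
A check for the condition discussed in this thread, added as an example and not written by either poster: it flags /etc/shadow when anyone other than root has access and reports the inode change time as a starting point for dating the change. The function name is hypothetical, and it assumes GNU coreutils stat as shipped on CentOS.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils stat (CentOS).

# check_shadow_perms FILE [EXPECTED_UID]   (hypothetical helper name)
# Returns 0 if FILE is owned by EXPECTED_UID (default 0, root) and grants
# nothing to group or other; 1 on a finding; 2 if FILE cannot be examined.
check_shadow_perms() {
    file=$1
    want_uid=${2:-0}
    [ -e "$file" ] || { echo "$file: missing"; return 2; }

    mode=$(stat -c '%a' "$file") || return 2
    uid=$(stat -c '%u' "$file") || return 2
    # ctime is the last inode change (chmod, chown or a rewrite of the file).
    # It bounds when the current state appeared; it does not prove that the
    # mode was changed at that moment, since a later password change also
    # updates it.
    ctime=$(stat -c '%z' "$file") || return 2

    findings=""
    # Treat the octal mode string as a number and mask group/other bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        findings="$findings group/other access bits set;"
    fi
    if [ "$uid" -ne "$want_uid" ]; then
        findings="$findings owner uid is $uid, expected $want_uid;"
    fi

    if [ -n "$findings" ]; then
        echo "FINDING $file mode=$mode uid=$uid ctime=$ctime:$findings"
        return 1
    fi
    echo "OK $file mode=$mode uid=$uid ctime=$ctime"
    return 0
}

# Stand-alone run against the real file; stat needs no read access to it.
check_shadow_perms /etc/shadow || echo "exit status $?"
```

A finding here says only that the file is in the wrong state now; telling an intruder from a local script or typo still needs shell history, configuration management logs and backups compared against the reported ctime.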