Ok, I have found the replaced files in the /bin directory. They replaced the
login, ls, netstat, ps, and pwd files. I have restored those from the backup
and am able to get into the server again. I was able to access the server by
enabling the rlogin from single user mode and logging in remotely. Is there
any way to look at these files to see what exactly they were doing? I may
be able to get additional information to track this person down. The
anonymous ftp came from Aurora.kerszov.hu (194.196.10.181).
Thanks,
Gary
> After a hack, it's possible that the pwconv program has been altered, as
> well as the login, etc...
>
> Look & see if the passwd file is there or not (both the normal one & the
> pam one), & see if they've been modified.
>
> Also, check the login program... One of the hacks on those looks like a
> failed login, so that you try all your different passwords (thinking
> you've misremembered which one to use on a particular system), and records
> all those passwords for the cracker to use later.
>
> > -----Original Message-----
> > From: Gary Carr [SMTP:[EMAIL PROTECTED]]
> > Sent: Tuesday, August 08, 2000 1:12 PM
> > To: [EMAIL PROTECTED]
> > Subject: can not log in as root or a user
> >
> > One of our servers may have gotten hacked thru the ftp bug causing all
> > logins to get denied. I can not log into the server as root or any other
> > login unless I boot to single user mode. I have checked for the nologin
> > file in the /etc directory and it is not present. What else do I need to
> > check to find the cause of not being able to log into the console as root
> > or any other user? BTW, I have also booted to single user mode and changed
> > the root password and even run the passconv program to make sure the
> > shadow file gets updated. I'm at a loss here and any help would be
> > appreciated.
> >
> >
> > Thanks,
> >
> > Gary
> >
> > _______________________________________________
> > Redhat-list mailing list
> > [EMAIL PROTECTED]
> > https://listman.redhat.com/mailman/listinfo/redhat-list
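
On the question in the top message about looking at the replaced files: the sketch below is an added example, not part of the original thread. It reads preserved copies of the five named binaries without executing them and reports which differ from the backup and which printable strings appear only in the suspect copy. It assumes the suspect files were copied aside before the restore; the directory names, file contents and the `/tmp/EXAMPLE-capture.log` path are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The five binaries the message names as replaced.
REPLACED = ["login", "ls", "netstat", "ps", "pwd"]

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def printable_strings(path, min_len=6):
    """Runs of printable ASCII in a file, similar to strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, Path(path).read_bytes())}

def triage(suspect_dir, known_good_dir, names=REPLACED):
    """Statically compare preserved suspect files with known-good copies.
    Files are only read, never executed."""
    report = {}
    for name in names:
        suspect, good = Path(suspect_dir, name), Path(known_good_dir, name)
        if not (suspect.is_file() and good.is_file()):
            report[name] = {"modified": None, "new_strings": []}  # cannot compare
            continue
        modified = sha256(suspect) != sha256(good)
        extra = printable_strings(suspect) - printable_strings(good) if modified else set()
        report[name] = {"modified": modified, "new_strings": sorted(extra)}
    return report

def demo():
    """Constructed sample data: small stand-in files, not real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        good, evidence = Path(tmp, "backup"), Path(tmp, "evidence")
        good.mkdir()
        evidence.mkdir()
        for name in REPLACED:
            body = b"\x7fELF\x00\x01" + name.encode() + b"\x00usage: %s [options]\x00"
            (good / name).write_bytes(body)
            (evidence / name).write_bytes(body)
        # Constructed difference: the suspect login carries an extra file path.
        tampered = (good / "login").read_bytes() + b"\x00/tmp/EXAMPLE-capture.log\x00"
        (evidence / "login").write_bytes(tampered)
        return triage(evidence, good)

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Strings that exist only in the suspect copy (file paths, host names, format strings) are the usual starting points for working out what a replaced binary logged or hid.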