Hi Krishnanarayanan,

> http://cobalt-knowledge.sun.com
> Article Reference # 011210-000000
>
> Mircea Ivan wrote:
>
> > Password file locked on RaQ4
> >
> > Anybody got an idea ?

Yepp <waving hand>. In the last four weeks I've seen that on six RaQ3's and RaQ4's. Except for two machines, they had all patches in place; half of the boxes had OpenSSH-3.02 installed. None of the machines had received any hardening other than that. One of the machines had an earlier unfixed compromise (knark rootkit).

The Admin Interface gives this nondescriptive error message when you try to add, edit or delete a user, right?

Ok, check the permissions of /etc/shadow. Confirm that the file is there and that user "root" can access it. The permissions *should* be 400 root:root. See the related discussion on the security-list.

Now try to edit the file in "vi" and save your changes. Do not copy it and work on the copy, but edit /etc/shadow directly.

If you fail to be able to save the changes as "root", then be welcome to the club of the owned ones.

In my case(s) a loadable kernel module had been inserted into the kernel which prevented user "root" from modifying /etc/shadow and other files. The module also masked itself pretty well and hid certain files and folders in /proc and /usr/local/src/.

Analysis of a coredump and /proc/ seem to point into the general direction of KIS, although I didn't have the time for a thorough investigation as the customers were already impatiently waving with the OS-Restore-CD.

--
Mit freundlichen Grüßen / With best regards

Michael Stauber
[EMAIL PROTECTED]
Unix/Linux Support Engineer

_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
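
The checks described in this message, written as a shell function that opens the file for append instead of saving it from vi, so nothing is modified. This is an added example, not part of the original post; the function names and status strings are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: non-destructive version of the /etc/shadow checks from the post.
# Function names and status strings are hypothetical, not from any Cobalt tool.

# Open FILE for append and close it again. Nothing is written, so the
# contents stay unchanged. The subshell keeps a failed redirection on the
# special builtin ":" from terminating a strict POSIX shell.
can_append() {
    ( : >> "$1" ) 2>/dev/null
}

# Print one status word for FILE: "missing", "perms <mode> <uid>:<gid>",
# "locked" or "ok". WANT_OWNER is numeric uid:gid (0:0 means root:root).
audit_shadow() {
    file=$1
    want_owner=${2:-0:0}
    [ -f "$file" ] || { echo "missing"; return 0; }

    # Octal mode and numeric owner, e.g. "400 0:0".
    meta=$(stat -c '%a %u:%g' "$file" 2>/dev/null) || { echo "missing"; return 0; }
    if [ "$meta" != "400 $want_owner" ]; then
        echo "perms $meta"
        return 0
    fi

    # Only meaningful as root: root bypasses mode 400, so a refused open
    # for append means something below the permission bits is blocking it.
    if [ "$(id -u)" -eq 0 ] && ! can_append "$file"; then
        echo "locked"
        return 0
    fi
    echo "ok"
}

# Run against the real file only when asked to: sh script.sh --run (as root)
if [ "${1:-}" = "--run" ]; then
    audit_shadow /etc/shadow 0:0
fi
```

A `locked` result as root, on a file that `lsattr` does not show as immutable, matches the symptom described in the message. An `ok` result from a kernel that may already be compromised proves nothing, since the module described above hid files from the running system.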
