Re: Root is GONE
Hello Mr. L.,

> I managed to enter through grub

After this event, please reinstall your box, because the intruder has probably left backdoors open. After the installation please run all updates, preferably downloaded with another safe box.

Bye,
Leonard.

--
How clean is a war when you shoot around nuclear waste? Stop the use of depleted uranium ammo! End all weapons of mass destruction.

--
redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED] https://www.redhat.com/mailman/listinfo/redhat-list
Root is GONE
Assistance is both urgent and appreciated. Obviously I have been compromised. I run 7.3 Valhalla. I went to log in to my server as root today and received the message:

Usr root does not exist

Upon research this is in fact the case. I boot from grub and as the boot sequence progresses it gives:

getpwnam failed for [EMAIL PROTECTED]
Swap Space [OK]

I can log in as user only. I think it is my shadow that's been breached. Boot disk does not even work (possibly because of an earlier kernel config). This is my only server... please help if you can.

Les
Re: Root is GONE
IF you have been hacked, you should just back up your data and reinstall. Are you sure there's no other way you could have lost your /etc/passwd file? That's basically the problem - /etc/passwd is either missing or corrupted - and thus it can't find the root user. I don't think shadow has much to do with it. If you can copy /etc/passwd from a good RH machine of the same version, and then run the passwd command from single-user mode, you should be at least in a little better shape.

Jon

On Mon, 21 Jul 2003, Mr. L.R. Adrian wrote:

> Assistance is both urgent and appreciated. Obviously I have been compromised. I run 7.3 Valhalla. I went to log in to my server as root today and received the message:
>
> Usr root does not exist
>
> Upon research this is in fact the case. I boot from grub and as the boot sequence progresses it gives:
>
> getpwnam failed for [EMAIL PROTECTED]
> Swap Space [OK]
>
> I can log in as user only. I think it is my shadow that's been breached. Boot disk does not even work (possibly because of an earlier kernel config). This is my only server... please help if you can.
>
> Les
Re: Root is GONE
Thanks for the quick response. I don't claim to be great with Linux (probably borderline mediocre :O). But I tried to get to the boot prompt to enter linux single but could not do it. As an ordinary user I can't seem to accomplish anything once in. Can I not run single user mode because of GRUB???

thanks
Les

----- Original Message -----
From: Jonathan Bartlett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 21, 2003 2:57 PM
Subject: Re: Root is GONE

> IF you have been hacked, you should just back up your data and reinstall. Are you sure there's no other way you could have lost your /etc/passwd file? That's basically the problem - /etc/passwd is either missing or corrupted - and thus it can't find the root user. I don't think shadow has much to do with it. If you can copy /etc/passwd from a good RH machine of the same version, and then run the passwd command from single-user mode, you should be at least in a little better shape.
>
> Jon
>
> On Mon, 21 Jul 2003, Mr. L.R. Adrian wrote:
>
> > Assistance is both urgent and appreciated. Obviously I have been compromised. I run 7.3 Valhalla. I went to log in to my server as root today and received the message:
> >
> > Usr root does not exist
> >
> > Upon research this is in fact the case. I boot from grub and as the boot sequence progresses it gives:
> >
> > getpwnam failed for [EMAIL PROTECTED]
> > Swap Space [OK]
> >
> > I can log in as user only. I think it is my shadow that's been breached. Boot disk does not even work (possibly because of an earlier kernel config). This is my only server... please help if you can.
> >
> > Les
Re: Root is GONE
Also, in /etc/ there are three passwd files:

passwd
passwd-
and passwd.OLD

The bottom two contain the root listing on the top line. In the passwd file this is deleted. Tried of course to overwrite but no permissions.

Les

----- Original Message -----
From: Jonathan Bartlett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 21, 2003 2:57 PM
Subject: Re: Root is GONE

> IF you have been hacked, you should just back up your data and reinstall. Are you sure there's no other way you could have lost your /etc/passwd file? That's basically the problem - /etc/passwd is either missing or corrupted - and thus it can't find the root user. I don't think shadow has much to do with it. If you can copy /etc/passwd from a good RH machine of the same version, and then run the passwd command from single-user mode, you should be at least in a little better shape.
>
> Jon
>
> On Mon, 21 Jul 2003, Mr. L.R. Adrian wrote:
>
> > Assistance is both urgent and appreciated. Obviously I have been compromised. I run 7.3 Valhalla. I went to log in to my server as root today and received the message:
> >
> > Usr root does not exist
> >
> > Upon research this is in fact the case. I boot from grub and as the boot sequence progresses it gives:
> >
> > getpwnam failed for [EMAIL PROTECTED]
> > Swap Space [OK]
> >
> > I can log in as user only. I think it is my shadow that's been breached. Boot disk does not even work (possibly because of an earlier kernel config). This is my only server... please help if you can.
> >
> > Les
Re: Root is GONE
Mr. L.R. Adrian wrote:

> Thanks for the quick response. I don't claim to be great with Linux (probably borderline mediocre :O). But I tried to get to the boot prompt to enter linux single but could not do it. As an ordinary user I can't seem to accomplish anything once in. Can I not run single user mode because of GRUB???

You should be able to get into single user mode via grub.
- At the grub menu hit e
- Choose the line starting with kernel, add single, and hit enter
- Hit b to boot

If you can't do this because you have a grub password you can't remember, or something, use the redhat install cdrom and type rescue at the initial prompt before the cdrom boots.

> thanks
> Les
>
> ----- Original Message -----
> From: Jonathan Bartlett [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, July 21, 2003 2:57 PM
> Subject: Re: Root is GONE
>
> > IF you have been hacked, you should just back up your data and reinstall. Are you sure there's no other way you could have lost your /etc/passwd file? That's basically the problem - /etc/passwd is either missing or corrupted - and thus it can't find the root user. I don't think shadow has much to do with it. If you can copy /etc/passwd from a good RH machine of the same version, and then run the passwd command from single-user mode, you should be at least in a little better shape.
> >
> > Jon
> >
> > On Mon, 21 Jul 2003, Mr. L.R. Adrian wrote:
> >
> > > Assistance is both urgent and appreciated. Obviously I have been compromised. I run 7.3 Valhalla. I went to log in to my server as root today and received the message:
> > >
> > > Usr root does not exist
> > >
> > > Upon research this is in fact the case. I boot from grub and as the boot sequence progresses it gives:
> > >
> > > getpwnam failed for [EMAIL PROTECTED]
> > > Swap Space [OK]
> > >
> > > I can log in as user only. I think it is my shadow that's been breached. Boot disk does not even work (possibly because of an earlier kernel config). This is my only server... please help if you can.
> > >
> > > Les

--
Once you have their hardware. Never give it back.
(The First Rule of Hardware Acquisition)
Sam Flory [EMAIL PROTECTED]
Re: Root is GONE
Mr. L.R. Adrian wrote:

> Also, in /etc/ there are three passwd files:
>
> passwd
> passwd-

These are normally there.

> and passwd.OLD

This is not normally on most systems. Maybe someone was editing the password file by hand. Or possibly a broken script. Maybe from some script kiddy.

> The bottom two contain the root listing on the top line. In the passwd file this is deleted. Tried of course to overwrite but no permissions.

--
Once you have their hardware. Never give it back.
(The First Rule of Hardware Acquisition)
Sam Flory [EMAIL PROTECTED]
Re: Root is GONE
THANK YOU THANK YOU

I managed to enter through grub, became single user, then used pico to overwrite the passwd file with the missing line. Upon reboot now I have su back but no passwd. Before I proceed can you verify something? If I go back into grub and single user, is the command passwd root to change the root passwd? Then type reboot???

Les

----- Original Message -----
From: Samuel Flory [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, July 21, 2003 3:23 PM
Subject: Re: Root is GONE

> Mr. L.R. Adrian wrote:
>
> > Also, in /etc/ there are three passwd files:
> >
> > passwd
> > passwd-
>
> These are normally there.
>
> > and passwd.OLD
>
> This is not normally on most systems. Maybe someone was editing the password file by hand. Or possibly a broken script. Maybe from some script kiddy.
>
> > The bottom two contain the root listing on the top line. In the passwd file this is deleted. Tried of course to overwrite but no permissions.
>
> --
> Once you have their hardware. Never give it back.
> (The First Rule of Hardware Acquisition)
> Sam Flory [EMAIL PROTECTED]
RE: root privileges gone!!
As root use the command chsh. This will change it for you.

-cs

-----Original Message-----
From: Johansson Henrik (Svensk Börsinformation) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 16, 2002 1:26 PM
To: '[EMAIL PROTECTED]'
Subject: root privileges gone!!

> I managed to (don't ask how) set the root login shell to /bin/bash and now I can't change it!! I tried su -s /bin/sh but it didn't work. I think it was because /bin/false is not in /etc/shells. Anybody know how to fix this? Preferably without restarting the machine.
>
> - Henrik

___
Redhat-list mailing list [EMAIL PROTECTED] https://listman.redhat.com/mailman/listinfo/redhat-list
root privileges gone!!
I managed to (don't ask how) set the root login shell to /bin/bash and now I can't change it!! I tried su -s /bin/sh but it didn't work. I think it was because /bin/false is not in /etc/shells. Anybody know how to fix this? Preferably without restarting the machine.

- Henrik
RE: root privileges gone!!
edit /etc/passwd and change it there

-----Original Message-----
From: Johansson Henrik (Svensk Börsinformation) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 16, 2002 12:26 PM
To: '[EMAIL PROTECTED]'
Subject: root privileges gone!!

> I managed to (don't ask how) set the root login shell to /bin/bash and now I can't change it!! I tried su -s /bin/sh but it didn't work. I think it was because /bin/false is not in /etc/shells. Anybody know how to fix this? Preferably without restarting the machine.
>
> - Henrik
SV: root privileges gone!!
Tried that but I can't get around the privileges. Not allowed to edit /etc/passwd. Can't add another user with proper rights either.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 16 May 2002 19:30
To: [EMAIL PROTECTED]
Subject: RE: root privileges gone!!

> edit /etc/passwd and change it there
>
> -----Original Message-----
> From: Johansson Henrik (Svensk Börsinformation) [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 16, 2002 12:26 PM
> To: '[EMAIL PROTECTED]'
> Subject: root privileges gone!!
>
> > I managed to (don't ask how) set the root login shell to /bin/bash and now I can't change it!! I tried su -s /bin/sh but it didn't work. I think it was because /bin/false is not in /etc/shells. Anybody know how to fix this? Preferably without restarting the machine.
> >
> > - Henrik
Re: SV: root privileges gone!!
Looks to me that it is the time to init 1, then edit /etc/passwd.

Good luck!
Francisco

[EMAIL PROTECTED] 16/05/02 12:31

> Tried that but I can't get around the privileges. Not allowed to edit /etc/passwd. Can't add another user with proper rights either.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 16 May 2002 19:30
> To: [EMAIL PROTECTED]
> Subject: RE: root privileges gone!!
>
> > edit /etc/passwd and change it there
> >
> > -----Original Message-----
> > From: Johansson Henrik (Svensk Börsinformation) [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, May 16, 2002 12:26 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: root privileges gone!!
> >
> > > I managed to (don't ask how) set the root login shell to /bin/bash and now I can't change it!! I tried su -s /bin/sh but it didn't work. I think it was because /bin/false is not in /etc/shells. Anybody know how to fix this? Preferably without restarting the machine.
> > >
> > > - Henrik
Re: SV: root privileges gone!!
Johansson Henrik (Svensk Börsinformation) wrote:

> Tried that but I can't get around the privileges. Not allowed to edit /etc/passwd. Can't add another user with proper rights either.

Try sudo'ing into the root account from another user. If not, there is no (known to me) way around this but to reboot or init 1 at least.

Cheers,

--
Javier Gostling
Ingeniero de Sistemas
Virtualia S.A.
[EMAIL PROTECTED]
Fono: +56 (2) 202-6264 x 130
Fax: +56 (2) 342-8763
Av. Kennedy 5757, of 1502
Las Condes
Santiago
Chile
Re: SV: root privileges gone!!
> Tried that but I can't get around the privileges. Not allowed to edit /etc/passwd. Can't add another user with proper rights either.

I'm not sure I understand the heart of the problem, but maybe try booting into single user mode? Maybe you'll somehow have the appropriate permissions then?

--
Bruce Tong                 |  Got me an office; I'm there late at night.
Sr. Software Engineer      |  Just send me e-mail, maybe I'll write.
Electronic Vision / FITNE  |
[EMAIL PROTECTED]          |  -- Joe Walsh for the 21st Century
SV: SV: root privileges gone!!
I tried sudo as well but I was not allowed to use sudo. I feared that I have to reboot, which is bad because the computer is physically unavailable. At least before I have made a phone call.

Thanks for all the help!

/ Henrik

-----Original Message-----
From: Bruce Tong [mailto:[EMAIL PROTECTED]]
Sent: 16 May 2002 20:59
To: '[EMAIL PROTECTED]'
Subject: Re: SV: root privileges gone!!

> > Tried that but I can't get around the privileges. Not allowed to edit /etc/passwd. Can't add another user with proper rights either.
>
> I'm not sure I understand the heart of the problem, but maybe try booting into single user mode? Maybe you'll somehow have the appropriate permissions then?
>
> --
> Bruce Tong                 |  Got me an office; I'm there late at night.
> Sr. Software Engineer      |  Just send me e-mail, maybe I'll write.
> Electronic Vision / FITNE  |
> [EMAIL PROTECTED]          |  -- Joe Walsh for the 21st Century
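An added example, not part of either thread and not any poster's code: a read-only shell check for the account-file conditions discussed in the two threads above (root entry missing from passwd while passwd- still has it, a stray passwd.OLD, a root shell not listed in shells, extra UID 0 accounts). The function name `audit_accounts` and the finding labels are assumptions made for this example; point it at /etc, a copy of it, or the etc directory of a root filesystem mounted from rescue media.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of passwd-style files.
# $1 is a directory laid out like /etc; nothing in it is modified.
# Prints one finding per line and returns 1 if anything was found.
audit_accounts() {
    etc=${1:-/etc}
    pw="$etc/passwd"
    rc=0

    # 1. root must have an entry, otherwise getpwnam("root") fails at boot.
    root_line=$(grep '^root:' "$pw" 2>/dev/null | head -n 1)
    if [ -z "$root_line" ]; then
        echo "MISSING_ROOT: no root entry in $pw"; rc=1
        # The passwd- backup may still hold the line that was removed.
        if grep -q '^root:' "$pw-" 2>/dev/null; then
            echo "BACKUP_HAS_ROOT: $pw- still contains a root entry"
        fi
    else
        uid=$(printf '%s\n' "$root_line" | cut -d: -f3)
        [ "$uid" = 0 ] || { echo "ROOT_UID: root has UID $uid"; rc=1; }
        # 2. su treats a shell missing from shells as restricted and
        #    ignores -s for callers who are not already root.
        shell=$(printf '%s\n' "$root_line" | cut -d: -f7)
        if ! grep -qxF -- "$shell" "$etc/shells" 2>/dev/null; then
            echo "ROOT_SHELL: $shell is not listed in $etc/shells"; rc=1
        fi
    fi

    # 3. Any other UID 0 account is a second root and needs explaining.
    extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$pw" 2>/dev/null)
    for u in $extra; do echo "EXTRA_UID0: $u"; rc=1; done

    # 4. passwd- is the expected backup; other copies (passwd.OLD) are not.
    for f in "$etc"/passwd?*; do
        [ -e "$f" ] || continue
        case ${f##*/} in
            passwd-) ;;
            *) echo "STRAY_COPY: ${f##*/}"; rc=1 ;;
        esac
    done
    return $rc
}
```

A finding here only says where to look; on a host that may have been compromised, the reinstall advice given in the first thread still applies.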