SEO

Stock Slackware 10.2 install. Up about six weeks with rudimentary
password and login as root. This morning's session went fine, but I
must have picked up a bug or virus because I cannot log in again this
afternoon. Any ideas on how go get into the system? Rebooting with the
install disk and using "passwd" does not work. I really would not like
to rebuild this disk, but if I have to - I have to.

Any ideas gratefully accepted.

Marv

On 2006-07-19, Marv Soloff <msoloff@worldnet.att.net> wrote:
> Stock Slackware 10.2 install. Up about six weeks with rudimentary
> password and login as root. This morning's session went fine, but I
> must have picked up a bug or virus because I cannot log in again this
> afternoon.

"A bug or virus"? If it was an easily crackable root password, and your
box was on the public internet, then you've probably been cracked. If
that's the case, it's really safest to erase and reinstall. (Note, not
just reinstall, but erase!)

To verify that, boot off of known-good media and run something like
chkrootkit.

To prevent potential future cracks, disallow ssh in as root, and pick a
strong password for root and any users you have.

> Any ideas on how go get into the system? Rebooting with the
> install disk and using "passwd" does not work.

Rebooting with the install disk and using passwd sets the password for
the ramdisk loaded into memory, not the password on your hard disk. To
change the password on disk, mount your partitions (say under /mnt), run
chroot /mnt, then try to run passwd (this procedure untested).

> I really would not like
> to rebuild this disk, but if I have to - I have to.

If you can find convincing evidence that you've been cracked, then you
have to. But don't overreact too much yet; it's possible that you just
b0rked something along the line. IIRC the new FAQ has some helpful
information to tell if you've been cracked; try
http://www.therockgarden.ca/aolsfaq.txt and look for the entry "Help! I
think I've been hacked!!!"

--keith

--
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
see X- headers for PGP signature information

Great Thanks! Will try these suggestions.

Marv

Keith Keller wrote:
> On 2006-07-19, Marv Soloff <msoloff@worldnet.att.net> wrote:
>
>>Stock Slackware 10.2 install. Up about six weeks with rudimentary
>>password and login as root. This morning's session went fine, but I
>>must have picked up a bug or virus because I cannot log in again this
>>afternoon.
>
>
> "A bug or virus"? If it was an easily crackable root password, and your
> box was on the public internet, then you've probably been cracked. If
> that's the case, it's really safest to erase and reinstall. (Note, not
> just reinstall, but erase!)
>
> To verify that, boot off of known-good media and run something like
> chkrootkit.
>
> To prevent potential future cracks, disallow ssh in as root, and pick a
> strong password for root and any users you have.
>
>
>>Any ideas on how go get into the system? Rebooting with the
>>install disk and using "passwd" does not work.
>
>
> Rebooting with the install disk and using passwd sets the password for
> the ramdisk loaded into memory, not the password on your hard disk. To
> change the password on disk, mount your partitions (say under /mnt), run
> chroot /mnt, then try to run passwd (this procedure untested).
>
>
>>I really would not like
>>to rebuild this disk, but if I have to - I have to.
>
>
> If you can find convincing evidence that you've been cracked, then you
> have to. But don't overreact too much yet; it's possible that you just
> b0rked something along the line. IIRC the new FAQ has some helpful
> information to tell if you've been cracked; try
> http://www.therockgarden.ca/aolsfaq.txt and look for the entry "Help! I
> think I've been hacked!!!"
>
> --keith
>

Marv Soloff wrote:
> afternoon. Any ideas on how go get into the system? Rebooting with the
> install disk and using "passwd" does not work.

Boot from an install cdrom,( or any linux bootable cd)
mount the partition that has /etc/shadow.
Delete the hashed password entry for root.
(Not the whole line, just the part thats represents the password.)

Now when you reboot, root has a blank password.

note: You should really only do that if you just forgot
your password, not if you got cracked.

--
paul w.

Marv Soloff <msoloff@worldnet.att.net> wrote:
> Stock Slackware 10.2 install. Up about six weeks with rudimentary
> password and login as root.

I hope that you are aware that you should do most of your work as an
ordinary user and only su to root when you absolutely have to.

> This morning's session went fine, but I must have picked up a bug or
> virus because I cannot log in again this afternoon.

If you do a mistake or run any kind of trojan as root you can really mess
things up. Others have already given pointers on how to reset the root
password and to reinstall from scratch if you think you have been hacked.

regards Henrik
--
The address in the header is only to prevent spam. My real address is:
hc8(at)uthyres.com Examples of addresses which go to spammers:
root@variousus.net root@localhost

paul wisehart <pkw@lupulin.net>:
> Marv Soloff wrote:
> > afternoon. Any ideas on how go get into the system? Rebooting with the
> > install disk and using "passwd" does not work.
>
> Boot from an install cdrom,( or any linux bootable cd)
> mount the partition that has /etc/shadow.
> Delete the hashed password entry for root.
> (Not the whole line, just the part thats represents the password.)
>
> Now when you reboot, root has a blank password.
>
> note: You should really only do that if you just forgot
> your password, not if you got cracked.

And disconnect from the net before you do any of it. No point in
fixing it if the cracker's watching you do it (keystroke loggers ...).


--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html
Spammers! http://www.spots.ab.ca/~keeling/emails.html

paul wisehart wrote:
> Marv Soloff wrote:
>
>> afternoon. Any ideas on how go get into the system? Rebooting with
>> the install disk and using "passwd" does not work.
>
>
> Boot from an install cdrom,( or any linux bootable cd)
> mount the partition that has /etc/shadow.
> Delete the hashed password entry for root.
> (Not the whole line, just the part thats represents the password.)
>
> Now when you reboot, root has a blank password.
>
> note: You should really only do that if you just forgot
> your password, not if you got cracked.
>
> --
> paul w.

Does not work - used vi to delete hashes on both etc/passwd and
etc/shadow. Thanks anyway.

Marv

Marv Soloff wrote:
> Does not work - used vi to delete hashes on both etc/passwd and
> etc/shadow. Thanks anyway.
>
Yes, it works. You did something wrong.
There's nothing to delete from /etc/passwd.
--
paul

On Wed, 19 Jul 2006 12:48:24 -0700
Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:
> On 2006-07-19, Marv Soloff <msoloff@worldnet.att.net> wrote:
> > Stock Slackware 10.2 install. Up about six weeks with rudimentary
> > password and login as root. This morning's session went fine, but I
> > must have picked up a bug or virus because I cannot log in again this
> > afternoon.
>
....
>
> If you can find convincing evidence that you've been cracked, then you
> have to. But don't overreact too much yet; it's possible that you just
> b0rked something along the line. IIRC the new FAQ has some helpful
> information to tell if you've been cracked; try
> http://www.therockgarden.ca/aolsfaq.txt and look for the entry "Help! I
> think I've been hacked!!!"
>

Perhaps, this writeup can be useful, too:

http://www.ducea.com/2006/07/17/how-...-linux-server/

--
Mikhail

paul wisehart wrote:
> Marv Soloff wrote:
>
>> Does not work - used vi to delete hashes on both etc/passwd and
>> etc/shadow. Thanks anyway.
>>
> Yes, it works. You did something wrong.
> There's nothing to delete from /etc/passwd.
> --
> paul

Not to be a wiseass, I mounted the partition (hda1) and went to
etc/shadow. The root entry has a 4 digit number and a batch of zeros.
Comparing this entry to one of my other 10.2 drives, the #2 drive shows
a large entry, hashed, for this root entry. If I edit this entry, I will
most likely wind up with no root password. The problem is, what am I
mounting when I mount hda1?

You may me right, that I am doing something wrong. However, at this
point, I don' know what

Regards,

Marv