Help! I Was Hacked, Need help recovering root user
tl511
post Nov 29 2003, 02:22 AM
Post #1





I hate to admit this, but I was hacked. Today I ssh'd to my box and no root user was there. Actually, there is an entry in /etc/passwd for root and /etc/shadow, but I cannot su as root nor is there any root icon at login screen (SuSE 8.0).

Can anyone help? I tried passwd recovery many ways but nothing seems to change it when I normal boot. I can get on the system as the other users, but not as root. What can I do? I closed all the ports on my firewall until I figure out how I was hacked. I did notice in my log that just recently this showed up (as in today) inetd getpwnam: root: No such user.

I tried removing the text between the first two colons after root in /etc/shadow but it did not seem to help. Any ideas how I can get back in as root?

Thanks for the help,
hughesjr
post Nov 29 2003, 08:30 AM
Post #2





Yes ... I can probably get you back in as root ...

BUT then you should check for a rootkit install....

If a rootkit has been installed, it modifies executable files (like ps, netstat, top, iptables, etc.) to mask activity and not show certain processes. Basically, you can't trust any executable on the system if a rootkit has been installed.

If any rootkit has been installed, then you should copy all important data off the machine then erase everything (including all the partitions) and reinstall. Make sure to use the fdisk from your CDROM and not the fdisk already on the hard drive when you repartition or you may have an invisible partition still there...

Here is a good article with some programs to do rootkit detection.
-------------------------------------------------------
How to get back on the system as root {... maybe :) }

(I am doing this on a SuSE 9.0 system vice 8.0 ... so the steps might be a little different)

Both these solutions require physical access to the machine...

1. Boot to single user mode by typing the number 1 in the boot options block. You may be asked for the root password (if so, this won't work for you). Some versions of SUSE don't ask for the root password.

2. Boot with the SuSE install CD (cd-1)...select Rescue Mode. This asks for a username (root) but no password ...

Once at the prompt from either method, type passwd root to try and set the root password...

passwd for root may not work if there is a rootkit installed ... and even if it works, there may still be a rootkit installed.

Reboot and login as root ... download and install chkrootkit per the instructions on the site. There is also lots of good info at the chkrootkit site.


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
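
The advice above to work from rescue media rather than the installed binaries also applies to inspecting the account files. As an added example (not part of the original posts), this shell function audits copies of passwd and shadow for conditions raised in this thread: a missing or malformed root entry, an emptied password field, and accounts other than root with UID 0. The function names, the /mnt mount point and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit copies of passwd/shadow from a suspect system.
# Run it from rescue media against the mounted disk, e.g.
#   audit_accounts /mnt/etc/passwd /mnt/etc/shadow
# (/mnt as the mount point is an assumption).

audit_accounts() {
    # $1 = passwd file, $2 = shadow file; prints one finding per line.
    awk -F: '
        /\r$/    { print "passwd:" NR ": carriage return at end of line" }
        NF != 7  { print "passwd:" NR ": expected 7 fields, found " NF; next }
        $1 == "root" { seen = 1
                       if ($3 != 0) print "passwd:" NR ": root has UID " $3 }
        $1 != "root" && $3 == 0 { print "passwd:" NR ": extra UID 0 account " $1 }
        END      { if (!seen) print "passwd: no well-formed root entry" }
    ' "$1"
    awk -F: '
        NF != 9  { print "shadow:" NR ": expected 9 fields, found " NF; next }
        $2 == "" { print "shadow:" NR ": empty password field for " $1 }
        $1 == "root" { seen = 1 }
        END      { if (!seen) print "shadow: no well-formed root entry" }
    ' "$2"
}

make_sample() {
    # Constructed sample files (not from the original thread), written to $1.
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root
bin:x:1:1:bin:/bin:/bin/bash
toor:x:0:0::/tmp:/bin/sh
tl:x:500:100:user:/home/tl:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root::12345:0:99999:7:::
bin:*:12345:0:99999:7:::
toor:HASH-PLACEHOLDER:12345:0:99999:7:::
tl:HASH-PLACEHOLDER:12345:0:99999:7:::
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp -d)
make_sample "$sample"
audit_accounts "$sample/passwd" "$sample/shadow"
rm -rf "$sample"
```

An empty result only means the files are well formed; it says nothing about whether a rootkit is present.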
hughesjr
post Nov 29 2003, 10:35 AM
Post #3





Here is another great article on checking for rootkits (page 2 is especially good ... it tells you how to scan your system).


hughesjr
post Nov 29 2003, 08:35 PM
Post #4





In our news section look at the Debian.org rootkit issues that happened 11/19 and 11/20:

http://www.linuxhelp.ca/forums/index.php?a...t=ST&f=6&t=2056

