[ale] Console Craziness

Martin Modahl martin at mercury.mis-hq.com
Wed Jun 14 10:01:08 EDT 2000


Well, after a day of wondering what I had possibly done to screw up login,
I stood back and looked at everything. Two things stood out. The missing
line break when login failed and the fact that login wasn't logging
anything to syslog. I decided it was time to do something. I went down to
single user and found ls, ps, login, find, netstat, syslog, and ifconfig
had been rooted. Re-installed stock ls and find and found a cracker had
set up shop on my box. I'm still not sure how he got in, but when he did
he ran two or more rootkits and set up his eggdrop IRC bot. Full reinstall.

It easily taught me to keep current on bugtraq and the like, and also that
if I don't remember screwing something up, it probably wasn't me. 

--
Martin Modahl
mmodahl at resnet.gatech.edu

On Tue, 13 Jun 2000, Gary Maltzen wrote:

> Since you can SSH in, we can rule out a shell in /etc/passwd that is not
> in /etc/shells
> 
> Did you check /etc/hosts.allow to see if it allows LOCAL logins?
> 
> Is there a /var/log/secure file? If so, does it give a clue?
> 
> >Late last night I was forced to reboot a DNS server running Linux 2.2.12
> >remotely. I get into the office this morning and tried to hook a keyboard 
> >up to it and, of course, the keyboard didn't function. I rebooted the box
> >again with a monitor and keyboard attached to it so I could do some
> >console work. Now from the console whatever login/password combination I
> >try gives me a Login Incorrect error; the strange part is that I can still 
> >ssh in using the same logins. I've tried everything. Caps Locks, Num 
> >Locks, I've typed all the password letters into the Login: prompt to make 
> >sure that the letters on the keyboard work. What could it possibly be? 
> 
