[ale] passwd for root not working
Jim Kinney
jim.kinney at gmail.com
Tue Jan 5 21:27:38 EST 2010
Step 1: Boot from a known clean CD and use the tools on it to clean up the
mess. At this point nothing on the compromised system is reliable.
Step 2: Back off the data and configuration files.
Step 3: Reinstall the OS. Do all security updates.
Step 4: Manually inspect ALL config files before reloading them.
Step 5: Verify all data files are NOT executable and especially NOT SUID
ROOT. Restore data files.
Step 6: Flog the sysadmin.
On Jan 5, 2010 5:51 PM, "Atlanta Geek" <atlantageek at gmail.com> wrote:
A machine that I was not in charge of seems to have been broken into
over the weekend.
I am trying to help the sysadmin. However, there seem to be some
weird things going on when I try to lock the system down.
1. found that /var/log/secure was a directory and not a file.
2. when as root I type passwd I found that passwd command was missing.
3. copied passwd from another server. When trying to set password we
get the following:
[root@localhost etc]# passwd
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error
Here are some details about shadow and passwd files
[root@localhost etc]# lsattr /etc/passwd
----i-------- /etc/passwd
[root@localhost etc]# ls -altr passwd
-rw-r--r-- 1 root root 1616 Feb 28 2009 passwd
[root@localhost etc]# ls -altr shadow
-r-------- 1 root root 954 Oct 1 08:42 shadow
[root@localhost etc]# lsattr passwd
----i-------- passwd
[root@localhost etc]# lsattr shadow
----i-------- shadow
Any assistance would be appreciated.
--
http://www.atlantageek.com
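
An added example, not part of either message in this thread: one way to run the Step 5 check ("NOT executable and especially NOT SUID ROOT") over a restored data directory before it goes back into service. The function name `audit_restore_tree` and the tag names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): Step 5 check on a restored data tree.
# Usage: audit_restore_tree DIR
# Prints "TAG<TAB>path" for every regular file under DIR that is
#   SUID-ROOT  setuid and owned by uid 0
#   SUID       setuid, any other owner
#   SGID       setgid
#   EXEC       any execute bit set (user, group or other)
# Each file gets only its most severe tag.
# Returns 0 if nothing was flagged, 1 if anything was, 2 on bad usage.
audit_restore_tree() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "usage: audit_restore_tree DIR" >&2
        return 2
    fi
    # One pass over the tree; -o short-circuits, so the first matching
    # branch wins. -xdev keeps find on the filesystem that holds DIR.
    findings=$(find "$dir" -xdev -type f \( \
        -perm -4000 -user 0 -exec printf 'SUID-ROOT\t%s\n' {} \; -o \
        -perm -4000 -exec printf 'SUID\t%s\n' {} \; -o \
        -perm -2000 -exec printf 'SGID\t%s\n' {} \; -o \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
            -exec printf 'EXEC\t%s\n' {} \; \
    \))
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: sh audit.sh /path/to/restored/data
if [ "$#" -gt 0 ]; then
    audit_restore_tree "$1"
fi
```

Run it from the clean boot environment of Step 1 against the backed-off data, so that the `find` doing the check is not one from the compromised system.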