LinuxQuestions.org
Old 09-28-2005, 03:19 PM   #1
jspsandhu
Member
 
Registered: Dec 2004
Location: Slough, UK
Distribution: Fedora, FreeBSD, RHEL
Posts: 85

Rep: Reputation: 15
Malicious Script


It seems that some sort of script has been run on my computer, so that I cannot log on using root as the username or login name.

I can log on to single-user mode via GRUB and edit files, so I have access to all the files on the server.

If such a script was run by one of my co-workers, where exactly will that script be, and how can I fix the problem?

What is the command to check the latest updated or added files?

If I am trying to create such a script, which runs when the system starts: when the logon screen comes up and I type root as the username and push Enter, it again flashes the same screen and never prompts for the password.

How can I create a script wherein I am not prompted for a password at the logon prompt?

Regards

JAS
 
Old 09-28-2005, 03:22 PM   #2
Ben64
LQ Newbie
 
Registered: Sep 2004
Posts: 24

Rep: Reputation: 15
What distro are you running, can you ssh in as root, or log into a terminal as root?
 
Old 09-28-2005, 03:28 PM   #3
jspsandhu
Member
 
Registered: Dec 2004
Location: Slough, UK
Distribution: Fedora, FreeBSD, RHEL
Posts: 85

Original Poster
Rep: Reputation: 15
It's on Fedora Core 3.

I am not sure about SSH and terminal, as this is just a standalone computer, not part of the network any more.
 
Old 09-28-2005, 03:34 PM   #4
tomj88
Member
 
Registered: Apr 2005
Location: Wolverhampton, England
Distribution: Ubuntu
Posts: 334

Rep: Reputation: 30
Most distros stop you logging in as root from a GUI login screen such as KDM or GDM. The way to get root access is to open a shell like konsole and type "su", then enter your root password. This should give you root access (in this shell) until you type "exit" or close the shell.
 
Old 09-28-2005, 03:38 PM   #5
jspsandhu
Member
 
Registered: Dec 2004
Location: Slough, UK
Distribution: Fedora, FreeBSD, RHEL
Posts: 85

Original Poster
Rep: Reputation: 15
No, no, no.

You got it all wrong.

I am not able to log on as root.

I am running Linux in init 3, no graphics.

Whenever I type root for the login name, it flashes and then comes back to the same login name screen.

I know a script is run initially that is doing this, but this is like a challenge, so I wanted to know how to determine what script is used and how I can get rid of this problem.
 
Old 09-28-2005, 03:44 PM   #6
Ben64
LQ Newbie
 
Registered: Sep 2004
Posts: 24

Rep: Reputation: 15
ok.... try this

Log in as any user (not root of course)

and type

Code:
sudo su -
 
Old 09-28-2005, 03:58 PM   #7
jspsandhu
Member
 
Registered: Dec 2004
Location: Slough, UK
Distribution: Fedora, FreeBSD, RHEL
Posts: 85

Original Poster
Rep: Reputation: 15
Sorry, I should mention that no user can log in to this computer either.

The same thing happens with other usernames.

It flashes and again I am prompted to type the login name.

How do I check the files that have been recently modified or created on the system in single-user mode?
 
Old 09-28-2005, 05:07 PM   #8
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Rep: Reputation: 31
Hmm, I would consider checking out the /etc/passwd and /etc/shadow files; perhaps there is some oddness in there. As you can't log in, and the computer is standalone, I would recommend using a live CD. Boot it up, mount the old drive, then dig through those two files (back them up first). There may have been a ! added in front of the encrypted password for root, which disables login. Another slight possibility is that the nologin file has been touched (I think it is in /etc/). That might be a Slackware-specific thing, and either way it _should_ be removed on reboot.
 
Old 09-28-2005, 05:35 PM   #9
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
This is what I am guessing your problem is. You have upgraded KDE and there is a new kdmrc configuration file now that does not allow root logins. What you need to do is log in as a regular user. Open a terminal and su - in that. Now open this file: /etc/X11/xdm/kdmrc, or it could be here: /etc/kdm/kdm/kdmrc. In there, there are two lines that need to be changed. They look like this now: 'AllowRootLogin=false'; change it to 'AllowRootLogin=true'. Note: change both lines. Save and exit. Log out and see if root login works. Whenever you upgrade KDE again, this may happen again.

Brian1
 
Old 09-28-2005, 05:38 PM   #10
jspsandhu
Member
 
Registered: Dec 2004
Location: Slough, UK
Distribution: Fedora, FreeBSD, RHEL
Posts: 85

Original Poster
Rep: Reputation: 15
I am going to check that, but one good thing to add now is that I connected this computer to my Netgear router, checked the attached devices in the router's LAN table, and was able to determine the IP address for this computer.

I connected my second FC1 machine to the same router and tried SSH, and was able to connect remotely. It did prompt for the root password, but my password was changed too.

Then I rebooted the computer with Ctrl+Alt+Del. Luckily the GRUB password was not changed, so I was able to get into the a option for GRUB and was able to run init 1.

I changed my root password and can now log on to the machine from the second computer over SSH, and I have access to all the files.

As you mentioned, let me compare the two files now, as I have SSH access from the second Linux machine.

This is getting exciting.

Regards
Jaspreet
 
Old 09-29-2005, 10:50 AM   #11
jspsandhu
Member
 
Registered: Dec 2004
Location: Slough, UK
Distribution: Fedora, FreeBSD, RHEL
Posts: 85

Original Poster
Rep: Reputation: 15
Hi all,

I could not resolve the problem, but found another way to create the problem.

If you remove the x from the /etc/passwd file, you will not be prompted for the password.
And if you make the default logon /sbin/nologin, you will not be able to log on with the username.

But how to do this with a script is my question?

Is there some kind of software that can show the latest modified files?
 
Old 09-29-2005, 01:44 PM   #12
slackie1000
Senior Member
 
Registered: Dec 2003
Location: Brasil
Distribution: Arch
Posts: 1,037

Rep: Reputation: 46
hi there,
Quote:
Originally posted by jspsandhu
But how to do this with a script is my question?
Is there some kind of software that can show the latest modified files?
you can achieve that by brute force.
Code:
find / -mtime XX -print
find /etc -mtime XX -print
or something similar..
regards,
slackie1000
 
Old 09-29-2005, 05:05 PM   #13
jspsandhu
Member
 
Registered: Dec 2004
Location: Slough, UK
Distribution: Fedora, FreeBSD, RHEL
Posts: 85

Original Poster
Rep: Reputation: 15
Thanks all,

I could get to the solution.
The problem was:

1) In the /etc/pam.d/login file, auth was set to sufficient, so it will not ask for a password.

2) If the login file is deleted, no one will be able to log on to the system; after typing the username you will again be prompted for the username, or rather the login name.

Thanks guys for all your efforts.
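
The causes raised across this thread (an empty password field in /etc/passwd, a nologin shell, a locked hash in /etc/shadow, /etc/nologin, and a missing or weakened /etc/pam.d/login) can be checked in one pass from single-user mode or a live CD. The script below is an added example, not part of any poster's reply; the function names and finding labels are made up here, and the first argument is assumed to be the directory where the affected system's root filesystem is mounted.

```shell
#!/bin/sh
# Added example. audit_login ROOT prints one finding per line for the
# login-breaking changes named in the thread. ROOT (assumption) is where the
# affected system is mounted; it defaults to /.
audit_login() {
    root=${1:-/}

    # Empty second field in passwd: the account has no password set.
    awk -F: '$2 == "" { print "EMPTY_PW_FIELD " $1 }' "$root/etc/passwd"

    # UID 0 account whose shell refuses interactive logins.
    awk -F: '$3 == 0 && $7 ~ /(nologin|false)$/ { print "ROOT_SHELL " $1 " " $7 }' \
        "$root/etc/passwd"

    # A leading ! or * in the shadow hash field locks the password.
    if [ -r "$root/etc/shadow" ]; then
        awk -F: '$1 == "root" && $2 ~ /^[!*]/ { print "LOCKED_SHADOW " $1 }' \
            "$root/etc/shadow"
    fi

    # pam_nologin turns away non-root users while this file exists.
    if [ -e "$root/etc/nologin" ]; then
        echo "NOLOGIN_FILE /etc/nologin"
    fi

    pam="$root/etc/pam.d/login"
    if [ ! -e "$pam" ]; then
        echo "PAM_LOGIN_MISSING /etc/pam.d/login"
    else
        # A passing "auth sufficient" module ends the auth stack early.
        awk '$1 == "auth" && $2 == "sufficient" { print "PAM_AUTH_SUFFICIENT " $3 }' "$pam"
    fi
    return 0
}

# List files under ROOT/etc modified within the last DAYS days (default 2).
recent_etc_changes() {
    find "${1:-/}/etc" -type f -mtime "-${2:-2}" -print
}
```

Source the file and call `audit_login` with the mount point, then `recent_etc_changes` with the same mount point and a day count to see which configuration files changed around the time the logins broke.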
 
  

