LinuxQuestions.org
Old 12-19-2003, 02:41 PM   #16
SlackinMonkeee
Member
 
Registered: Aug 2003
Location: U S A
Distribution: Slackware 11.0
Posts: 30

Original Poster
Rep: Reputation: 15

ssh doesn't work because there's something wrong with the dhcpcd script that doesn't work when it boots. So the box isn't online until I manually dhcpcd it

and I can't do it cuz I can't get on it
 
Old 12-19-2003, 02:52 PM   #17
infamous41md
Member
 
Registered: Mar 2003
Posts: 804

Rep: Reputation: 30
If your kernel has been tampered with I'd highly suggest DELETING AND REFORMATTING unless you really know what you are doing and looking for. I would not trust a single file on that computer if I were you. There is a good reason for Tripwire: to avoid situations like this.
 
Old 12-19-2003, 03:08 PM   #18
SlackinMonkeee
Member
 
Registered: Aug 2003
Location: U S A
Distribution: Slackware 11.0
Posts: 30

Original Poster
Rep: Reputation: 15
OK, well I'm gonna see what I can do. I'm gonna see what I can salvage. I have files that I would like to retrieve if at all possible. Then I will most likely end up reformatting.
 
Old 12-19-2003, 03:16 PM   #19
excel28
Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 72

Rep: Reputation: 15
This is what happened when one of my friends changed their root password and forgot. Get the slack cd and boot into it.

Then mount the partition that has the /etc/shadow file (I'm not on any Linux computers right now but I think that was it -- it's the password file) to /mnt (or any directory), i.e. mount /dev/hda1 /mnt

Then edit the /etc/shadow file (which would be pico /mnt/etc/shadow). Inside will be information about the root user, then there will be an encrypted password. Delete that stuff, save and reboot without the CD. Then just type root and it'll log in for you without a password prompt.

Hope this helps you.

Last edited by excel28; 12-19-2003 at 03:18 PM.
 
Old 12-19-2003, 09:37 PM   #20
djbanaan
Member
 
Registered: Aug 2003
Location: Haarlem, The Netherlands
Distribution: Slackware, FreeBSD
Posts: 178

Rep: Reputation: 30
I have never dealt with any such situation before, but I guess the most sensible thing to do would be a clean install, since you can never be 100% sure that your system is clean after a compromise like this. You might want to check out the CERT guidelines for recovering from a compromised system: http://www.cert.org/tech_tips/root_compromise.html .
 
Old 12-23-2003, 05:46 AM   #21
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
SlackinMonkeee, you should listen to djbanaan's and infamous41md's advice and act on it.

Anything pointing to existence of /dev/tux can be taken as "evidence" the Tuxkit rootkit is installed, which means you should use the three R's: reformat, repartition and reinstall. If the box is remote, ask the colo people to take care of it; if it's a local box, do it yourself. ASAP.

If you salvage stuff, make sure you salvage only stuff you can verify against a trusted source, and do NOT back up binaries. Do not use backups to restore the box state unless you can verify backup integrity with one hundred percent surety.

Check out the LQ FAQ: Security references, post #, under compromises.
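
A sketch of the salvage triage described in the post above, as an added example that is not part of the original thread: run from rescue media, it reports the `/dev/tux` indicator, skips binaries, and marks a file as verified only when its hash matches a manifest made before the compromise. The function names, the manifest file and the sample tree are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Run from rescue media against a suspect
# root filesystem mounted read-only; every path below is an assumption.

# Indicator named in the thread: anything at <root>/dev/tux. Regular files
# elsewhere under /dev are only a heuristic (a MAKEDEV script can be normal).
check_dev() {
    if [ -e "$1/dev/tux" ]; then echo "INDICATOR /dev/tux"; fi
    find "$1/dev" -type f 2>/dev/null | sed 's/^/REVIEW /'
}

# Executable bit or ELF magic (7f 45 4c 46) means "do not back up".
is_binary() {
    [ -x "$1" ] || [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "7f454c46" ]
}

# Classify files under <dir> against a trusted sha256sum manifest (absolute
# path) that was created before the compromise and stored off the box.
salvage_list() {
    ( cd "$1" || exit 1
      find . -type f | while IFS= read -r f; do
          if is_binary "$f"; then echo "SKIP-BINARY $f"
          elif grep -qxF "$(sha256sum "$f" | cut -d' ' -f1)  $f" "$2"
          then echo "VERIFIED $f"
          else echo "UNVERIFIED $f"
          fi
      done )
}

# Constructed sample tree standing in for the mounted partition.
demo() {
    t=$(mktemp -d) || return 1
    u=$t/root/home/user
    mkdir -p "$t/root/dev/tux" "$u"
    : > "$t/root/dev/tux/constructed-file"
    echo "todo list" > "$u/notes.txt"
    echo "original" > "$u/hosts.txt"
    ( cd "$u" && sha256sum ./notes.txt ./hosts.txt ) > "$t/trusted.sha256"
    echo "modified" > "$u/hosts.txt"          # changed after the manifest
    printf '\177ELF' > "$u/ls"                # ELF magic, no exec bit
    printf '#!/bin/sh\n' > "$u/run.sh"; chmod +x "$u/run.sh"
    check_dev "$t/root"
    salvage_list "$u" "$t/trusted.sha256"
    rm -rf "$t"
}
demo
```

Only the `VERIFIED` lines are candidates for copying off the box; `UNVERIFIED` files need comparison against another trusted copy before they are kept.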
 
Old 12-23-2003, 06:50 AM   #22
SlackinMonkeee
Member
 
Registered: Aug 2003
Location: U S A
Distribution: Slackware 11.0
Posts: 30

Original Poster
Rep: Reputation: 15
Yeah, that's exactly what I did. Twice actually (2.6.0 didn't want to cooperate the first time). Thanks for all your help guys. I really appreciate it.
 
All times are GMT -5.