[EMAIL PROTECTED] wrote:
On Wed, 8 Jan 2003, Tibbetts, Ric wrote:


I got this one resolved "this time". BUT: After this lesson, I'm going to be sure that I have an alternate way into the box. Webmin "is" installed, but for some reason it wouldn't let me in. I'll be fixing that.

Just for curiosity's sake, how did you manage it?

It was painful.
I rebooted the box, and had my remote fingers & eyes watch for messages.
When sshd tried to start, it flashed a useful error message. It seems that "somehow" (and I'm still looking into "how") the sshd user got removed.
So, since I did have ftp access to the box, I grabbed a copy of /etc/passwd, and manually re-added the sshd user. Then ftp'd it back into /tmp (no root access via ftp), and had my remote fingers put it back in /etc.

sshd then started as it should.

FYI: The failure above produced no traceable error in /var/log/messages. It only put in a line indicating that sshd failed to start, with no indication of why.

All is now well.


As to the "how" it got removed... I'm still unsure. I've checked for intrusions, and can't find any traces. I also run "chkrootkit" daily, and it has not reported anything. I suspect I may have fat-fingered it a short time ago, but just had not rebooted the box in recent history. The power outage forced my hand on that one, and brought the problem to the surface.

Next project on that server: Set up a secondary way in... ;)


Ric
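
A pre-reboot sanity check for the failure described in this thread (the sshd account missing from /etc/passwd, followed by a hand-edited file being put back), as an added example that is not part of the original messages. The function names, finding labels and sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that required service accounts exist in a
# passwd-format file and that no line was damaged by a manual edit.
# Usage: check_passwd FILE account...   (which accounts to require is up to you)

# Prints one finding per line; returns 0 if the file is clean, 1 otherwise.
check_passwd() {
    file=$1; shift
    awk -F: -v want="$*" '
        BEGIN { n = split(want, req, " ") }
        /^[ \t]*$/ { next }                        # skip blank lines
        NF != 7 {                                  # passwd entries have 7 fields
            printf "MALFORMED line %d: expected 7 fields, got %d\n", NR, NF
            bad = 1; next
        }
        seen[$1]++ { printf "DUPLICATE %s (line %d)\n", $1, NR; bad = 1 }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {     # UID and GID must be numeric
            printf "BADID %s (line %d)\n", $1, NR; bad = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) { printf "MISSING %s\n", req[i]; bad = 1 }
            exit bad + 0
        }
    ' "$file"
}

# Constructed sample: the sshd entry is absent and the last line lost a field.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
ric:x:501:501:/home/ric:/bin/bash
EOF
    rc=0
    check_passwd "$tmp" root sshd || rc=$?
    rm -f "$tmp"
    return "$rc"
}

demo || echo "passwd check failed: fix the findings above before rebooting"
```

Run it against the edited copy (for example the one uploaded to /tmp) before it replaces /etc/passwd, and from cron against the live file so a removed account is noticed before the next reboot.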
