hi ya wes
> Wes Morriston wrote:
>
> On several occasions, somebody has managed to break into my networked
> SuSE Linux box and do some damage. On two occasions, the damage has
> made it impossible for me to log in to my own site.
where are you located ??
> Yesterday, for example, I found the following entries in /etc/passwd.
>
> slage::0:0::/root:/bin/bash
> Slage::999:999::/tmp:/bin/bash
cute..
lots of fun to fix up this stuff...
there are tons of stuff to check into to see what they did..
alvin
> I certainly didn't put these lines in my /etc/passwd file. In
> /var/log/warn and in /var/log/messages I find a lot of stuff like this.
>
> Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:48:37 sophia login[2221]: invalid password for `UNKNOWN' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:50:16 sophia login[2228]: invalid password for `root' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:51:03 sophia login[2231]: invalid password for `root' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on
> `ttyp1' from `192.117.189.128'
> Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on
> `ttyp0' from `192.117.189.128'
>
> I don't know how this person managed to add lines to my /etc/passwd
> file. By the time s/he was done, I couldn't log into my own system
> under *any* legitimate name and passwd, and had to boot from a floppy
> and reinstall a bunch of stuff. Is that some sort of security device
> kicking in? If so, what is the best way of undoing the damage?
>
> Can anyone advise me about the best method of preventing this sort of
> thing?
>
> Thanks.
>
> Wes
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-ppp" in
> the body of a message to [EMAIL PROTECTED]
>
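
The following is an added example, not part of either message in this thread: a small Python check that flags the kind of /etc/passwd entries quoted above (empty password field, UID 0 on an account other than root) and counts the login warning lines per source address. The function names and the `root` line in the sample are the example's own; the other sample lines are copied from the quoted message.

```python
import re
from collections import Counter

# Sample input: the two passwd entries and three of the log lines quoted in
# the message above, plus a constructed normal root entry for contrast.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
slage::0:0::/root:/bin/bash
Slage::999:999::/tmp:/bin/bash
"""
LOG = """\
Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on `ttyp1' from `192.117.189.128'
Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on `ttyp0' from `192.117.189.128'
"""

def audit_passwd(text):
    """Return (account, finding) pairs for suspicious passwd entries."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        name, passwd, uid = fields[0], fields[1], fields[2]
        if passwd == "":
            findings.append((name, "empty password field"))
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((name, "UID 0 but not root"))
    return findings

# Matches the two login(1) message forms that appear in the quoted log.
WARN = re.compile(r"login\[\d+\]: (?:invalid password|no shadow password) "
                  r"for `[^']*' on `[^']*' from `([^']*)'")

def login_warnings_by_source(text):
    """Count matching login warning lines per source address."""
    return Counter(m.group(1) for m in map(WARN.search, text.splitlines()) if m)

if __name__ == "__main__":
    for name, finding in audit_passwd(PASSWD):
        print(f"passwd: {name}: {finding}")
    for src, n in login_warnings_by_source(LOG).most_common():
        print(f"log: {n} login warning line(s) from {src}")
```

To run it against a live system, pass the contents of /etc/passwd and /var/log/messages to the two functions instead of the embedded samples.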