hi ya wes

> Wes Morriston wrote:
> 
> On several occasions, somebody has managed to break into my networked
> SuSE Linux box and do some damage.  On two occasions, the damage has
> made it impossible for me to log in to my own site.  

where are you located ??

> Yesterday, for example, I found the following entries in /etc/passwd.  
> 
> slage::0:0::/root:/bin/bash
> Slage::999:999::/tmp:/bin/bash

cute..

lots of fun to fix up this stuff...
there are tons of stuff to check into to see what they did..

alvin

> I certainly didn't put these lines in my /etc/passwd file.  In
> /var/log/warn and in /var/log/messages I find a lot of stuff like this.  
> 
> Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:48:37 sophia login[2221]: invalid password for `UNKNOWN' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on
> `ttyp0' from `192.116.194.173' 
> Nov 29 04:50:16 sophia login[2228]: invalid password for `root' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:51:03 sophia login[2231]: invalid password for `root' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on
> `ttyp1' from `192.117.189.128'
> Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on
> `ttyp0' from `192.117.189.128'
> 
> I don't know how this person managed to add lines to my /etc/passwd
> file.  By the time s/he was done, I couldn't log into my own system
> under *any* legitimate name and passwd, and had to boot from a floppy
> and reinstall a bunch of stuff.  Is that some sort of security device
> kicking in?  If so, what is the best way of undoing the damage?
> 
> Can anyone advise me about the best method of preventing this sort of
> thing?
> 
> Thanks.
> 
> Wes
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-ppp" in
> the body of a message to [EMAIL PROTECTED]
> 
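
As an added example (not part of the original thread), a small Python check over the kind of evidence quoted above: it flags /etc/passwd entries with UID 0 under a name other than root, an empty password field, or a home directory under /tmp, and counts failed logins per source address. The sample data is the lines quoted in the thread (log lines re-joined), plus a constructed normal root entry for contrast; the function names are illustrative.

```python
import re
from collections import Counter

# Entries quoted in the thread, plus one constructed normal root line.
PASSWD = """root:x:0:0:root:/root:/bin/bash
slage::0:0::/root:/bin/bash
Slage::999:999::/tmp:/bin/bash
"""

# Log lines quoted in the thread, each re-joined onto a single line.
LOG = """\
Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:48:37 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:50:16 sophia login[2228]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:03 sophia login[2231]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on `ttyp1' from `192.117.189.128'
Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on `ttyp0' from `192.117.189.128'
"""

LOGIN_RE = re.compile(
    r"login\[\d+\]: (?:invalid password|no shadow password) "
    r"for `([^']*)' on `[^']*' from `([^']*)'")

def audit_passwd(text):
    """Return (account, reason) pairs for suspicious passwd entries."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        name, pw, uid, home = fields[0], fields[1], fields[2], fields[5]
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 but not named root"))
        if pw == "":
            findings.append((name, "empty password field"))
        if home == "/tmp" or home.startswith("/tmp/"):
            findings.append((name, "home directory under /tmp"))
    return findings

def failed_logins_by_source(text):
    """Count failed login attempts per source address."""
    return Counter(m.group(2) for m in LOGIN_RE.finditer(text))

if __name__ == "__main__":
    for account, reason in audit_passwd(PASSWD):
        print(f"passwd: {account}: {reason}")
    for src, count in failed_logins_by_source(LOG).most_common():
        print(f"log: {count} failed logins from {src}")
```
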

