On several occasions, somebody has managed to break into my networked
SuSE Linux box and do some damage. On two occasions, the damage has
made it impossible for me to log in to my own site.
Yesterday, for example, I found the following entries in /etc/passwd.
slage::0:0::/root:/bin/bash
Slage::999:999::/tmp:/bin/bash
I certainly didn't put these lines in my /etc/passwd file. In
/var/log/warn and in /var/log/messages I find a lot of stuff like this.
Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:48:37 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:50:16 sophia login[2228]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:03 sophia login[2231]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on `ttyp1' from `192.117.189.128'
Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on `ttyp0' from `192.117.189.128'
I don't know how this person managed to add lines to my /etc/passwd
file. By the time s/he was done, I couldn't log into my own system
under *any* legitimate name and passwd, and had to boot from a floppy
and reinstall a bunch of stuff. Is that some sort of security device
kicking in? If so, what is the best way of undoing the damage?
Can anyone advise me about the best method of preventing this sort of
thing?
Thanks.
Wes
-
To unsubscribe from this list: send the line "unsubscribe linux-ppp" in
the body of a message to [EMAIL PROTECTED]
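The two things the post shows, an /etc/passwd file with unexpected UID 0 and empty-password entries, and a run of failed `login` attempts from a couple of source addresses, are both easy to check for mechanically. The following is an added example, not code from the poster or from SuSE; it audits passwd lines for the patterns seen above (password field empty, UID 0 under a name other than `root`, home directory under `/tmp`) and counts `invalid password` / `no shadow password` messages per source address so repeated guessing stands out. The sample passwd and log text are constructed from the entries in the post plus two ordinary accounts added for contrast; the standard seven-field passwd layout and the syslog `login[pid]:` message format shown in the post are assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the two entries from the post plus an ordinary root
# and user entry so the audit has something legitimate to leave alone.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
wes:x:1000:100:Wes:/home/wes:/bin/bash
slage::0:0::/root:/bin/bash
Slage::999:999::/tmp:/bin/bash
"""

# Constructed sample: the log lines quoted in the post, one per line.
SAMPLE_LOG = """Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:48:37 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:50:16 sophia login[2228]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:03 sophia login[2231]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on `ttyp1' from `192.117.189.128'
Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on `ttyp0' from `192.117.189.128'
"""


def audit_passwd(text):
    """Return a list of (username, reason) findings for suspicious passwd entries.

    Assumes the classic seven-field layout:
    name:password:uid:gid:gecos:home:shell
    """
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        # An empty password field means no password is required at all.
        if pw == "":
            findings.append((name, "empty password field"))
        # Any second UID 0 account is a second root, whatever it is called.
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        # A home under /tmp is a common sign of a dropped-in account.
        if home == "/tmp" or home.startswith("/tmp/"):
            findings.append((name, "home directory under /tmp"))
    return findings


# Matches the login(1) messages quoted in the post.
LOG_RE = re.compile(
    r"login\[\d+\]: (?P<msg>invalid password|no shadow password) "
    r"for `(?P<user>[^']*)' on `(?P<tty>[^']*)' from `(?P<src>[^']*)'"
)


def summarize_logins(text):
    """Count failed-login messages per source address and per (source, user)."""
    per_src = Counter()
    per_src_user = defaultdict(Counter)
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        per_src[m["src"]] += 1
        per_src_user[m["src"]][m["user"]] += 1
    return per_src, per_src_user


def noisy_sources(per_src, threshold):
    """Sources with at least `threshold` failed attempts, busiest first."""
    return [src for src, n in per_src.most_common() if n >= threshold]


if __name__ == "__main__":
    for name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"passwd: {name}: {reason}")
    per_src, per_src_user = summarize_logins(SAMPLE_LOG)
    for src in noisy_sources(per_src, 3):
        print(f"log: {src}: {per_src[src]} failures, users {dict(per_src_user[src])}")
```

On a live system the same functions can be fed the contents of `/etc/passwd` and `/var/log/messages` directly; the passwd audit is the kind of check worth running from cron so that an added UID 0 account is noticed before the next login attempt rather than after.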