From: Ahsan Ali <ahsanali@gmail.com>
To: linux-admin@vger.kernel.org
Subject: Re: Root Permissions
Date: Thu, 1 Jul 2004 10:34:08 +0500 [thread overview]
Message-ID: <17daa85604063022341453892a@mail.gmail.com> (raw)
In-Reply-To: <20040701050425.GA7890@cmi.ac.in>
Hello Anindya,
The only surefire way of recovering from this is to rebuild the
machines from scratch. He could have installed several backdoors into
the system and no matter how many you find (if any) there will almost
certainly be more.
In fact, replacing netstat, ps etc with modified binaries which are
standard with "root-kits" he pretty much guarantees that you will not
even be able to see the process(es) that he installed that listen on
some other port for incoming connections.
So... if I were in your place, I would most certainly rebuild from scratch.
And oh... use a LILO password.
All you need to add are two lines:
password=<password>
restricted
to the LILO global config section in /etc/lilo.conf. The restricted
keyword will allow normal boot but will prompt you for the password
specified if you attempt to pass lilo any parameters at bootup.
Be sure to run lilo after making changes to /etc/lilo.conf, also since
the password is in clear text, make sure lilo.conf is not readable by
anyone except root.
chmod 600 /etc/lilo.conf
Regards,
Ahsan Ali
On Thu, 1 Jul 2004 10:34:25 +0530, Anindya Mozumdar <anindya@cmi.ac.in> wrote:
>
> Hi,
> The following problem may be trivial to some of you, however my
> knowledge of linux is limited, and I dont understand how can it be
> done.
> In our institute, we use Debian Linux, and the boot loader is lilo.
> For those machines where the lilo password is not set, ANY ONE can
> get a root shell by simply interrupting the boot process and typing
> linux init=/bin/sh in the boot prompt.
> One of my friends obtained a root shell in this manner, and has
> either made some changes, or set up some program, by which he can
> become root any time, without acutally knowing the root password,
> which is known only to our system administrator. What may be the
> possible things he has done to setup his program, and how can it be
> reversed ?
> Thanks in advance.
> Anindya Mozumdar.
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
next prev parent reply other threads:[~2004-07-01 5:34 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-07-01 5:04 Root Permissions Anindya Mozumdar
2004-07-01 5:34 ` Ahsan Ali [this message]
2004-07-01 8:13 ` Alexander Economou
2004-07-02 18:27 ` Bradley Hook
2004-07-01 8:42 ` Anindya Mozumdar
2004-07-01 13:25 ` Adam Lang
2004-07-02 7:12 ` Miguel González Castaños
-- strict thread matches above, loose matches on Subject: below --
2004-07-01 8:51 Craig McDonald
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=17daa85604063022341453892a@mail.gmail.com \
--to=ahsanali@gmail.com \
--cc=linux-admin@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.