From: Stephen Samuel <samuel@bcgreen.com>
To: 333101@personal.net.py, linux-newbie@vger.kernel.org
Subject: Re: su fails
Date: Wed, 16 Jul 2003 18:11:10 -0700 [thread overview]
Message-ID: <3F15F7AE.8060705@bcgreen.com> (raw)
In-Reply-To: <1058288791.4987.20.camel@gandalf.ciccio-net.cjb.net>
I haven't had the time for a full report, but, although I'm not
CLEAR that his box has been rooted, things like minor changes to
su, and other weird things failing are signs of a rootkit (yes,
a clumsy one) being installed. Having su suddenly start to
give different messages is a sign that SOMEBODY has changed
SOMETHING.
If you can't show that you changed it, then you have to presume
that somebody else has.
At the very least, I think he should run something like chkrootkit to see
if any well-known rootkit is being used.
Alan Bort wrote:
> Well... I think bash actually has a builtin su... so if you reinstall
> bash (not a very big package anyway)... it might help. since you've
> already installed shadow again...
>
> Anyway... I agree with the (quote)'I'd just load a new OS and migrate the
> user data over to it.'(/quote) idea...
>
> On Tue, 15-07-2003 at 12:38, Andrew Langdon-Davies wrote:
>
>>>>>It sounds to me like you've been rooted, and somebody installed
>>>>>a trojan. I'd do a full hunt for signs of a rootkit. When in
>>>>>doubt (especially if there are only a few people on your system),
>>>>>I'd just load a new OS and migrate the user data over to it.
>>>
>>>I don't want to sound like Pollyanna, but interpreting your initial
>>>trouble report as evidence of a breakin seems to me like an enormous
>>>leap.
>>>
>>>>I thought reinstalling shadow had put everything right, but there are
>>>>still hiccups. For example, although I can now su again --that is, it
>>>>now recognises the password-- if I give the wrong password I still get
>>>>just 'sorry'.
--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to life.
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
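One way to make the point above ("if you can't show that you changed su, presume somebody else did") checkable rather than a matter of memory is to keep a baseline of the setuid binaries and re-verify them. The script below is an added example written for this archive; it is not from the thread, from chkrootkit, or from any distribution's tooling. The path list in SUID_BINS, the baseline file layout and the function names are assumptions for illustration; it relies on `stat -c` (GNU coreutils or busybox) and `sha256sum`, and paths must not contain whitespace.

```shell
#!/bin/sh
# Baseline and verify setuid binaries such as su (added example, not from the thread).
# A baseline line is:  <path> <octal mode> <owner> <size> <sha256>   or   <path> MISSING

# Assumed list of binaries worth watching; adjust for the system being checked.
SUID_BINS="/bin/su /usr/bin/su /usr/bin/passwd /usr/bin/sudo"

# snapshot_one PATH: print one baseline line for PATH on stdout.
snapshot_one() {
    p=$1
    if [ ! -e "$p" ]; then
        echo "$p MISSING"
        return 0
    fi
    meta=$(stat -c '%a %U %s' "$p")            # mode, owner name, size in bytes
    sum=$(sha256sum "$p" | cut -d' ' -f1)      # content hash
    echo "$p $meta $sum"
}

# snapshot FILE PATH...: write a fresh baseline for the given paths into FILE.
snapshot() {
    out=$1; shift
    : > "$out"
    for p in "$@"; do
        snapshot_one "$p" >> "$out"
    done
}

# verify_baseline FILE: re-snapshot every path in FILE and report differences.
# Returns 0 if nothing changed, 1 if any path differs (mode, owner, size, hash,
# or presence). Output is printed for the human reading it.
verify_baseline() {
    base=$1
    rc=0
    while read -r p rest; do
        now=$(snapshot_one "$p")
        if [ "$now" != "$p $rest" ]; then
            echo "CHANGED: $p"
            echo "  baseline: $rest"
            echo "  now:      ${now#"$p "}"
            rc=1
        fi
    done < "$base"
    return $rc
}

# check_suid PATH: 0 if PATH is root-owned and setuid (what a real su looks like),
# 1 otherwise. A su that is no longer setuid-root, or one that is setuid but owned
# by someone else, is worth explaining before trusting it.
check_suid() {
    p=$1
    [ -u "$p" ] || return 1
    [ "$(stat -c '%u' "$p")" = 0 ] || return 1
    return 0
}

# Stand-alone usage:  ./suid-baseline.sh snapshot FILE   or   ./suid-baseline.sh verify FILE
case "${1-}" in
    snapshot) snapshot "$2" $SUID_BINS ;;
    verify)   verify_baseline "$2" ;;
esac
```

Take the baseline from a system you have reason to trust (a fresh install, or right after reinstalling the package) and keep the file off the box; a baseline stored on a compromised host can be edited along with su. Where the package manager keeps checksums (`rpm -V` on RPM systems, `debsums` on Debian-derived ones) it gives a similar answer, with the same caveat that tools living on the suspect machine can themselves have been replaced, which is why the thread's fallback of reinstalling and migrating user data is the conservative answer.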
Thread overview: 17+ messages
2003-07-14 11:04 su fails Andrew Langdon-Davies
2003-07-14 15:15 ` Ray Olszewski
[not found] ` <oprsa696n7hmmv6x@smtp.arrakis.es>
2003-07-14 17:52 ` Andrew Langdon-Davies
2003-07-14 18:23 ` pa3gcu
2003-07-14 18:48 ` Andrew Langdon-Davies
[not found] ` <3F133105.7010309@bcgreen.com>
2003-07-15 10:20 ` Andrew Langdon-Davies
2003-07-15 15:13 ` Ray Olszewski
2003-07-15 16:38 ` Andrew Langdon-Davies
2003-07-15 17:06 ` Alan Bort
2003-07-15 17:26 ` Mr. James W. Laferriere
2003-07-15 18:20 ` Andrew Langdon-Davies
2003-07-15 19:37 ` Ray Olszewski
[not found] ` <oprseazgwzhmmv6x@smtp.arrakis.es>
2003-07-16 8:55 ` Andrew Langdon-Davies
2003-07-15 17:29 ` Ray Olszewski
2003-07-17 1:11 ` Stephen Samuel [this message]
2003-07-17 10:55 ` Andrew Langdon-Davies
-- strict thread matches above, loose matches on Subject: below --
2003-07-15 18:08 beolach