-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

If you need to log in from the console as user "root" again, boot up Linux and when you see the "LILO:" prompt, type "linux single" to log on to single-user mode. Then edit the "/etc/passwd" file and disable the password for "root". Reboot your machine and you are done. Log in as usual BUT without password.

Install "portsentry" to disable port-scanning to your host, make sure you set up "tcp-wrapper" correctly, and disable "telnet" in "/etc/inetd.conf" and use SSH instead. Get the RPM files from http://www.linux.com.sg/members and install them all.

Then download the latest "Linux Administrators Security Guide" (LASG). I have the older version at http://moonshi.zone.com.sg Download it and read it. It is in PDF format.

Don't forget to update all your daemon applications and sign up to the BUGTRAQ mailing list and whatever "Systems Security" lists. Hope this info helps.

- --
Moonshi Mohsenruddin
Editor, Singapore Linux Portal
moonshi@linux.com.sg
Asia/Singapore icq:2595480
http://www.linux.com.sg
-----Original Message-----
From: gbruchhaus@makrolog.de [mailto:gbruchhaus@makrolog.de]
Sent: Wednesday, September 15, 1999 9:42 PM
To: suse-security@suse.com
Subject: [suse-security] telnet and su attack on my linux
Hi,
today in the early morning I had something like an attack on my Linux system here. After the attack, I couldn't log in as root any more. I found out that it was not possible to set a password in the "shadow password system" any more. I can use only the "normal" password mechanism.
My log files showed me some hints about the attacker (if it is one):
Sep 15 00:13:29 d64s_pattr imapd[16408]: connect from 134.102.152.136
Sep 15 00:13:29 d64s_pattr imapd[16409]: connect from 134.102.152.136
Sep 15 00:13:34 d64s_pattr imapd[16410]: connect from 134.102.152.136
Sep 15 00:13:38 d64s_pattr imapd[16411]: connect from 134.102.152.136
Sep 15 00:13:39 d64s_pattr imapd[16412]: connect from 134.102.152.136
Sep 15 00:14:59 d64s_pattr imapd[16413]: connect from root@155.207.113.137
Sep 15 00:17:12 d64s_pattr in.telnetd[16417]: connect from 24.95.241.60
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'
Sep 15 00:17:23 d64s_pattr su: (to www) shizat on /dev/ttyp1
. . .
Sep 15 06:53:14 d64s_pattr su: (to nobody) root on none
In my warn-file I found the following entry:
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'
How is such an attack possible and, more importantly, how can I prevent such an intrusion?
I am using SuSE Linux 5.2 with a 2.0.33 kernel.
Thanks for your help in advance
Gerd
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQA/AwUBN9897mefe0TVuy5lEQL/owCfdR6DFscx/sfFyf+csvCnaGpw3N8An1v8
wV6A8JuHy9obW68B6OLwEeFr
=ieKe
-----END PGP SIGNATURE-----
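An added example, not part of this thread or of either poster's setup, showing how a defender would triage the syslog excerpt Gerd quoted and then check the account database for the condition the "no shadow password" line points at. The log lines are the ones from the post; the /etc/passwd and /etc/shadow excerpts are constructed for the example (the hashes are placeholders), and the finding names, thresholds and the list of cleartext services are the example's own choices. It assumes Python 3.8 or later.

```python
"""Triage the quoted syslog lines and audit passwd/shadow consistency."""
import re
from collections import Counter

# Log lines quoted from the original post (the ". . ." elision is dropped).
LOG_LINES = [
    "Sep 15 00:13:29 d64s_pattr imapd[16408]: connect from 134.102.152.136",
    "Sep 15 00:13:29 d64s_pattr imapd[16409]: connect from 134.102.152.136",
    "Sep 15 00:13:34 d64s_pattr imapd[16410]: connect from 134.102.152.136",
    "Sep 15 00:13:38 d64s_pattr imapd[16411]: connect from 134.102.152.136",
    "Sep 15 00:13:39 d64s_pattr imapd[16412]: connect from 134.102.152.136",
    "Sep 15 00:14:59 d64s_pattr imapd[16413]: connect from root@155.207.113.137",
    "Sep 15 00:17:12 d64s_pattr in.telnetd[16417]: connect from 24.95.241.60",
    "Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' "
    "on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'",
    "Sep 15 00:17:23 d64s_pattr su: (to www) shizat on /dev/ttyp1",
    "Sep 15 06:53:14 d64s_pattr su: (to nobody) root on none",
]

# Classic BSD syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
NO_SHADOW_RE = re.compile(
    r"no shadow password for `(?P<user>[^']+)' on `(?P<tty>[^']+)' from `(?P<src>[^']+)'"
)
SU_RE = re.compile(r"\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")
CONNECT_RE = re.compile(r"connect from (?:(?P<ident>[^@ ]+)@)?(?P<src>\S+)")

# Services that carry credentials in the clear (example's own list).
CLEARTEXT_SERVICES = {"in.telnetd", "imapd", "in.ftpd", "in.rlogind"}
BURST_THRESHOLD = 3  # connections from one source to one service


def triage(lines):
    """Return a list of finding tuples; the first element names the finding."""
    findings = []
    connects = Counter()
    cleartext = set()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            findings.append(("unparsed", line))
            continue
        prog, msg = m["prog"], m["msg"]
        if prog == "login" and (n := NO_SHADOW_RE.search(msg)):
            # The account authenticated against a hash kept in /etc/passwd itself,
            # i.e. it was never created through the shadow tooling.
            findings.append(("passwd-only-account", n["user"], n["src"]))
        elif prog == "su" and (s := SU_RE.search(msg)):
            findings.append(("su", s["user"], s["target"], s["tty"]))
        elif c := CONNECT_RE.search(msg):
            connects[(prog, c["src"])] += 1
            if prog in CLEARTEXT_SERVICES:
                cleartext.add((prog, c["src"]))
    for prog, src in sorted(cleartext):
        findings.append(("cleartext-service", prog, src))
    for (prog, src), n in sorted(connects.items()):
        if n >= BURST_THRESHOLD:
            findings.append(("connect-burst", prog, src, n))
    return findings


# Constructed passwd/shadow excerpts (not from the page). "shizat" reproduces the
# situation behind the log line: a hash in world-readable passwd, no shadow entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon:/var/www:/bin/false
shizat:$1$placeholder$0123456789abcdefghijkl:1001:100::/home/shizat:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$placeholder$zyxwvutsrqponmlkjihgfe:10848:0:99999:7:::
wwwrun:*:10848:0:99999:7:::
"""


def audit_accounts(passwd_text, shadow_text):
    """Flag passwd entries that bypass shadow, have no password, or add a second UID 0."""
    shadow_users = {l.split(":", 1)[0] for l in shadow_text.splitlines() if l.strip()}
    findings = []
    for l in passwd_text.splitlines():
        if not l.strip():
            continue
        fields = l.split(":")
        if len(fields) != 7:
            findings.append(("malformed", l))
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        if pw == "":
            findings.append(("empty-password", name))
        elif pw not in ("x", "*", "!"):
            findings.append(("hash-in-passwd", name))
        if uid == 0 and name != "root":
            findings.append(("extra-uid0", name))
        if name not in shadow_users:
            findings.append(("no-shadow-entry", name))
    return findings


if __name__ == "__main__":
    for f in triage(LOG_LINES):
        print(*f)
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(*f)
```

Run against real files with `audit_accounts(open("/etc/passwd").read(), open("/etc/shadow").read())` as root. The "empty-password" finding is also what the single-user recovery described in the reply leaves behind until a new root password is set, so the audit is a useful follow-up check after that procedure; the "connect-burst" and "cleartext-service" findings are the log-side view of why the reply recommends tcp-wrappers and replacing telnet with SSH.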