[SuSE Linux] security breaches... Help!
On several occasions, somebody has managed to break into my networked SuSE Linux box and do some damage. On two occasions, the damage has made it impossible for me to log in to my own site. Yesterday, for example, I found the following entries in /etc/passwd:

    lage::0:0::/root:/bin/bash
    Slage::999:999::/tmp:/bin/bash

I certainly didn't put these lines in my /etc/passwd file. In /var/log/warn and in /var/log/messages I find a lot of stuff like this:

    Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
    Nov 29 04:48:37 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
    Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on `ttyp0' from `192.116.194.173'
    Nov 29 04:50:16 sophia login[2228]: invalid password for `root' on `ttyp0' from `192.116.194.173'
    Nov 29 04:51:03 sophia login[2231]: invalid password for `root' on `ttyp0' from `192.116.194.173'
    Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on `ttyp1' from `192.117.189.128'
    Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on `ttyp0' from `192.117.189.128'

I don't know how this person managed to add lines to my /etc/passwd file. By the time s/he was done, I couldn't log into my own system under *any* legitimate name and passwd, and had to boot from a floppy and reinstall a bunch of stuff. Is that some sort of security device kicking in? If so, what is the best way of undoing the damage? Can anyone advise me about the best method of preventing this sort of thing? Thanks.

Wes
participants (1)
-
wes@sophia.colorado.edu
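The post quotes two kinds of evidence: injected /etc/passwd entries (a second UID 0 account with an empty password field, and an account with no shadow entry whose home is /tmp) and a run of failed login attempts from two source addresses. The script below is an added example, not code from Wes's message or from SuSE; it runs the checks a responder would make over that evidence. The sample data is constructed to match the entries quoted in the post, and the baseline account list, the list of suspicious home directories, the failure threshold and the reason strings are all assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample data modelled on the entries quoted in the post:
# the two injected accounts plus a few normal ones (not a real passwd file).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
wes:x:500:100:Wes:/home/wes:/bin/bash
lage::0:0::/root:/bin/bash
Slage::999:999::/tmp:/bin/bash
"""

# Constructed sample of the login(1) messages quoted in the post.
LOG_SAMPLE = """\
Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:48:37 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:50:16 sophia login[2228]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:03 sophia login[2231]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on `ttyp1' from `192.117.189.128'
Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on `ttyp0' from `192.117.189.128'
"""

# Assumed known-good account list. On a real box take it from a clean
# install or a backup, never from the file you are auditing.
BASELINE_ACCOUNTS = {"root", "bin", "wes"}

# Assumed: home directories no legitimate interactive account should have.
SUSPICIOUS_HOMES = {"/tmp", "/var/tmp", "/dev", "/"}

# Matches the two login(1) message forms seen in the post.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) login\[(?P<pid>\d+)\]: "
    r"(?P<event>invalid password|no shadow password) for `(?P<user>[^']*)' "
    r"on `(?P<tty>[^']*)' from `(?P<src>[^']*)'$"
)


def audit_passwd(text, baseline=BASELINE_ACCOUNTS):
    """Return (account, reason) pairs for entries that should not be there."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, home, shell = fields
        if name not in baseline:
            findings.append((name, "not in baseline"))
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 but not root"))
        if pw == "":
            # Empty field: no password is required on a non-shadow system.
            findings.append((name, "empty password field"))
        if home in SUSPICIOUS_HOMES and shell not in ("/bin/false", "/sbin/nologin"):
            findings.append((name, "interactive shell with home " + home))
    return findings


def audit_login_log(text, threshold=3):
    """Count failed logins per source and collect 'no shadow password' events."""
    failures = Counter()
    shadow_missing = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        if m["event"] == "invalid password":
            failures[m["src"]] += 1
        else:
            # A login attempt for an account that exists in passwd but has
            # no shadow entry: exactly what an injected account looks like.
            shadow_missing.append((m["user"], m["src"]))
    noisy = {src: n for src, n in failures.items() if n >= threshold}
    return noisy, shadow_missing


if __name__ == "__main__":
    for name, reason in audit_passwd(PASSWD_SAMPLE):
        print(f"passwd: {name}: {reason}")
    noisy, missing = audit_login_log(LOG_SAMPLE)
    for src, n in noisy.items():
        print(f"log: {n} failed logins from {src}")
    for user, src in missing:
        print(f"log: attempt for `{user}' (no shadow entry) from {src}")
```

Run the checks against a copy of /etc/passwd and the logs taken from a clean boot medium (as Wes did with the floppy), not from the running host: once someone has written a UID 0 entry into /etc/passwd, nothing on that disk, including the tools used to inspect it, can be trusted.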