[ILUG-BOM] Login Problem Please help

Rajesh Deo rajeshdeo@[EMAIL-PROTECTED]
Thu Mar 6 21:25:38 IST 2003


On Thu, 6 Mar 2003, Kamal Matta wrote:

> thanks mr nath,
> but how come this would have been done ? if seems i don't have a choice but
> to reinstall and resetup. 

Yes, _if_ you system has really been cracked, it is advised to install the 
system from scratch again. So first figure that out, from you description 
of the problem, if syslog is not working, as it should, you may have a 
real problem at hand. So check first why it is not working. If you 
determined that your system has really been cracked, them everything below 
applies. ;)

> is it possible to reinstall the damaged area as
> reinstlling and resetup will be big problem for me.

Pain it will be, but to your advantage only. Many crackers will employ 
different tricks to re-establish control of a cracked system, which  
includes putting all sorts of trojan software on the system. Searching 
each one requires enough knowledge of the system and even then you can not 
completely guarantee that all security holes have been plugged on your 
system. So install from scratch and *** apply all the security updates 
released by RedHat ***. For this go to http://www.redhat.com/errata.

> i am using this server for NAT/RAS/DNS/DHCP/PROXY/WEB services. i am using
> ipchains and setted masq on ppp and eth1 ports to allow to use this box as
> gateway to some users as rest use proxy settings.

You might want to boot in single user mode and note down all the 
configuration changes for your servers. The same can then be applied to 
the new and patched installation. See the security FAQs / HOWTOs for each 
of the servers you use, and check if your setting are opening any obvious 
security holes.

For a good introduction to configuring security under Linux see this 
HOWTO, http://www.tldp.org/HOWTO/Security-HOWTO/index.html

> only recently we have started using cable internet and got one ip. could
> this has helped the hackers ? earlier we were using diapup connectivity. if
> possible please help me and tell as what precautions should i take to keep
> away the hackers.

A static IP only means that the intruder has more time to play around with 
a cracked machine, it is not that you will be safe on a dialup line, only 
that the chances of successful compromise are slightly less. Hence least 
you can do is to keep you system updated with security patches.
 
>  i will let u know what u have asked as right now my system is in use by
> users as rest everything is working except login. and see all details i have
> to boot it to linux single.
> 

The sooner the better, you don't want intruders running inside your lan
systems do you?

> ----- Original Message -----
> From: "Tapeshwar Nath" <gtapeshwar at yahoo.com>
> To: <linuxers at mm.ilug-bom.org.in>
> Sent: Thursday, March 06, 2003 4:27 PM
> Subject: Re: [ILUG-BOM] Login Problem Please help
> 

[snip]

> > It seems like your machine has been hacked ... and has
> > been played around with.
> > Can u check what glibc version you are using. and
> > whether it has been changed..., whether your mingetty
> > has been tampered with...Also check where your /bin/sh
> > points to...
> >
> > There are also standard softwares that come thru which
> > you  can check your system integrity. Try google
> > search...

Here is good one to find trojons and rootkits,
http://www.chkrootkit.org/

[snip]

HTH,
Rajesh

-- 
You can't cheat the phone company.





More information about the Linuxers mailing list