[ale] passwd for root not working

Scott McBrien smcbrien at gmail.com
Tue Jan 5 18:38:41 EST 2010


(1) Take the server off the network.
(2) copy any data that may be important on the machine
(3) *optional* replace the disk with another so you can analyze it later
(4) Reinstall the system
(5) apply all package updates
(6) put your data back on (though you might consider restoring its
state from backups made pre break-in)

Likely you were targeted with a scripted attack, but there's no
way of knowing EVERYTHING they've done to the machine in the
meantime, at least not quickly.  Better to wipe it out and start fresh
from known good binaries and data.  If you've pulled or imaged the
borked system's disk you can attempt to analyze how the attacker
exploited you.  But to start, all user account passwords should be set
to something different on the replacement box, and anywhere you use
the same root password should also be updated.

-Scott

On Jan 5, 2010, at 5:45 PM, Atlanta Geek <atlantageek at gmail.com> wrote:

> A machine that I was not in charge of seems to have been broken into
> over the weekend.
> I am trying to help the sysadmin.  However, there seem to be some
> weird things going on when I try to lock the system down.
>
> 1. found that /var/log/secure was a directory and not a file.
> 2. when, as root, I typed passwd, I found that the passwd command was missing.
> 3. copied passwd from another server.  When trying to set the password we
> get the following:
>
> [root at localhost etc]# passwd
> Changing password for user root.
> New UNIX password:
> Retype new UNIX password:
> passwd: Authentication token manipulation error
>
>
> Here are some details about shadow and passwd files
>
> [root at localhost etc]# lsattr /etc/passwd
> ----i-------- /etc/passwd
> [root at localhost etc]# ls -altr passwd
> -rw-r--r-- 1 root root 1616 Feb 28  2009 passwd
> [root at localhost etc]# ls -altr shadow
> -r-------- 1 root root 954 Oct  1 08:42 shadow
> [root at localhost etc]# lsattr passwd
> ----i-------- passwd
> [root at localhost etc]# lsattr shadow
> ----i-------- shadow
>
>
>
> Any assistance would be appreciated.
>
> -- 
> http://www.atlantageek.com
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
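The three oddities reported in the quoted message (immutable attribute on /etc/passwd and /etc/shadow, /var/log/secure replaced by a directory, the passwd binary gone) are the kind of thing worth checking for on other boxes before deciding they are clean. The following triage helpers are an added example, not code from the thread or the list; the lsattr output embedded in it is a constructed sample shaped like the one quoted above, and the function names are my own.

```shell
#!/bin/sh
# Triage helpers for the indicators described in the thread. On a real
# host, feed immutable_paths the output of:  lsattr -d /etc/passwd /etc/shadow
# (the +i flag blocks passwd from rewriting /etc/shadow, which is what
# produces "Authentication token manipulation error" even for root).

# Return 0 when one lsattr output line shows the immutable (i) flag set.
attr_is_immutable() {
    flags=${1%% *}              # attribute field is the first word
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read lsattr lines on stdin, print each path that has +i set.
# Returns 0 if at least one immutable path was found, 1 otherwise.
immutable_paths() {
    found=1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if attr_is_immutable "$line"; then
            echo "immutable: ${line#* }"
            found=0
        fi
    done
    return $found
}

# A log path should be a regular file; the thread found it was a directory.
log_is_regular_file() {
    [ -f "$1" ] && [ ! -d "$1" ]
}

# Return 0 when a command resolves to something executable on PATH.
cmd_present() {
    command -v "$1" >/dev/null 2>&1
}

# Constructed sample lsattr output (hypothetical; shaped like the thread's).
SAMPLE_LSATTR='----i-------- /etc/passwd
----i-------- /etc/shadow
------------- /etc/group'

run_triage() {
    printf '%s\n' "$SAMPLE_LSATTR" | immutable_paths
    log_is_regular_file /var/log/secure || echo "WARN: /var/log/secure is not a regular file"
    cmd_present passwd || echo "WARN: passwd command missing"
}
```

Any hit here is a reason to treat the host as suspect and follow the rebuild steps above, not something to quietly `chattr -i` and move on from.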
