[ale] passwd for root not working

Jim Kinney jim.kinney at gmail.com
Tue Jan 5 21:27:38 EST 2010


Step 1: boot from a known clean CD and use the tools on it to clean up the
mess. At this point nothing on the compromised system is reliable.
Step 2: back off the data and configuration files.
Step 3: reinstall the OS. Do all security updates.
Step 4: manually inspect ALL config files before reloading them.
Step 5: verify all data files are NOT executable and especially NOT SUID
ROOT. Restore data files.
Step 6: flog the sysadmin.

On Jan 5, 2010 5:51 PM, "Atlanta Geek" <atlantageek at gmail.com> wrote:

A machine that I was not in charge of seems to have been broken into
over the weekend.
I am trying to help the sysadmin.  However, there seem to be some
weird things going on when I try to lock the system down.

1. found that /var/log/secure was a directory and not a file.
2. when as root I type passwd I found that passwd command was missing.
3. copied passwd from another server.  When trying to set password we
get the following:

[root@localhost etc]# passwd
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error


Here are some details about shadow and passwd files

[root@localhost etc]# lsattr /etc/passwd
----i-------- /etc/passwd
[root@localhost etc]# ls -altr passwd
-rw-r--r-- 1 root root 1616 Feb 28  2009 passwd
[root@localhost etc]# ls -altr shadow
-r-------- 1 root root 954 Oct  1 08:42 shadow
[root@localhost etc]# lsattr passwd
----i-------- passwd
[root@localhost etc]# lsattr shadow
----i-------- shadow



Any assistance would be appreciated.

--
http://www.atlantageek.com
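
Step 5 above (verify that data files are not executable and not SUID before restoring them), sketched as an added example that is not part of the original thread. The function names and output labels are assumptions; run it from the clean boot media against the backed-up data tree, never with tools from the compromised system.

```shell
#!/bin/sh
# Added example: audit a backed-up data tree before restoring it (Step 5).
# Function names and the SUID-SGID / EXEC labels are illustrative choices.

# audit_data_tree DIR
#   Prints "SUID-SGID <path>" for regular files with setuid or setgid set,
#   and "EXEC <path>" for regular files with any other execute bit set.
#   Returns 0 if nothing was flagged, 1 if anything was, 2 on a bad argument.
#   Directories are skipped: their x bit only means "searchable".
audit_data_tree() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # -xdev keeps the scan on the backup filesystem only.
    suid=$(find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print)
    exec_only=$(find "$dir" -xdev -type f ! -perm -4000 ! -perm -2000 \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print)

    if [ -n "$suid" ]; then
        printf '%s\n' "$suid" | sed 's/^/SUID-SGID /'
    fi
    if [ -n "$exec_only" ]; then
        printf '%s\n' "$exec_only" | sed 's/^/EXEC /'
    fi
    [ -z "$suid$exec_only" ]
}

# strip_exec_bits DIR
#   After the flagged files have been inspected by hand, clear execute,
#   setuid and setgid bits on every regular file so restored data cannot run.
strip_exec_bits() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -xdev -type f \
        \( -perm -4000 -o -perm -2000 -o -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        -exec chmod a-x,u-s,g-s {} +
}

# Stand-alone use: ./audit.sh /mnt/backup/data
if [ "$#" -gt 0 ]; then
    audit_data_tree "$1"
fi
```

Paths containing newlines are reported across several lines; treat any such file name in a backup from a compromised host as a finding in its own right.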