
[cobalt-users] Re:[cobalt-developers] Re: Adduser/Passwd Locked/Newbie



"Colm Brazel" <cbweb@xxxxxx> wrote on 23.03.01 13:16:33:

>I have a raq3 recently hacked to which an unhack script has been 
>applied. 
>
>However, at present I get the message 'cannot create [directory], 
>directory $homedir already exists' or 'passwd' file is locked.
>Also cannot change my own root password on the server using GUI or ssh.
>Have tried the following from root
>chmod a+rwx /etc/passwd to give read/write/execute permissions on the 
>passwd file, but get message 'operation not permitted'
>I am getting great help on this from another raq owner who has 
>supplied an unhack script and remembers and is looking for
>a cobalt GUI/Adduser script that may fix this.

Hi Colm!

Unfortunately that does not sound very good :-(

The unhack script most probably just changes back the modified files
which an r00t kit changes. It depends on how much time there was
between the hack and your detection. If it had been more than a few
hours, maybe even days, then probably the attacker already used your
box and installed some more things - and he changed your password.

You should consider getting the restore CD and go for it.

In case you have it nearby, unplug it. If it is colocated you should
consider talking with these guys. Maybe your box will be used for 
spamming or related shit, and guess who will be paying for the 
bandwidth used ...

The message 'operation not permitted' means that the attacker
had changed some bits on the extended file system. You can
change it back with chattr. Take a look at it: 'man chattr' and
'man lsattr'.

Good luck!
Thomas

--
InternAd.de
Internet Advertising
Thomas Prosi
tp@xxxxxxxxxxx
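
The lsattr/chattr check mentioned in the reply above, as an added example that is not part of the original message: a small filter that reads `lsattr` output and reports files carrying the immutable (`i`) or append-only (`a`) attribute, the ext2 flags that make `chmod` or `passwd` fail with 'operation not permitted' even for root. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# find_locked: read `lsattr` output on stdin ("<flags> <path>" per line) and
# print one line per file that has the immutable or append-only attribute set.
find_locked() {
    while read -r flags path; do
        [ -n "$path" ] || continue
        case "$flags" in
            *[!A-Za-z-]*) continue ;;   # not a flags field (e.g. an error line)
        esac
        case "$flags" in
            *i*) echo "immutable $path" ;;
        esac
        case "$flags" in
            *a*) echo "append-only $path" ;;
        esac
    done
}

# Constructed sample of lsattr output; on a real system feed it live data:
#   lsattr /etc/passwd /etc/shadow 2>/dev/null | find_locked
SAMPLE='----i--------- /etc/passwd
-------------- /etc/group
----ia-------- /etc/shadow
-----a-------- /var/log/messages'

sample_report() {
    printf '%s\n' "$SAMPLE" | find_locked
}

# After reviewing the report, the attributes are cleared as root with e.g.:
#   chattr -i -a /etc/passwd
# Remember that chattr and lsattr themselves may have been replaced on a
# compromised box, so run known-good copies (rescue media) where possible.
sample_report
```

Clearing the attributes only restores write access; it says nothing about what else was changed on the system.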