This workstation compromised... Not sure how, but...

Giles Orr gilesorr-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Mon Nov 20 13:53:02 UTC 2006


On 11/15/06, Scott Elcomb <psema4-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> I'm certainly open to any ideas.  Here's what I know so far:
>
> #1 - On boot, non-root user id/passwd that has been in use for > 1
> year is not working.
>
> #2 - Using a virtual console, I logged in as root and ran passwd for the
> workstation id, which changed the passwd for the workstation id.
>
> #3 - New password does _not_ work for associated id.
>
> #4 - New password _does work_ for root.
>
> I am assuming this workstation is compromised, and until resolved I
> will be using other hardware(s) available to me.  Any suggestions,
> ideas, thoughts would be welcome.  I really don't know how (!?!) this
> workstation could have been influenced by outside forces since I'm
> fairly certain of the integrity of at least 3 layers of security
> between this workstation and the internet.  This includes firewalls
> and routers.

Disclaimer: I am NOT a security expert.

Boot from a live CD, establish an internet connection.  Download the
passwd executable for your original distro (make sure you fetch the
exact same version, or better yet get it off a distro CD if you have
it).  Do an md5sum on both the original and the newly retrieved
version.  This won't tell you how your system was compromised, but
should at least tell you if passwd has been corrupted.

-- 
Giles
http://www.gilesorr.com/
gilesorr-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
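The check Giles describes, as an added example that is not part of the original thread: from a live CD, mount the suspect disk read-only and compare the hash of its passwd binary against a known-good copy of the exact same package version. The script below is assumed code, not anything from the list; the paths under a mount point such as /mnt/suspect are assumptions, and the demo at the end uses constructed stand-in files so it runs offline. It hashes with sha256sum as well as md5sum, since an md5 match alone is weaker evidence than a match on both.

```shell
#!/bin/sh
# Added example (not from the original thread): compare a suspect binary
# taken from a possibly compromised disk (mounted read-only from a live CD,
# e.g. /mnt/suspect/usr/bin/passwd - an assumed path) against a known-good
# copy of the same distro package version (e.g. unpacked from a distro CD).

set -u

# hash_file FILE -> prints "sha256 md5" for FILE
hash_file() {
    f="$1"
    s=$(sha256sum "$f" | cut -d' ' -f1)
    m=$(md5sum "$f" | cut -d' ' -f1)
    printf '%s %s\n' "$s" "$m"
}

# verify_binary SUSPECT REFERENCE
# Returns 0 if both digests match, 1 if either differs, 2 if a file is missing.
verify_binary() {
    suspect="$1"; ref="$2"
    if [ ! -f "$suspect" ] || [ ! -f "$ref" ]; then
        echo "missing file: $suspect or $ref" >&2
        return 2
    fi
    hs=$(hash_file "$suspect")
    hr=$(hash_file "$ref")
    if [ "$hs" = "$hr" ]; then
        echo "OK      $suspect"
        return 0
    fi
    echo "DIFFERS $suspect"
    echo "  suspect:   $hs"
    echo "  reference: $hr"
    return 1
}

# demo: constructed stand-in files (not real binaries) so the script runs
# offline; prints the two return codes, expected "0 1".
demo() {
    tmp=$(mktemp -d)
    printf 'ELF-fake-passwd-v1\n' > "$tmp/passwd.ref"
    cp "$tmp/passwd.ref" "$tmp/passwd.same"
    printf 'ELF-fake-passwd-v1-trojaned\n' > "$tmp/passwd.bad"
    if verify_binary "$tmp/passwd.same" "$tmp/passwd.ref" >/dev/null; then r1=0; else r1=$?; fi
    if verify_binary "$tmp/passwd.bad" "$tmp/passwd.ref" >/dev/null; then r2=0; else r2=$?; fi
    rm -rf "$tmp"
    echo "$r1 $r2"
}
```

Usage on a real disk would be something like `verify_binary /mnt/suspect/usr/bin/passwd /mnt/refcd/usr/bin/passwd`, with the suspect filesystem mounted read-only (`mount -o ro`) so the examination itself changes nothing. A matching hash only shows that this one file is unmodified; the same comparison is worth running on the other binaries and libraries in the login path (login, su, the PAM modules) and on the distro's own stored checksums (`rpm -V` or `debsums`, where available) before concluding anything about the machine.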