[comp.unix.sysv386] HELP root password unknown

rlm@ceres.physics.uiowa.edu (11/20/90)

HELP!

Someone (a hacker I suppose) has changed the root password on our ESIX system 
- is it possible to access the system to reset this?

Robert Mutel
Department of Physics and Astronomy
University of Iowa
Iowa City, IA 52242

==============================================================================
Phone: (319) 335-1950         |  TWX: 910-525-1398  
SPAN: 7230::RLM (CERES)       |  Bitnet: rlm%iowa.Physics.UIowa.Edu@CUNYVM 
HEPnet: 47588::RLM (IOWA)     |  Internet: rlm@iowa.Physics.UIowa.Edu 
==============================================================================

darcy@druid.uucp (D'Arcy J.M. Cain) (11/22/90)

In article <1990Nov20.094505.896@ceres.physics.uiowa.edu> rlm@ceres writes:
>Someone (a hacker I suppose) has changed the root password on our ESIX system 
>- is it possible to access the system to reset this?

Resume breathing, it can be done.  Reboot from your distribution floppies.
When you see the following;

    strike <ENTER> to install the ESIX System on your hard disk.

take a deep breath and press enter.  It won't wipe out your system.  If you
have an existing system (as you obviously do) you will see the following:

    You may select a quick recovery procedure ...
    ...
    (Strike y (quick recovery) or n (skip) followed by ENTER)

If you say yes to this a whole bunch of files will be moved to ones
called <basename>.SAV.  A list will be displayed for you.

Now reboot from the fixed disk and login as root with no password.  At
this point do not pass go, do not collect $200 but go straight to /etc
and remove the root password from the old shadow file and restore the
two files.  Run passwd to give root back its old password.

Now you have the task of finding the security leak and plugging it before
this happens again.  A good start is the Cops program which finds a lot
of the more obvious stuff.  Good luck.

-- 
D'Arcy J.M. Cain (darcy@druid)     |
D'Arcy Cain Consulting             |   I support gun control.
West Hill, Ontario, Canada         |   Let's start with the government!
+ 416 281 6094                     |

kjh@pollux.usc.edu (Kenneth J. Hendrickson) (11/25/90)

In article <1990Nov20.094505.896@ceres.physics.uiowa.edu> rlm@ceres.physics.uiowa.edu writes:
>Someone (a hacker I suppose) has changed the root password on our ESIX system 
>- is it possible to access the system to reset this?

I HOPE NOT.  If there is, then all ESIX systems are terribly insecure.
I hope you have to have each user backup their stuff, and re-load the OS
off of the original disks and/or tapes.  I hope this not to wish you a
terrible lot of work, but because I am thinking about ESIX, and I
wouldn't want such an insecure system.

In addition, how do we know that you aren't some hacker trying to
compromise some ESIX system?  :-)

-- 
  favourite oxymorons:  student athlete, honest politician, civil war
Ken Hendrickson N8DGN/6       kjh@usc.edu      ...!uunet!usc!pollux!kjh

davidsen@sixhub.UUCP (Wm E. Davidsen Jr) (11/26/90)

In article <28378@usc> kjh@pollux.usc.edu (Kenneth J. Hendrickson) writes:
| In article <1990Nov20.094505.896@ceres.physics.uiowa.edu> rlm@ceres.physics.uiowa.edu writes:
| >Someone (a hacker I suppose) has changed the root password on our ESIX system 
| >- is it possible to access the system to reset this?
| 
| I HOPE NOT.  If there is, then all ESIX systems are terribly insecure.

  Any system in which you have no physical security is insecure. Is
there a version of UNIX which doesn't allow you to mount the root
partition and change the appropriate files?

  I doubt a hacker, I bet someone just forgot their password.
-- 
bill davidsen - davidsen@sixhub.uucp (uunet!crdgw1!sixhub!davidsen)
    sysop *IX BBS and Public Access UNIX
    moderator of comp.binaries.ibm.pc and 80386 mailing list
"Stupidity, like virtue, is its own reward" -me

david@twg.com (David S. Herron) (11/27/90)

In article <28378@usc> kjh@pollux.usc.edu (Kenneth J. Hendrickson) writes:
>In article <1990Nov20.094505.896@ceres.physics.uiowa.edu> rlm@ceres.physics.uiowa.edu writes:
>>Someone (a hacker I suppose) has changed the root password on our ESIX system 
>>- is it possible to access the system to reset this?
>
>I HOPE NOT.  If there is, then all ESIX systems are terribly insecure.
>I hope you have to have each user backup their stuff, and re-load the OS
>off of the original disks and/or tapes.  I hope this not to wish you a
>terrible lot of work, but because I am thinking about ESIX, and I
>wouldn't want such an insecure system.

Now now now.. calm down.

For eons and eons (maybe since even the Epoch (1-Jan-70)) there have been
numerous ways of getting privileged access to systems if you have
physical access.  Sometimes with the help of the distribution media.

On Vaxen you'd press BREAK (or sometimes ^P) and then some variant of
the "b" (or boot) command will bring you to "single user".  (single-user
means you have a "root shell" which is the only thing running in the system)

On Suns you press L1-A and then "b -s" and you again go to single-user.

On most SysV's I'm familiar with you take the first floppy from the
distribution set (the boot floppy) & boot it.  Then during the initial
messages you hit the interrupt character (DEL usually..) and you're
dropped to a single-user shell.

All this is documented in the relevant manuals & so I don't see that it's
any great security risk to let the information out.

Besides, if someone has physical access to your system they could do
something as "gross" as taking the physical machine somewhere so that
they can play with it at their leisure.  This is one of the reasons
why I don't understand wanting to have *computers* on each desk ...

-- 
<- David Herron, an MMDF & WIN/MHS guy, <david@twg.com>
<- Formerly: David Herron -- NonResident E-Mail Hack <david@ms.uky.edu>
<-
<- Use the force Wes!

ralfi@pemstgt.PEM-Stuttgart.de (Ralf Holighaus) (11/28/90)

kjh@pollux.usc.edu (Kenneth J. Hendrickson) writes:

>In article <1990Nov20.094505.896@ceres.physics.uiowa.edu> rlm@ceres.physics.uiowa.edu writes:
>>Someone (a hacker I suppose) has changed the root password on our ESIX system 
>>- is it possible to access the system to reset this?

>I HOPE NOT.  If there is, then all ESIX systems are terribly insecure.
>I hope you have to have each user backup their stuff, and re-load the OS
>off of the original disks and/or tapes.  I hope this not to wish you a
>terrible lot of work, but because I am thinking about ESIX, and I
>wouldn't want such an insecure system.

>In addition, how do we know that you aren't some hacker trying to
>compromise some ESIX system?  :-)

>-- 

Actually, I think there might be the same possibility as on a SCO system:
Maybe you have an Emergency Boot Disk. Use this disk to boot, mount the
filesystem of the hard disk and modify /etc/passwd there to remove the
password entry of root. Then boot off the hard disk and enter a new passwd
immediately for root.

Rgds
Ralf Holighaus
-- 
Programmentwicklung fuer    Microcomputer |         Ralf U. Holighaus
PO-Box 810165        Vaihinger Strasse 49 |         >> PEM Support <<
D-7000 Stuttgart 80          West Germany | holighaus@pemstgt.PEM-Stuttgart.de
VOICE: x49-711-713045 FAX: x49-721-713047 |      ..!unido!pemstgt!ralfi 

ignatz@chinet.chi.il.us (Dave Ihnat) (11/29/90)

This is relatively late for this person, but it may help someone else...
You *don't* need to go to the trouble of having it rename all your
files, etc.  Bring up the floppy-based first disk, break (as mentioned
by one other person), and you've a "tail-wagging-dog" situation, with
the floppy-booted Unix running and the hard disk waiting in the wings.
Mount your hard disk--the boot floppy will have that command--then use
your favorite editor from your hard disk to delete the password from
the hard disk copy of /etc/passwd (or /etc/shadow!).  Then reboot and
reset the root password...

	-Dave Ihnat
	 Analysts International Corp.
	 ignatz@homebru.chi.il.us

jon@hitachi.uucp (Jon Ryshpan) (12/04/90)

In article <1990Nov29.004739.6162@chinet.chi.il.us> ignatz@chinet.chi.il.us (Dave Ihnat) writes:

>You *don't* need to go to the trouble of having it rename all your
>files, etc.  Bring up the floppy-based first disk, break (as mentioned
>by one other person), and you've a "tail-wagging-dog" situation, with
>the floppy-booted Unix running and the hard disk waiting in the wings.
>Mount your hard disk--the boot floppy will have that command--then use
>your favorite editor from your hard disk to delete the password from
>the hard disk copy of /etc/passwd (or /etc/shadow!).  Then reboot and
>reset the root password...

You will probably also have to run fsck on whatever partitions you want
to mount.  Fsck should also be on the boot floppy.

Any system that is not *physically* secure is not secure.  As a last
resort the "bad guy" can take out the hard disk and install it in
another system.

Jonathan Ryshpan		<...!uunet!hitachi!jon>

alex@bma35b.ma02.bull.com (Alex Bottonelli @Bull Italia FLM Newton Mass. USA) (12/07/90)

In article <28378@usc>, kjh@pollux.usc.edu (Kenneth J. Hendrickson) writes:
> In article <1990Nov20.094505.896@ceres.physics.uiowa.edu> rlm@ceres.physics.uiowa.edu writes:
> >Someone (a hacker I suppose) has changed the root password on our ESIX system 
> >- is it possible to access the system to reset this?
> 
> I HOPE NOT.  If there is, then all ESIX systems are terribly insecure.
> ...
> ... 
> In addition, how do we know that you aren't some hacker trying to
> compromise some ESIX system?  :-)
> 

Well if you are not a hacker and you have physical access to the machine,
all unix systems I have played with, so far, can boot a minimal unix kernel
from floppy. If you can do that, you can mount the hard disk root partition,
say under /mnt and do:

		# /mnt/bin/ed /mnt/etc/passwd
		  *blank out the password field for root*
		
		  *reboot from hard disk*
		  *immediately reassign a known password to root*

Easy, isn't it?

     ____        ___ 		||  Alessandro Bottonelli
    /   /  /    /    |/		||  Bull Hn Italia
   /---/  /    /---  /		||  141 Needham St. - Ms 213
  /   /  /___ /___  /|		||  Tel. xx1-617-552-6471
_____________________)		||  Fax. xx1-617-552-5318
				||  Net. ..!uunet!hbiso!bma35b!alex
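The recovery steps in the thread (blank root's field in /etc/passwd or /etc/shadow, reboot, then run passwd) leave the system with a passwordless root until that last step is done, and D'Arcy's advice to run Cops afterwards is about catching exactly this class of thing. The following is an added example, not code from any poster: a small POSIX sh audit that lists every account whose password field is empty in the passwd/shadow-style files you hand it. The file paths and the sample entries are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): flag accounts with an empty password
# field, i.e. accounts that log in with no password at all.  Works on the
# colon-separated layout shared by /etc/passwd and /etc/shadow, where the
# password field is field 2 ("x" in passwd means "look in shadow").

# Print "user:file" for each entry whose password field is empty.
audit_empty_passwords() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -F: -v file="$f" '$2 == "" { print $1 ":" file }' "$f"
    done
}

# Number of empty-password entries across the given files (0 is the goal).
count_empty_passwords() {
    audit_empty_passwords "$@" | wc -l | tr -d ' '
}

# Build constructed sample files in a temp dir and print the dir name.
# These are NOT real system files: root is left passwordless, as it would be
# right after the floppy-boot recovery and before passwd has been run.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root::0:0:Super user:/:/bin/sh
daemon:x:1:1:System daemon:/:/bin/sh
operator:x:100:100:Sample user:/u/operator:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root::0::::::
daemon:NP:0::::::
operator:CONSTRUCTEDHASH:0::::::
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: audit the constructed files.  Paths are assumptions; on a
# real box you would pass /etc/passwd and /etc/shadow.
if [ "${AUDIT_DEMO:-1}" = "1" ]; then
    d=$(make_samples)
    audit_empty_passwords "$d/passwd" "$d/shadow"
    rm -rf "$d"
fi
```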