[linux-help] Re: Cannot log on to the machine.
To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: Cannot log on to the machine.
From: Jeff Vian <jvian10@xxxxxxxx>
Date: Mon, 23 Jul 2001 21:35:45 -0500
Reply-to: linux-help@xxxxxxxxx

adithya wrote:
> 
> Hi Fellows,
> I even tried to go to single user mode and check, but nothing seems to work
> out with it. I can't just login.
> What can I actually do once I go to the single user mode?
> Is there anything that you know I must do other than reinstalling?
> regds,
> Sudharsha.
> 
> -- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
> visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi

If you boot in single user mode you do not have to log in; it gives you
a root shell.
As I said earlier, this sounds like a hack.  You can do some looking
around for files with different sizes/dates/ownership but it may be hard
to find everything that has been changed.
You can also look for changes in boot scripts and processes that should
not be running.

On mine, they replaced login with a trojan/hacked version that did not
allow anyone to log in, and put in some other things that gave them a
python shell at their request from remotely.  They also were able to get
a directory containing their scripts to be invisible to the ls command
when run in the dir where it lived (a hacked version of ls was installed).

I saw the same message with ctl-alt-del as well.   And the only sure way
to fix it was to reload the system from scratch. That way no compromised
files remain on the system.

Since then I have tightened security a LOT on my firewall - linux box
and have so far avoided a repeat.

I would suggest that you reload as soon as possible. (Look at
/var/log/messages before reinstalling to see if there are any hints to
how it was done.)  After reloading make sure you fix all the security
holes that are known for the version of linux you are running and
consider running tripwire and portsentry to help. Maybe other things are
out there that will help as well.

Hope these pointers help.
Jeff
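
The hidden-directory symptom described in the message above can be checked by comparing what the kernel reports for a directory with what the installed `ls` prints. This is an added example, not part of the original post; the function names and the wrapper script standing in for a replaced `ls` are constructed for illustration, and it assumes the interpreter itself is trusted (for example, run from rescue media).

```python
import os
import subprocess
import tempfile

# Fixed, minimal environment so aliases, locale quoting and PATH tricks do not
# change the result.
SAFE_ENV = {"LC_ALL": "C", "PATH": "/bin:/usr/bin"}


def hidden_from_ls(directory, ls_cmd=("ls",)):
    """Return names the kernel reports in `directory` that `ls_cmd -a` omits."""
    # View 1: read the directory through the kernel (os.scandir), bypassing ls.
    kernel_view = {entry.name for entry in os.scandir(directory)}
    # View 2: what the installed ls is willing to show.
    # -a includes dotfiles, -1 prints one name per line.
    out = subprocess.run(
        [*ls_cmd, "-a1", "--", directory],
        capture_output=True, check=True, env=SAFE_ENV,
    ).stdout
    ls_view = {os.fsdecode(line) for line in out.split(b"\n") if line}
    ls_view -= {".", ".."}
    # Anything present in the kernel view but absent from ls output is suspect.
    # (File names containing newlines would need a NUL-separated listing.)
    return sorted(kernel_view - ls_view)


def demo():
    """Constructed scenario: a wrapper script stands in for a replaced ls."""
    with tempfile.TemporaryDirectory() as work:
        target = os.path.join(work, "target")
        os.makedirs(os.path.join(target, "toolkit"))  # entry the stand-in omits
        open(os.path.join(target, "notes.txt"), "w").close()
        fake_ls = os.path.join(work, "fake_ls.sh")
        with open(fake_ls, "w") as fh:
            fh.write('ls "$@" | grep -vx toolkit\n')
        honest = hidden_from_ls(target)                       # system ls
        tampered = hidden_from_ls(target, ("/bin/sh", fake_ls))
        return honest, tampered


if __name__ == "__main__":
    honest, tampered = demo()
    print("hidden from system ls:  ", honest)
    print("hidden from stand-in ls:", tampered)
```

A non-empty result for a real directory means the `ls` binary disagrees with the kernel and should be compared against a copy from known-good media.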