From owner-freebsd-questions Fri Jan 19 22:45:45 2001
From: Mike Meyer
Message-ID: <14953.13318.498222.83644@guru.mired.org>
Date: Sat, 20 Jan 2001 00:45:26 -0600 (CST)
To: questions@freebsd.org
Subject: Re: Request For Help
In-Reply-To: <26172295@toto.iv>

Bill Moran types:
> Greg Lehey wrote:
>
> > On Friday, 19 January 2001 at 5:46:23 -0600, Lakewebs wrote:
> > > Hello
> > > My name is Ronald Goad. As of last week I had a person that was
> > > running our internet services, DNS and hosting. Both boxes are running
> > > on FreeBSD. This individual left in the middle of the night after
> > > changing all access passwords. Is there anyone who can assist me in
> > > saving these systems?
> >
> > I'm forwarding this to FreeBSD-questions. Maybe there's somebody
> > there who can help you.

Greg - it's hard to make sure the original author gets the reply when we
don't have his email address :-(. It may have been in the headers of the
mail you sent, but the digester at FreeBSD doesn't forward those.

> First: hunt down the jerk and kill him.
> Second: reboot the system (CTL+ALT+DEL at the system console will
> provoke a clean shutdown) as it's coming back up, watch for the
> countdown, where it says "press enter to boot now or any other key ..."
> Press any key other than ENTER before the countdown ends.
> At the prompt, enter "boot -s". This will take you into single-user mode.
> The system will ask you what shell to use, hit ENTER to accept the
> default.
> Now you'll be logged in as root (the system admin on a UN*X system).
> Just enter the "passwd" command to change root's password. Then enter
> reboot and allow the system to come back up into normal operating mode.
> You'll now be able to log in as "root" using the new password you
> created.

There are three problems with this scenario:

1) All the file systems will be "dirty", and so won't mount.
2) / will be mounted read-only, so you can't change passwords.
3) The passwd command is on /usr, which may not be mounted.

So before you can run the password command, you'll need to do:

# fsck -p
# mount -u /
# mount -a -t ufs

The first command cleans up the file systems, the second one mounts root
read-write so you can change the password file, and the third one mounts
all the unix file systems so you should have a password command.

However, given the way the bozo left, I'd be tempted to do clean installs
of *everything*, from distribution media. You don't know what traps the
booby left, so you really need to do a new install. Since the sources &
compiler aren't trustworthy(*), you should start from CD or floppies built
on a system you know is clean. While the chances of a corrupt compiler
and/or sup system are small, once you've decided to reinstall, going to
clean media is a small step.

*) Thompson published a paper describing a version of the Unix C compiler
with two hacks: 1) it recognized a code pattern in login, and added a
backdoor to it; 2) it recognized a code pattern in the compiler, and
reinserted these hacks into the compiler. You could thus have a system
with corrupt binaries and clean sources, but not be able to build clean
binaries on it.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
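A small POSIX sh planner, added here as an illustration and not taken from anyone in the thread, that turns the three problems Mike lists into checks: it reads mount(8) output in the FreeBSD format shown in the constructed sample (it assumes a separate /usr partition) and prints only the commands from the post that are still needed before passwd will work.

```shell
#!/bin/sh
# Added example for this thread (not Mike Meyer's script). Given mount(8)
# output on stdin, list the single-user-mode steps from the post that are
# still needed before passwd can run. The sample mount output is constructed.

plan_recovery() {
    # fsck -p always comes first: after the forced reboot the file
    # systems are dirty, and a clean one passes quickly anyway.
    echo "fsck -p"
    root_ro=0
    usr_mounted=0
    while IFS= read -r line; do
        case "$line" in
            # e.g. "/dev/ad0s1a on / (ufs, local, read-only)"
            *" on / "*read-only*) root_ro=1 ;;
            # e.g. "/dev/ad0s1f on /usr (ufs, local)"
            *" on /usr "*) usr_mounted=1 ;;
        esac
    done
    # Root is read-only in single-user mode, so the password file
    # cannot be rewritten until root is remounted read-write.
    [ "$root_ro" -eq 1 ] && echo "mount -u /"
    # passwd lives under /usr, which may be a separate, unmounted
    # file system.
    [ "$usr_mounted" -eq 1 ] || echo "mount -a -t ufs"
    echo "passwd"
}

# Constructed sample: what mount(8) shows right after "boot -s" on a box
# with a separate /usr partition.
SINGLE_USER_MOUNTS='/dev/ad0s1a on / (ufs, local, read-only)'

# Run the planner over the sample and print the resulting command list.
plan_for_sample() {
    printf '%s\n' "$SINGLE_USER_MOUNTS" | plan_recovery
}

plan_for_sample
```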