Date: Sat, 20 Jan 2001 00:45:26 -0600 (CST)
From: Mike Meyer <mwm@mired.org>
To: questions@freebsd.org
Subject: Re: Request For Help
Message-ID: <14953.13318.498222.83644@guru.mired.org>
In-Reply-To: <26172295@toto.iv>
Bill Moran <wmoran@mail.iowna.com> types:
> Greg Lehey wrote:
> >
> > On Friday, 19 January 2001 at 5:46:23 -0600, Lakewebs wrote:
> > > Hello
> > > My name is Ronald Goad. As of last week I had a person that was
> > > running our internet services, DNS and hosting. Both boxes are running
> > > on FreeBSD. This individual left in the middle of the night after
> > > changing all access passwords. Is there anyone who can assist me in
> > > saving these systems?
> >
> > I'm forwarding this to FreeBSD-questions. Maybe there's somebody
> > there who can help you.

Greg - it's hard to make sure the original author gets the reply when
we don't have his email address :-(. It may have been in the headers
of the mail you sent, but the digester at FreeBSD doesn't forward
those.

> First: hunt down the jerk and kill him.
> Second: reboot the system (CTL+ALT+DEL at the system console will
> provoke a clean shutdown). As it's coming back up, watch for the
> countdown, where it says "press enter to boot now or any other key ..."
> Press any key other than ENTER before the countdown ends.
> At the prompt, enter "boot -s". This will take you into single-user mode.
> The system will ask you what shell to use; hit ENTER to accept the
> default.
> Now you'll be logged in as root (the system admin on a UN*X system).
> Just enter the "passwd" command to change root's password. Then enter
> reboot and allow the system to come back up into normal operating mode.
> You'll now be able to log in as "root" using the new password you
> created.

There are three problems with this scenario:

1) All the file systems will be "dirty", and so won't mount.
2) / will be mounted read-only, so you can't change passwords.
3) The passwd command is on /usr, which may not be mounted.
So before you can run the password command, you'll need to do:

# fsck -p
# mount -u /
# mount -a -t ufs

The first command cleans up the file systems, the second one mounts
root read-write so you can change the password file, and the third one
mounts all the unix file systems so you should have a password command.

However, given the way the bozo left, I'd be tempted to do clean
installs of *everything*, from distribution media. You don't know what
traps the booby left, so you really need to do a new install. Since
the sources & compiler aren't trustworthy(*), you should start from CD
or floppies built on a system you know is clean. While the chances of
a corrupt compiler and/or sup system are small, once you've decided to
reinstall, going to clean media is a small step.

*) Thompson published a paper describing a version of the Unix C
compiler with two hacks: 1) it recognized a code pattern in login, and
added a backdoor to it; 2) it recognized a code pattern in the
compiler, and reinserted these hacks into the compiler. You could thus
have a system with corrupt binaries and clean sources, but not be able
to build clean binaries on it.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
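The three pitfalls Mike lists (dirty file systems, a read-only root, and /usr not mounted) are the reason the single-user recovery fails silently for people who jump straight to `passwd`. The following script is an added example, not code from the thread or from FreeBSD; it turns those pitfalls into checks over the text of `mount` output so they can be exercised offline. It assumes FreeBSD-style `mount` lines (`device on mountpoint (fstype, options)` with `read-only` among the options for a ro mount); both sample outputs are constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example (not from the original thread): sanity-check the
# single-user environment before running passwd. The checks work on the
# text of `mount` output, so they can be tested against canned samples.

# constructed: what `mount` prints right after `boot -s`, before `mount -u /`
SAMPLE_BEFORE='/dev/ada0p2 on / (ufs, local, read-only)
devfs on /dev (devfs)'

# constructed: the same system after `mount -u /` and `mount -a -t ufs`
SAMPLE_AFTER='/dev/ada0p2 on / (ufs, local, soft-updates)
devfs on /dev (devfs)
/dev/ada0p5 on /usr (ufs, local, soft-updates)'

# root_is_rw MOUNT_OUTPUT
# Succeeds when / appears in the output and is not flagged read-only,
# i.e. /etc/master.passwd can actually be rewritten.
root_is_rw() {
    printf '%s\n' "$1" | grep -q ' on / (' || return 1
    printf '%s\n' "$1" | grep ' on / (' | grep -q 'read-only' && return 1
    return 0
}

# usr_is_mounted MOUNT_OUTPUT
# Succeeds when a separate /usr file system is mounted, so /usr/bin/passwd
# is reachable. (A system with /usr on the root file system would not
# need this check; the samples here model the split layout in the thread.)
usr_is_mounted() {
    printf '%s\n' "$1" | grep -q ' on /usr ('
}

# ready_for_passwd MOUNT_OUTPUT
# Both conditions together: only then is it worth typing passwd.
ready_for_passwd() {
    root_is_rw "$1" && usr_is_mounted "$1"
}

# Real use at the single-user prompt (not executed here, needs root on
# the recovered box): repair and remount only if the checks fail.
#   ready_for_passwd "$(mount)" || { fsck -p; mount -u /; mount -a -t ufs; }
#   passwd
```

The point of wrapping the checks in functions rather than running `fsck -p` unconditionally is that `fsck -p` on an already-clean file system is harmless but `mount -a` on a system that has already mounted everything just produces errors; checking the state first keeps the recovery session readable when the person typing is already nervous.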