Date: Fri, 15 Mar 1996 18:25:22 -0800 (PST)
From: Richard Chang <richardc@CSUA.Berkeley.EDU>
To: dwhite@resnet.uoregon.edu
Cc: "Aaron D. Gifford" <agifford@infowest.com>, questions@FreeBSD.org
Subject: Re: Passwords
Message-ID: <Pine.PTX.3.91.960315182134.3376G-100000@soda.CSUA.Berkeley.EDU>
In-Reply-To: <Pine.BSF.3.91.960315174929.7867A-100000@riley-net170-164.uoregon.edu>

On Fri, 15 Mar 1996, Doug White wrote:

> On Fri, 15 Mar 1996, Aaron D. Gifford wrote:
>
> > At 11:43 AM 3/15/96 -0800, you wrote:
> > >Hi there,
> > >
> > >    We are running a site that had security break-ins and the hacker
> > >managed to change the root password and then edited both the /etc/passwd
> > >and /etc/master.passwd file and deleted pretty much everything in it. It
> > >seems the pwd.db and spwd.db are the original ones since apparently the
> > >person didn't use vipw on the DES encrypted system. I was wondering if
> > >there was a way to use the pwd.db and spwd.db even if the encrypted passwd's
> > >in master.passwd don't match.... Thanks.
> > >
> > >Richard
> > >
> >
> > Hi,
> >
> > I've trashed my master.passwd file before, so I wrote me a perl script to
> > regenerate my master.passwd file from the spwd.db file. It has worked for
> > me. Maybe it will work for you.
>
> Also, backups (two of them) are kept in /var/backup, and they are diff'd
> against the master files every night, so conceivably you could reverse
> diff from the mail message if it got to that point.

Hmmm, what happens if you can't get back into the system until 2 days
later and they somehow changed the root password?

Richard
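
The comparison of a backup copy against the master file that the quoted reply mentions, sketched per account rather than per line, as an added example that is not part of the original message or of FreeBSD's own scripts. It assumes the 10-field master.passwd(5) record layout; the function names and all sample records are constructed for illustration.

```python
# Added example: account-level comparison of a backup master.passwd with the
# live file. Function names are hypothetical; sample data is constructed.
FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home_dir", "shell")

def parse_master_passwd(text):
    """Parse master.passwd(5) text into {name: {field: value}}."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            continue  # not a 10-field master.passwd record, skip it
        rec = dict(zip(FIELDS, parts))
        accounts[rec["name"]] = rec
    return accounts

def compare(backup_text, live_text):
    """Return sorted (kind, account, detail) findings: how live differs from backup."""
    old, new = parse_master_passwd(backup_text), parse_master_passwd(live_text)
    findings = []
    for name in old.keys() - new.keys():
        findings.append(("removed", name, ""))
    for name in new.keys() - old.keys():
        # A new account with uid 0 has root privileges; flag it separately.
        kind = "added-uid0" if new[name]["uid"] == "0" else "added"
        findings.append((kind, name, ""))
    for name in old.keys() & new.keys():
        changed = [f for f in FIELDS if old[name][f] != new[name][f]]
        if changed:
            # Report which fields changed, never the hash values themselves.
            findings.append(("changed", name, ",".join(changed)))
    return sorted(findings)

# Constructed sample records; the password fields are placeholders, not hashes.
BACKUP = """\
root:PLACEHOLDER_HASH_A:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/nonexistent
alice:PLACEHOLDER_HASH_B:1001:1001::0:0:Constructed User:/home/alice:/bin/csh
"""
LIVE = """\
root:PLACEHOLDER_HASH_C:0:0::0:0:Charlie &:/root:/bin/csh
toor:PLACEHOLDER_HASH_D:0:0::0:0:Constructed entry:/root:/bin/sh
"""

if __name__ == "__main__":
    for kind, name, detail in compare(BACKUP, LIVE):
        print(f"{kind:11} {name:10} {detail}")
```

The comparison is only meaningful against a backup copy that predates the tampering and that the intruder could not rewrite.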