From owner-freebsd-questions  Fri Mar 15 18:25:56 1996
Return-Path: owner-questions
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id SAA20171
          for questions-outgoing; Fri, 15 Mar 1996 18:25:56 -0800 (PST)
Received: from soda.CSUA.Berkeley.EDU (soda.CSUA.Berkeley.EDU [128.32.43.52])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id SAA20166
          for <questions@FreeBSD.org>; Fri, 15 Mar 1996 18:25:54 -0800 (PST)
Received: (from richardc@localhost) by soda.CSUA.Berkeley.EDU (8.6.12/8.6.12) id SAA21258; Fri, 15 Mar 1996 18:25:24 -0800
Date: Fri, 15 Mar 1996 18:25:22 -0800 (PST)
From: Richard Chang <richardc@CSUA.Berkeley.EDU>
To: dwhite@resnet.uoregon.edu
cc: "Aaron D. Gifford" <agifford@infowest.com>, questions@FreeBSD.org
Subject: Re: Passwords
In-Reply-To: <Pine.BSF.3.91.960315174929.7867A-100000@riley-net170-164.uoregon.edu>
Message-ID: <Pine.PTX.3.91.960315182134.3376G-100000@soda.CSUA.Berkeley.EDU>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 15 Mar 1996, Doug White wrote:

> On Fri, 15 Mar 1996, Aaron D. Gifford wrote:
> 
> > At 11:43 AM 3/15/96 -0800, you wrote:
> > >Hi there,
> > >
> > >	We are running a site that had security breakins and the hacker 
> > >managed to changed the root password and the edited both the /etc/passwd 
> > >and /etc/master.passwd file and deleted pretty much everything in it.  It 
> > >seems the pwd.db and spwd.db are the original ones since apparently the 
> > >person didn't use vipw on the DES encrypted system.  I was wondering if 
> > >there was a way to use the pwd.sb and spwd.db even if the encrypted passwd's
> > >in master.passwd don't match.... Thanks.
> > >
> > >Richard
> > >
> > 
> > Hi,
> > 
> > I've trashed my master.passwd file before, so I wrote me a perl script to
> > regenerate my master.passwd file from the spwd.db file.  It has worked for
> > me.  maybe it will work for you.
> 
> Also, backups (two of them) are kept in /var/backup, and they are diff'd 
> against the master files every night, so concievably you could reverse 
> diff from the mail message if it got to that point. 

	Hmmm, what happens if you can't get back into the system until 2
days later and they somehow changed the root password?

Richard