topic Re: Intruder Alert in Operating System - HP-UX

Intruder Alert

Vikas Thorat — Thu, 04 Dec 2008 02:09:21 GMT

Hi Gurus,

I am facing problem with my HP-Unix 11.11
We are not able to login to server through telent nor with any other service.
We taken GSP console of the server and trying to resolve issue.

In the shell propmt i m getting this message :

[hostname:Intruder Alert.:dirname]>

Can you please, explain me why this "Intruder Alert." showing on this prompt????

Is there anyone hacked my system????

Appreciate your earliest response.

regards,

Vikas

Re: Intruder Alert

James R. Ferguson — Thu, 04 Dec 2008 02:32:19 GMT

Hi Vikas:

This error will occur if the '/etc/passwd' file doesn't have world-readable permissions. The permissions should be 444.

Regards!

...JRF...

Re: Intruder Alert

Vikas Thorat — Thu, 04 Dec 2008 11:54:08 GMT

Yeah that is very true James. My passwd file does not meet that criteria.

Thanks for your perfect answer.

Now, can you guide me what steps should we take to analyze and find why me and my all users not able to login into system?

According to me the possible issue is:
1) Deletion of root entry from /etc/passwd file.

What are other reasons to such problems?

If the root entry is get deleted what steps should I take to recover it when I am having only GSP / Console to connect remote HP-Unix server?

Please, guide me on this.

Re: Intruder Alert

James R. Ferguson — Thu, 04 Dec 2008 14:40:03 GMT

Hi (again) Vikas:

I'm sorry, I missed the part about neither root nor any users could log in.

If that's the case, boot your system into single-user mode. Examine and/or fix your '/etc/passwd'. If it is hopelessly corrupt, null or missing, mount '/usr' and copy '/usr/newconfig/etc/passwd' as '/etc/passwd'. This will provide a skeletal 'passwd' file like you would have following a cold-install. At that point you could boot normally and use your backup software to retrieve a good copy of your real '/etc/passwd'.

Regards!

...JRF...

Re: Intruder Alert

Ganesan R — Thu, 04 Dec 2008 14:52:34 GMT

Hi Vikas,

Is it authentication issue or telnet or any network services or not working?

If you are able to telnet/rlogin/ssh and authentication fails, then it could be password file issue. Try the James suggestion to recreate the password file.

If it is services issue you need to look into inetd.conf and /etc/services file.

Re: Intruder Alert

Vikas Thorat — Thu, 04 Dec 2008 15:15:14 GMT

Hi James,

Thank you very much. I followed the same steps only. Just wanted to check my steps are right or somewhere I missed anything. Your reply helped me to confirm all this thing.

Ganesan,

I checked inetd.conf and /etc/services and there was nothing changed or corrupt. After that I tried to execute "inetd -c" but this command too I m not able to execute. As you said it was password issue only. So, I resolved it as per James instructions.

Thank you all.

I just want to know one more thing is such problem occur due to change in nsswitch.conf file????

Re: Intruder Alert

Ganesan R — Thu, 04 Dec 2008 16:12:43 GMT

Hi Vikas,

If you modify the nsswitch.conf to refer other sources like NIS for login authentication, and not specified to refer local /etc/hosts when NIS authentication fails, then users will not be able to login.

But this will not corrupt /etc/passwd file happened in your case

Re: Intruder Alert

Vikas Thorat — Fri, 05 Dec 2008 14:01:25 GMT

Hi All,

Thanks for your great co-operation and help for solving my queries.

Ganesan thanks for your right answer.

regards,

Vikas Thorat.