https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504109#M745071 George,<BR />Have a GOOD look at your /etc/passwd file<BR />From the symptoms, it sounds like it's either been deleted or nullified. At the very least, some users (including root) have been removed from it.<BR /><BR />I assume you must have an old root session logged on since before this happened. Don't log off until you have recovered the passwd file.<BR />Obviously, also check what other files may be missing/compromised.<BR />Good luck Mon, 14 Mar 2005 11:35:31 GMT Gordon Morrison 2005-03-14T11:35:31Z https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504106#M745068 Hi it seems as if someone has been playing on one of my backup servers over the weekend.<BR /><BR />logged in as root and received intruder alert at the prompt and root seems to have lost a lot of its permissions.<BR /><BR />Whoami for any user bring up this intruder alert userid.<BR /><BR />the userid isnt in the passwd file and root's .profile has not been changed.<BR /><BR />I've took the server off the lan and checked the yslog and sulog but nothing of any use in there (this is an untrusted v11 system)<BR /><BR />Any ideas on where i start on this.<BR /><BR />Cheers<BR /><BR />George Mon, 14 Mar 2005 11:26:52 GMT https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504106#M745068 George_Dodds 2005-03-14T11:26:52Z https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504107#M745069 Check the permissions on your /etc/passwd file and the permissions on all other files. You could try swverify to check.<BR /><BR />/etc/passwd permissions should be 444 (-r--r--r--) and if it is not you can see error messages similar to what you are seeing. Mon, 14 Mar 2005 11:33:35 GMT https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504107#M745069 Patrick Wallek 2005-03-14T11:33:35Z https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504108#M745070 This generally means that the password file is goofed up because some needed user id isn't in the /etc/password file.<BR /><BR />Check permissions of /etc and /etc/password and overall password file (i.e. copy it onto system from a backup).<BR /><BR /> Mon, 14 Mar 2005 11:34:39 GMT https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504108#M745070 Kent Ostby 2005-03-14T11:34:39Z https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504109#M745071 George,<BR />Have a GOOD look at your /etc/passwd file<BR />From the symptoms, it sounds like it's either been deleted or nullified. At the very least, some users (including root) have been removed from it.<BR /><BR />I assume you must have an old root session logged on since before this happened. Don't log off until you have recovered the passwd file.<BR />Obviously, also check what other files may be missing/compromised.<BR />Good luck Mon, 14 Mar 2005 11:35:31 GMT https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504109#M745071 Gordon Morrison 2005-03-14T11:35:31Z https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504110#M745072 passwd file permissions are 444 Mon, 14 Mar 2005 11:52:54 GMT https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504110#M745072 George_Dodds 2005-03-14T11:52:54Z https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504111#M745073 On an 11.00 system a false alarm can be triggered by the root filesystem getting full.<BR /><BR />That can compress /etc/group or /etc/passwd to zero bytes. <BR /><BR />Its also possible someone has been playing.<BR /><BR />I'd recommend a thorough check of the system, including a scan for back doors.<BR /><BR />A back door can be a copy of the shell with suid set on it. Consultants and miscreants commonly set such trapdoors so they can get in again in the future.<BR /><BR />I'd also recommend a commerical program called tripwire.<BR /><BR />It monitors binaries and configuration and can alert you of unauthorized changes. Hackers will often substitute their own programs for normal commands. Their programs will install back doors and do all kinds of bad things.<BR /><BR />Finally, I'd get Bastille onto this system and harden it.<BR /><BR />SEP Mon, 14 Mar 2005 11:59:32 GMT https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504111#M745073 Steven E. Protter 2005-03-14T11:59:32Z https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504112#M745074 George .. you need to also check the permissions of / and /etc as well as viewing the file via more or cat to see if it looks "reasonable".<BR /><BR /> Mon, 14 Mar 2005 12:07:36 GMT https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504112#M745074 Kent Ostby 2005-03-14T12:07:36Z https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504113#M745075 Had a similar problem in a past life when someone edited /etc/passwd and had some difficulty remembering how to get out. Kinda obvious since the first line started with ":qot:0:". Since then, I've put a dummy user as the first line in all my /etc/passwd files so the root entry won't get clobbered in a case like this. <BR />Yeah, Yeah, I know he should have used "vipw" but sometimes it's hard to protect against managers that insist on showing off their "vo skills". 8-) Mon, 14 Mar 2005 13:24:12 GMT https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504113#M745075 S.Rider 2005-03-14T13:24:12Z https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504114#M745076 Right there is a possibility that the root permissions problem could be down to a duff passwd synching script on another server.<BR /><BR />But i cant explain the root prompt change and the response from whoami for all users.<BR /><BR />The exact prompt is <BR /><BR />Intruder Alert.@servername<BR /><BR />There is an old version of tripwire on this server but i havent read anything that says it would throw up an alert in this way.<BR /><BR />With a bit of luck it may just be down to a duff script but i'm using it as an excuse to moved to a more secure setup. <BR /><BR />Any ideas on the prompt issue?<BR /><BR />Ta<BR /><BR />George Tue, 15 Mar 2005 03:22:51 GMT https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504114#M745076 George_Dodds 2005-03-15T03:22:51Z https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504115#M745077 Hi,<BR /><BR />Document id: BH9104032020<BR /><A href="http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&amp;docId=200000007949869" target="_blank">http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&amp;docId=200000007949869</A><BR />(ancient document, I know)<BR />but it states that a system under certain circumstances of changed file permissions may display "Intruder alert" instead of the user's name. Perhaps the .profile could be responsible for the rest of the prompt.<BR /> <BR /><BR />regards,<BR />John K.<BR /><BR /> Tue, 15 Mar 2005 03:47:25 GMT https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504115#M745077 john korterman 2005-03-15T03:47:25Z https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504116#M745078 Figured it out, the script that updates the passwords from 1 server to the affected server for some reason put a blank line at the top of the passwd file.<BR /><BR />As soon as this is done the kernel must spit out the intruder alert warning at the prompt.<BR /><BR />I deleted the blank line and all is back to normal.<BR /><BR />At least i learnt something new today :) Tue, 15 Mar 2005 06:07:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/server-compromised/m-p/3504116#M745078 George_Dodds 2005-03-15T06:07:21Z