topic Re: Intruder Alert in Operating System - HP-UX

Intruder Alert

Edward J. Duranty_2 — Wed, 06 Jun 2001 19:01:43 GMT

I have a question concerning security using HP-UX 10.20. A user logged in and his prompt name had changed from the "systemname/username" to "systemname.Intruder.alert". It seems as if we have been hacked. Can anyone give me infomation on this message, as well as possibly issues that can cause this? Thanks!

Re: Intruder Alert

John Poff — Wed, 06 Jun 2001 19:07:45 GMT

Hi,

I got this once a while back. I think it was the permissions on the /etc/passwd and/or /etc/group files. Make sure they are world-readable. If they are ok, you might try running pwck to check the password file for any problems.

JP

Re: Intruder Alert

John Poff — Wed, 06 Jun 2001 20:12:38 GMT

Edward,

Now I remember. I've had this problem before when somehow the /etc/passwd file lost read permissions for the world. The 'whoami' command will return 'Intruder alert' when that happens.

In our case, we were using 'whoami' to put the user name into the shell prompt, so everyone who logged in got the 'Intruder alert' message as part of their shell prompt. It's kind of scary when it happens but it is easy to fix.

JP

Re: Intruder Alert

Jens Ebert — Thu, 07 Jun 2001 08:48:45 GMT

We got the same after creating a recovery tape with ignite in single-user mode (multiuser is recommended though) and rebuilding the system with this tape. After changing the permissions as described above, it worked.