
Intruder Alert

 
SOLVED
Vikas Thorat
Advisor

Intruder Alert

Hi Gurus,

I am facing a problem with my HP-Unix 11.11.
We are not able to log in to the server through telnet or any other service.
We have taken the GSP console of the server and are trying to resolve the issue.

At the shell prompt I am getting this message:

[hostname:Intruder Alert.:dirname]>

Can you please explain why "Intruder Alert." is showing in this prompt?

Has anyone hacked my system?

Appreciate your earliest response.

regards,

Vikas
Success is not a Permanent & Failure is not Final! So,Never Stop Working after Success & Never Stop Trying after Failure!
7 REPLIES
James R. Ferguson
Acclaimed Contributor
Solution

Re: Intruder Alert

Hi Vikas:

This error will occur if the '/etc/passwd' file doesn't have world-readable permissions. The permissions should be 444.

Regards!

...JRF...
Vikas Thorat
Advisor

Re: Intruder Alert

Yeah, that is very true, James. My passwd file does not meet that criteria.

Thanks for your perfect answer.

Now, can you guide me on what steps we should take to analyze and find why I and all my users are not able to log in to the system?

According to me the possible issue is:
1) Deletion of root entry from /etc/passwd file.

What are other reasons for such problems?

If the root entry gets deleted, what steps should I take to recover it when I have only GSP / console to connect to the remote HP-Unix server?

Please guide me on this.
James R. Ferguson
Acclaimed Contributor

Re: Intruder Alert

Hi (again) Vikas:

I'm sorry, I missed the part about neither root nor any users could log in.

If that's the case, boot your system into single-user mode. Examine and/or fix your '/etc/passwd'. If it is hopelessly corrupt, null or missing, mount '/usr' and copy '/usr/newconfig/etc/passwd' as '/etc/passwd'. This will provide a skeletal 'passwd' file like you would have following a cold-install. At that point you could boot normally and use your backup software to retrieve a good copy of your real '/etc/passwd'.

Regards!

...JRF...
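
A check that could be run from single-user mode after repairing or restoring the file, before booting normally. This is an added example, not part of the posts above; the function name `check_passwd` is hypothetical, and it assumes a plain local passwd file with seven colon-separated fields per entry and no NIS "+" lines. The mode is read from `ls` output so that no `stat` command is needed.

```shell
#!/bin/sh
# Added example: sanity-check a passwd file before leaving single-user mode.
# Usage: check_passwd [file]   (defaults to /etc/passwd)
check_passwd() {
    f=${1:-/etc/passwd}
    rc=0

    # Missing or zero-length file: the "null or missing" case from the thread.
    if [ ! -s "$f" ]; then
        echo "FAIL: $f is missing or empty"
        return 1
    fi

    # Mode must be 444 (-r--r--r--), as stated in the accepted answer.
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$mode" != "-r--r--r--" ]; then
        echo "FAIL: $f mode is $mode, expected -r--r--r-- (444)"
        rc=1
    fi

    # Every entry needs 7 colon-separated fields; blank lines count as bad.
    bad=$(awk -F: 'NF != 7 { n++ } END { print n + 0 }' "$f")
    if [ "$bad" -ne 0 ]; then
        echo "FAIL: $bad malformed line(s) in $f"
        rc=1
    fi

    # There must be a root entry with UID 0.
    if ! awk -F: '$1 == "root" && $3 == "0" { found = 1 } END { exit !found }' "$f"; then
        echo "FAIL: no root entry with UID 0 in $f"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $f looks sane"
    fi
    return "$rc"
}
```

The function reports every failed check and returns non-zero if any failed, so it can gate the reboot step in a recovery checklist.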
Ganesan R
Honored Contributor

Re: Intruder Alert

Hi Vikas,

Is it an authentication issue, or are telnet or other network services not working?

If you are able to telnet/rlogin/ssh and authentication fails, then it could be a password file issue. Try James's suggestion to recreate the password file.

If it is a services issue, you need to look into inetd.conf and the /etc/services file.

Best wishes,

Ganesh.
Vikas Thorat
Advisor

Re: Intruder Alert

Hi James,

Thank you very much. I followed the same steps only. Just wanted to check that my steps are right and whether I missed anything somewhere. Your reply helped me to confirm all of this.

Ganesan,

I checked inetd.conf and /etc/services and there was nothing changed or corrupt. After that I tried to execute "inetd -c", but I am not able to execute this command either. As you said, it was a password issue only. So, I resolved it as per James's instructions.

Thank you all.

I just want to know one more thing: can such a problem occur due to a change in the nsswitch.conf file?
Ganesan R
Honored Contributor

Re: Intruder Alert

Hi Vikas,

If you modify nsswitch.conf to refer to other sources like NIS for login authentication, and do not specify that it should refer to the local /etc/hosts when NIS authentication fails, then users will not be able to log in.

But this will not corrupt the /etc/passwd file, as happened in your case.

Best wishes,

Ganesh.
Vikas Thorat
Advisor

Re: Intruder Alert

Hi All,

Thanks for your great co-operation and help in solving my queries.

Ganesan, thanks for your right answer.

regards,

Vikas Thorat.