HPE Community
Operating System - HP-UX
1829136 Members
2860 Online
109986 Solutions
New Discussion

/etc/passwd file deleted automatically

 
SOLVED
Go to solution
josinjosek
Advisor

‎10-15-2009 01:19 AM

‎10-15-2009 01:19 AM

/etc/passwd file deleted automatically

Hi,

my /etc/passwd file automatically deleted. Could you please help me to find out the reason for that.

Regards,
Josin.
0 Kudos
Reply
9 REPLIES 9
Horia Chirculescu
Honored Contributor

‎10-15-2009 01:28 AM

‎10-15-2009 01:28 AM

Re: /etc/passwd file deleted automatically

"automatically deleted"?!

Are you sure that you are not under some kind of attack? Is this server part of some secure network? Maybe someone has gained access to your system.

Anyway, you should be able to restore that file from backup if you still have access to the system.

Best regards from Romania,
Horia Chirculescu
Best regards from Romania,
Horia.
0 Kudos
Reply
Kanagaraj
Regular Advisor

‎10-15-2009 01:37 AM

‎10-15-2009 01:37 AM

Re: /etc/passwd file deleted automatically

/etc/passwd file deleted ?? The server is in very dangerous zone.

First block root direct login remotely and change root password of the server.

use ssh login and also check the root previleged users. (given sudo permissions).

Try to restore the /etc/passwd file and check the /var/adm/syslog/syslog.log file.You will get logs.
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎10-15-2009 02:00 AM

‎10-15-2009 02:00 AM

Solution

Re: /etc/passwd file deleted automatically

>my /etc/passwd file automatically deleted.

("Automatically" has the wrong English connotation here, perhaps "unexpectedly" is better.)

Did you run of of space in /tmp/ recently? Were you using vipw(1m)?
Has it occurred more than once?
Reply
josinjosek
Advisor

‎10-16-2009 03:40 AM

‎10-16-2009 03:40 AM

Re: /etc/passwd file deleted automatically

HI ,

Thanks for your support. I copied the passwd file from the backup, server is up and working fine.Is there any method to find out how its deleted ?
0 Kudos
Reply
TTr
Honored Contributor

‎10-16-2009 04:04 AM

‎10-16-2009 04:04 AM

Re: /etc/passwd file deleted automatically

You did not answer the question above if /tmp filled up while the /etc/passwd file was being edited by vipw. Other than that explanation, the passwd file may have been deleted by mistake by the root user. If you have enabled the command history look in the history file (/.sh_history). Otherwise you can not find out how it got deleted unless you have system accounting enabled (in most cases system accounting is not running)
0 Kudos
Reply
Hakki Aydin Ucar
Honored Contributor

‎10-16-2009 04:15 AM

‎10-16-2009 04:15 AM

Re: /etc/passwd file deleted automatically

Probably there are lots of methods to find, but in native HP UX it is not easy, what I remember is that Host IDS of HP-UX intrusion detection tool, it is free of charge and very good tool to establish what is going on your system files who is tampering them ?

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

the second alternative very simple ,I use nowadays ,a perl script somebody wrote to Watching Files for Changes but it only gets timestamp for changed file that you monitor not user or reason data:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1377980
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎10-16-2009 04:28 AM

‎10-16-2009 04:28 AM

Re: /etc/passwd file deleted automatically

Shalom Josin,

Only one user, root, numeric user id zero can delete /etc/passwd

Things to check.

root keyboard log. In root home directory .sh_history

scripts in cron schedule
crontab -l
# check the scripts.

Do you have an Ignite backup of your system?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Roberto Arias
Valued Contributor

‎10-20-2009 04:50 AM

‎10-20-2009 04:50 AM

Re: /etc/passwd file deleted automatically

hello , my english is very bad, I write in spanish ( my apologies)

Si editas el /etc/passwd sin vipw el fichero no se bloquea por lo que si el / o el /tmp estan el 100% o lo alcanzan en ese momento , o desde otra sesion de root se edita el /etc/passwd , te puede dejar el fichero vacio.

si editas el /etc/passwd con vipw , se bloquea contra escritura hasta que se termine la primera sesion de vipw.

conclusion: The /etc/passwd file must be edited with vipw in all cases , never edit this file with vi (man vipw)
best regards
The man is your friend
0 Kudos
Reply
Kapil Jha
Honored Contributor

‎10-20-2009 05:02 AM

‎10-20-2009 05:02 AM

Re: /etc/passwd file deleted automatically

hahahahah I am sorry for that :)

its better if u can use google language converter it would have helped.
----------
Usted tiene razón hay que tener cuidado de modificar el archivo passwd con vipw, pero la pregunta es por eso que usted necesita para editarlo.

Y si todavía creo que se ha eliminado accedently, usted tiene que cavar más por qué sucedió.

BR,
Kapil +
-----------

I know lil spanish :).No points for this please.
I am in this small bowl, I wane see the real world......
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.