HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

/etc/passwd file deleted automatically

 
SOLVED
Go to solution
josinjosek
Advisor

/etc/passwd file deleted automatically

Hi,

my /etc/passwd file automatically deleted. Could you please help me to find out the reason for that.

Regards,
Josin.
9 REPLIES
Horia Chirculescu
Honored Contributor

Re: /etc/passwd file deleted automatically

"automatically deleted"?!

Are you sure that you are not under some kind of attack? Is this server part of some secure network? Maybe someone has gained access to your system.

Anyway, you should be able to restore that file from backup if you still have access to the system.

Best regards from Romania,
Horia Chirculescu
Best regards from Romania,
Horia.
Kanagaraj
Regular Advisor

Re: /etc/passwd file deleted automatically

/etc/passwd file deleted ?? The server is in very dangerous zone.

First block root direct login remotely and change root password of the server.

use ssh login and also check the root previleged users. (given sudo permissions).

Try to restore the /etc/passwd file and check the /var/adm/syslog/syslog.log file.You will get logs.
Solution

Re: /etc/passwd file deleted automatically

>my /etc/passwd file automatically deleted.

("Automatically" has the wrong English connotation here, perhaps "unexpectedly" is better.)

Did you run of of space in /tmp/ recently? Were you using vipw(1m)?
Has it occurred more than once?
josinjosek
Advisor

Re: /etc/passwd file deleted automatically

HI ,

Thanks for your support. I copied the passwd file from the backup, server is up and working fine.Is there any method to find out how its deleted ?
TTr
Honored Contributor

Re: /etc/passwd file deleted automatically

You did not answer the question above if /tmp filled up while the /etc/passwd file was being edited by vipw. Other than that explanation, the passwd file may have been deleted by mistake by the root user. If you have enabled the command history look in the history file (/.sh_history). Otherwise you can not find out how it got deleted unless you have system accounting enabled (in most cases system accounting is not running)
Hakki Aydin Ucar
Honored Contributor

Re: /etc/passwd file deleted automatically

Probably there are lots of methods to find, but in native HP UX it is not easy, what I remember is that Host IDS of HP-UX intrusion detection tool, it is free of charge and very good tool to establish what is going on your system files who is tampering them ?

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

the second alternative very simple ,I use nowadays ,a perl script somebody wrote to Watching Files for Changes but it only gets timestamp for changed file that you monitor not user or reason data:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1377980
Steven E. Protter
Exalted Contributor

Re: /etc/passwd file deleted automatically

Shalom Josin,

Only one user, root, numeric user id zero can delete /etc/passwd

Things to check.

root keyboard log. In root home directory .sh_history

scripts in cron schedule
crontab -l
# check the scripts.

Do you have an Ignite backup of your system?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Roberto Arias
Valued Contributor

Re: /etc/passwd file deleted automatically

hello , my english is very bad, I write in spanish ( my apologies)

Si editas el /etc/passwd sin vipw el fichero no se bloquea por lo que si el / o el /tmp estan el 100% o lo alcanzan en ese momento , o desde otra sesion de root se edita el /etc/passwd , te puede dejar el fichero vacio.

si editas el /etc/passwd con vipw , se bloquea contra escritura hasta que se termine la primera sesion de vipw.

conclusion: The /etc/passwd file must be edited with vipw in all cases , never edit this file with vi (man vipw)
best regards
The man is your friend
Kapil Jha
Honored Contributor

Re: /etc/passwd file deleted automatically

hahahahah I am sorry for that :)

its better if u can use google language converter it would have helped.
----------
Usted tiene razón hay que tener cuidado de modificar el archivo passwd con vipw, pero la pregunta es por eso que usted necesita para editarlo.

Y si todavía creo que se ha eliminado accedently, usted tiene que cavar más por qué sucedió.

BR,
Kapil +
-----------

I know lil spanish :).No points for this please.
I am in this small bowl, I wane see the real world......