03-14-2005 03:26 AM
Server compromised
Logged in as root and received an intruder alert at the prompt, and root seems to have lost a lot of its permissions.
whoami for any user brings up this intruder alert userid.
The userid isn't in the passwd file and root's .profile has not been changed.
I've taken the server off the LAN and checked the syslog and sulog but there is nothing of any use in there (this is an untrusted v11 system).
Any ideas on where I start on this?
Cheers
George
03-14-2005 03:33 AM
Re: Server compromised
/etc/passwd permissions should be 444 (-r--r--r--), and if they are not you can see error messages similar to what you are seeing.
03-14-2005 03:34 AM
Re: Server compromised
Check the permissions of /etc and /etc/passwd, and the overall password file (i.e. copy it onto the system from a backup).
03-14-2005 03:35 AM
Re: Server compromised
Have a GOOD look at your /etc/passwd file.
From the symptoms, it sounds like it's either been deleted or nullified. At the very least, some users (including root) have been removed from it.
I assume you must have an old root session logged on since before this happened. Don't log off until you have recovered the passwd file.
Obviously, also check what other files may be missing/compromised.
Good luck
03-14-2005 03:52 AM
Re: Server compromised
03-14-2005 03:59 AM
Re: Server compromised
That can compress /etc/group or /etc/passwd to zero bytes.
It's also possible someone has been playing.
I'd recommend a thorough check of the system, including a scan for back doors.
A back door can be a copy of the shell with suid set on it. Consultants and miscreants commonly set such trapdoors so they can get in again in the future.
I'd also recommend a commercial program called tripwire.
It monitors binaries and configuration and can alert you of unauthorized changes. Hackers will often substitute their own programs for normal commands. Their programs will install back doors and do all kinds of bad things.
Finally, I'd get Bastille onto this system and harden it.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
03-14-2005 04:07 AM
Re: Server compromised
03-14-2005 05:24 AM
Re: Server compromised
Yeah, yeah, I know he should have used "vipw", but sometimes it's hard to protect against managers who insist on showing off their "vi skills". 8-)
03-14-2005 07:22 PM
Re: Server compromised
But I can't explain the root prompt change and the response from whoami for all users.
The exact prompt is
Intruder Alert.@servername
There is an old version of tripwire on this server, but I haven't read anything that says it would throw up an alert in this way.
With a bit of luck it may just be down to a duff script, but I'm using it as an excuse to move to a more secure setup.
Any ideas on the prompt issue?
Ta
George
03-14-2005 07:47 PM
Re: Server compromised
Document id: BH9104032020
http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000007949869
(ancient document, I know)
but it states that a system, under certain circumstances of changed file permissions, may display "Intruder alert" instead of the user's name. Perhaps the .profile could be responsible for the rest of the prompt.
regards,
John K.
03-14-2005 10:07 PM
Re: Server compromised
As soon as this is done, the kernel must spit out the intruder alert warning at the prompt.
I deleted the blank line and all is back to normal.
At least I learnt something new today :)
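An added example, not code from the thread, from HP or from any poster: a small POSIX sh audit that checks a passwd-format file for the causes the thread converges on (the blank line from the last post, a wrong file mode, a missing root entry) and for the extra uid-0 accounts and setuid shell copies SEP's post warns about. It assumes only sh, awk, ls and find; the sample passwd lines are constructed, and `check_passwd` and `list_setuid` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread or from HP). Assumes POSIX sh, awk, ls, find.

# check_passwd FILE : print findings, return 0 only if the file looks sane.
check_passwd() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "MISSING: $f"; return 2; }
    # /etc/passwd should be -r--r--r-- (444); parse ls, since HP-UX has no stat(1)
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-r--r--r--" ] || { echo "MODE $mode, expected -r--r--r--"; rc=1; }
    # Per-line checks: a blank line, or a line without 7 colon-separated fields,
    # is enough to stop whoami/id resolving names (the thread's "Intruder Alert"
    # symptom); a second uid-0 account is a classic back door.
    awk -F: '
        /^$/                    { printf("BLANK LINE at %d\n", NR); bad++; next }
        NF != 7                 { printf("MALFORMED line %d (%d fields)\n", NR, NF); bad++; next }
        $3 == 0 && $1 != "root" { printf("EXTRA UID 0 at line %d: %s\n", NR, $1); bad++ }
        $1 == "root"            { seenroot = 1 }
        END { if (!seenroot) { print "NO root ENTRY"; bad++ }; exit (bad > 0) }
    ' "$f" || rc=1
    return $rc
}

# list_setuid DIR : regular files with the setuid bit under DIR, one per line.
# Diff the output against a known-good baseline (what tripwire automates);
# a setuid copy of sh or ksh outside the system directories is the trapdoor
# SEP describes.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# Constructed sample: a passwd file containing the blank line from the last post.
sample=${TMPDIR:-/tmp}/passwd.sample.$$
printf 'root:*:0:3::/:/sbin/sh\n\ndaemon:*:1:5::/:/sbin/sh\n' > "$sample"
chmod 444 "$sample"
if check_passwd "$sample"; then echo "clean"; else echo "problems found"; fi
rm -f "$sample"
```

Run `check_passwd /etc/passwd` from the still-open root session; a non-zero exit with the offending line number tells you what to repair with vipw before logging out.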