Hello LUG,
I am running RH7.1 on i686. The computer boots properly but when I type any user name the login interface seems to hang up and never asks for the password. When I telnet from another computer I see:
Red Hat Linux release 7.1 (Seawolf) Kernel 2.4.7.10 on an i686
and the login prompt never appears.
Please help me out.
kamal matta
Hi,
Can you just boot your PC in single user mode and check the logs to see what exactly the error is?
At the lilo prompt type 'linux 1' to go into single user mode. This will not ask for login and will directly give you a shell. Then visit the logs and find out what the error is.
BTW, is this your standard RH7.1 that is loaded, or have you made some changes?
Do write back.. --Tapesh
=====
It doesn't make a difference what temperature a room is, it's always room temperature.
--Steven Wright
Ya, I am able to do linux single, but since my machine's syslog has not been working for a few days I can't check the logs. It's the standard RH7.1; no changes done. Can you tell me what things are responsible for giving login prompts? Since I am unable to log in I can't check anything.
km
----- Original Message ----- From: "Tapeshwar Nath" gtapeshwar@yahoo.com To: linuxers@mm.ilug-bom.org.in Sent: Thursday, March 06, 2003 9:43 AM Subject: Re: [ILUG-BOM] Login Problem Please help
- LUG meet - 4:00 pm 9th March, 2003 @ Ruparel College, Matunga (W). *
Hi,
It seems like your machine has been hacked and has been played around with. Can you check what glibc version you are using and whether it has been changed, and whether your mingetty has been tampered with? Also check where your /bin/sh points to.
There is also standard software with which you can check your system integrity. Try a Google search.
You can do all this in single user mode, except the Google search... :d
do write back what happened...
--Tapesh
Thanks Mr Nath, but how would this have been done? It seems I don't have a choice but to reinstall and set up again. Is it possible to reinstall the damaged area, as reinstalling and setting up again will be a big problem for me? I am using this server for NAT/RAS/DNS/DHCP/PROXY/WEB services. I am using ipchains and have set masq on the ppp and eth1 ports to allow this box to be used as a gateway by some users, as the rest use proxy settings.
Only recently we have started using cable internet and got one IP. Could this have helped the hackers? Earlier we were using dialup connectivity. If possible, please help me and tell me what precautions I should take to keep away the hackers.
I will let you know what you have asked, as right now my system is in use by users, since everything else is working except login, and to see all the details I have to boot it to linux single.
thanks km
----- Original Message ----- From: "Tapeshwar Nath" gtapeshwar@yahoo.com To: linuxers@mm.ilug-bom.org.in Sent: Thursday, March 06, 2003 4:27 PM Subject: Re: [ILUG-BOM] Login Problem Please help
On Thu, 6 Mar 2003, Kamal Matta wrote:
> Thanks Mr Nath, but how would this have been done? It seems I don't have a choice but to reinstall and set up again.
Yes, _if_ your system has really been cracked, it is advised to install the system from scratch again. So first figure that out. From your description of the problem, if syslog is not working as it should, you may have a real problem at hand. So check first why it is not working. If you determine that your system has really been cracked, then everything below applies. ;)
> Is it possible to reinstall the damaged area, as reinstalling and setting up again will be a big problem for me?
Pain it will be, but to your advantage only. Many crackers will employ different tricks to re-establish control of a cracked system, which includes putting all sorts of trojan software on the system. Searching for each one requires enough knowledge of the system, and even then you cannot completely guarantee that all security holes have been plugged on your system. So install from scratch and *** apply all the security updates released by RedHat ***. For this go to http://www.redhat.com/errata.
> I am using this server for NAT/RAS/DNS/DHCP/PROXY/WEB services. I am using ipchains and have set masq on the ppp and eth1 ports to allow this box to be used as a gateway by some users, as the rest use proxy settings.
You might want to boot in single user mode and note down all the configuration changes for your servers. The same can then be applied to the new and patched installation. See the security FAQs / HOWTOs for each of the servers you use, and check if your settings are opening any obvious security holes.
For a good introduction to configuring security under Linux see this HOWTO, http://www.tldp.org/HOWTO/Security-HOWTO/index.html
> Only recently we have started using cable internet and got one IP. Could this have helped the hackers? Earlier we were using dialup connectivity. If possible, please help me and tell me what precautions I should take to keep away the hackers.
A static IP only means that the intruder has more time to play around with a cracked machine. It is not that you will be safe on a dialup line, only that the chances of successful compromise are slightly less. Hence the least you can do is to keep your system updated with security patches.
> I will let you know what you have asked, as right now my system is in use by users, since everything else is working except login, and to see all the details I have to boot it to linux single.
The sooner the better; you don't want intruders running inside your LAN systems, do you?
----- Original Message ----- From: "Tapeshwar Nath" gtapeshwar@yahoo.com To: linuxers@mm.ilug-bom.org.in Sent: Thursday, March 06, 2003 4:27 PM Subject: Re: [ILUG-BOM] Login Problem Please help
[snip]
> It seems like your machine has been hacked and has been played around with. Can you check what glibc version you are using and whether it has been changed, and whether your mingetty has been tampered with? Also check where your /bin/sh points to.
> There is also standard software with which you can check your system integrity. Try a Google search.
Here is a good one to find trojans and rootkits, http://www.chkrootkit.org/
[snip]
HTH, Rajesh
Thanks for the realistic advice.
I will definitely go through the links you have given, but if possible can you tell me what basic security I should apply to my system before going online, as reading the articles and then implementing would be a bit of a lengthy job.
Anyway, thanks all for helping.
km
----- Original Message ----- From: "Rajesh Deo" rajeshdeo@earthlink.net To: linuxers@mm.ilug-bom.org.in Sent: Thursday, March 06, 2003 9:24 PM Subject: Re: [ILUG-BOM] Login Problem Please help
On Fri, 7 Mar 2003, postmaster wrote:
> I will definitely go through the links you have given, but if possible can you tell me what basic security I should apply to my system before going online, as reading the articles and then implementing would be a bit of a lengthy job.
This assumes you have a freshly installed system.
0. /etc/init.d/network stop
1. Use the chkconfig utility and shut off services you don't use. Example:
   chkconfig --level 2345 portmap off
   For more, see "man chkconfig". Configure services in xinetd/inetd, whichever is the one you use. chkconfig can also be used to start and switch off xinetd services.
2. Configure tcp-wrappers: man hosts_access
3. Configure your firewall rules. Make sure it is enabled etc.
4. /etc/init.d/ip<chains|tables> start; /etc/init.d/network start;
3. Go to updates.redhat.com/<your-redhat-release>/en/os/i386/ and get *.rpms. Do a "rpm -Fvh `ls *.rpm | grep -v ^kernel`" from the directory where you downloaded rpms as root. Else if you have a up2date/RHN service use that.
4. Reboot if required or you choose to update your kernel also.
This is the minimum basic stuff you can do. But since you run a lot of services there will be other things that you must do, and for that you must _read_ the links given in the previous mail. For a quick hardening of your server you might want to run the famous bastille script, which will take care of most of the above stuff as well as more detailed things; get it here: http://www.bastille-linux.org/. But read what bastille tells you as it hardens your machine; that way you can opt out of certain things that will be a hindrance to your regular use of the machine as a server. Run bastille after you have done updates and configured the machine for various servers. Finally sit back and *read* that HOWTO; it will be useful.
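One way to check the result of step 1 in the list above, as an added example that is not part of the original mail: the function reads `chkconfig --list` output and reports anything still enabled that is not on an allowlist. The allowlist contents and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): flag services that are still enabled
# after the chkconfig pass. Reads `chkconfig --list` output on stdin.

# Constructed sample of `chkconfig --list` output, for trying the function
# without a Red Hat system at hand.
sample_chkconfig_list() {
    printf 'syslog\t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off\n'
    printf 'portmap\t0:off\t1:off\t2:off\t3:on\t4:on\t5:on\t6:off\n'
    printf 'nfs\t0:off\t1:off\t2:off\t3:off\t4:off\t5:off\t6:off\n'
    printf 'xinetd\t0:off\t1:off\t2:off\t3:on\t4:on\t5:on\t6:off\n'
    printf 'xinetd based services:\n'
    printf '\ttelnet:\ton\n'
    printf '\tchargen:\toff\n'
}

# unexpected_services "ALLOWED NAMES"
# Prints every service that is on in runlevel 2, 3, 4 or 5 (the levels used
# in the chkconfig example above) or enabled under xinetd, and whose name is
# not in the space-separated allowlist. xinetd entries are prefixed "xinetd/".
unexpected_services() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^xinetd based services:/ { in_xinetd = 1; next }
        in_xinetd {
            # Lines look like "<tab>telnet:<tab>on"
            name = $1; sub(/:$/, "", name)
            if ($2 == "on" && !(name in ok)) print "xinetd/" name
            next
        }
        NF == 8 {
            # Fields 4..7 hold runlevels 2..5, e.g. "3:on"
            on = 0
            for (i = 4; i <= 7; i++) if ($i ~ /:on$/) on = 1
            if (on && !($1 in ok)) print $1
        }
    '
}

# On the real system:
#   chkconfig --list | unexpected_services "syslog network xinetd"
```

An empty result means every enabled service is one you listed on purpose; anything printed is a candidate for "chkconfig ... off".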
On 06/03/03 17:29 +0530, Kamal Matta wrote:
> Thanks Mr Nath, but how would this have been done? It seems I don't have a choice but to reinstall and set up again. Is it possible to reinstall the damaged area, as reinstalling and setting up again will be a big problem for me?
It is possible to do this, if you trust a compromised machine. I never do. For all you know, there is a kernel module in there somewhere. As to how, you need to do forensics on that system. That will cost money, and really isn't worth doing unless you have the academic interest or are sending the lawyers after that cracker.
> I am using this server for NAT/RAS/DNS/DHCP/PROXY/WEB services. I am using ipchains and have set masq on the ppp and eth1 ports to allow this box to be used as a gateway by some users, as the rest use proxy settings.
Overloaded with services. Have you ever applied any patches to this box?
> Only recently we have started using cable internet and got one IP. Could this have helped the hackers? Earlier we were using dialup connectivity. If possible, please help me and tell me what precautions I should take to keep away the hackers.
Patch, patch, patch. Read bugtraq religiously. Plenty of documentation available online too.
> I will let you know what you have asked, as right now my system is in use by users, since everything else is working except login, and to see all the details I have to boot it to linux single.
Rebuild, boot into single user mode, patch up to date, limit working services, write firewall script, set up remote logging, bring box online. Stay alert for vulnerability bulletins and updates.
Devdas Bhagat
On Thu, 6 Mar 2003, Tapeshwar Nath wrote:
> It seems like your machine has been hacked ... and has
Please don't say hacked when what you really mean is cracked. It is really disheartening for hackers around the world.
Philip
check out and compare the contents and size of /etc/pam.d/login, /bin/login and related files with files in some other installation.
Anil
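The comparison suggested in the message above, as an added example that is not part of the original thread: it records type, size and checksum (or symlink target) for the login-related files named in this thread and lists the ones that differ between a known-good installation and the suspect one. Assumptions: both trees are given as root prefixes (hypothetical mount points) so the script can run from rescue media rather than with the suspect system's own tools, sha256sum and readlink are available there, and mingetty lives at /sbin/mingetty.

```sh
#!/bin/sh
# Added example (not from the thread): compare login-related files on a
# suspect disk against a known-good installation of the same release.

# Files named in the thread, plus mingetty at its assumed Red Hat path.
LOGIN_FILES="/bin/login /etc/pam.d/login /sbin/mingetty /bin/sh"

# manifest ROOT [FILE...]
# One line per file: path|type|size|sha256-or-link-target
manifest() {
    root=$1; shift
    [ $# -gt 0 ] || set -- $LOGIN_FILES
    for f in "$@"; do
        p="$root$f"
        if [ -L "$p" ]; then
            # Record where the link points instead of following it,
            # which answers "where does /bin/sh point to".
            printf '%s|link|-|%s\n' "$f" "$(readlink "$p")"
        elif [ -f "$p" ]; then
            size=$(wc -c < "$p" | tr -d ' ')
            sum=$(sha256sum < "$p" | cut -d' ' -f1)
            printf '%s|file|%s|%s\n' "$f" "$size" "$sum"
        else
            printf '%s|missing|-|-\n' "$f"
        fi
    done
}

# compare_roots GOOD_ROOT SUSPECT_ROOT [FILE...]
# Prints the paths whose manifest lines differ; returns 1 if any differ.
compare_roots() {
    good=$1; suspect=$2; shift 2
    g=$(manifest "$good" "$@")
    s=$(manifest "$suspect" "$@")
    # Lines present in only one manifest mark a changed, added or missing file.
    changed=$(printf '%s\n%s\n' "$g" "$s" | sort | uniq -u | cut -d'|' -f1 | sort -u)
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Example call, with hypothetical mount points:
#   compare_roots /mnt/good /mnt/suspect
```

A file of unchanged size but different checksum still shows up, which a size-only comparison would miss.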