Hi Guys,
I had one of my Red Hat Linux 6.2 boxes configured with a live IP address. For experimental purposes, we disabled all services like ftp/telnet/finger etc. with host.allow and host.deny, allowing only one machine from our internal network to access it using ssh. The only service which was enabled was http on the external interface. There are no other services like ftp/lpd/nfs running on it. All the users/groups like games/shutdown/operator etc. have been deleted. We have changed the permissions using chattr for the inet/init conf files too.
The box did NOT run any firewall etc. The next day what we found was, it would NOT allow us to login at all. At the login prompt, when one tried to login as any user or even "su", it would just jump back to the login prompt. We rebooted the machine in single user mode and found that no passwd/shadow files were tampered with.
Could I get some hint as to which are the likely files which I could look into which could cause this problem? This would help us further in the penetration test which we are conducting.
Thanks and Regards
Jaishankar
Hi,
The box did NOT run any firewall etc. The next day what we found was, it would NOT allow us to login at all. At the login prompt, when one tried to login as any user or even "su", it would just jump back to the login prompt. We rebooted the machine in single user mode and found that no passwd/shadow files were tampered with.
[snip] Are you being prompted for the password? Anyways, you'll have to do a 'rescue' here to log in. Do that using your distro CD or a boot floppy if you have one.
Once you've logged in, check if you have a file called '/etc/nologin'. If it exists, delete it... that doesn't allow logins if it exists.
If it doesn't, check your 'syslog' to see about the failed login attempts. Maybe you get something there.
ciao
abhijeet
On 19 Jul 2002, Jaishankar Krishnan Iyer wrote:
The box did NOT run any firewall etc. The next day what we found was, it would NOT allow us to login at all. At the login prompt, when one tried to login as any user or even "su", it would just jump back to the login prompt.
Did you try to login as su or as root?
Could I get some hint as to which are the likely files which I could look into which could cause this problem? This would help us further in the penetration test which we are conducting.
Have a look at your pam.d/* files. Also, by removing some groups, you may have disabled logins. You'll have to experiment to find out.
Hey, I think your init process is getting respawned. Hmm, well, the reason may be your /etc/passwd file might have got corrupted. You can go in single user mode and copy /etc/passwd.Old to /etc/passwd and then I think it should allow you to login. Let me know if this worked.
Tapesh
.......................................ENJOY LINUX..................
Philip S Tellis wrote:
On 19 Jul 2002, Jaishankar Krishnan Iyer wrote:
The box did NOT run any firewall etc. The next day what we found was, it would NOT allow us to login at all. At the login prompt , when one tried to login as any user or even "su" it would just jump back to login prompt.
did you try to login as su or as root?
Could i get some hint as to which are the likely files which i could look into which could cause this problem. This would help us further in the penetration test which we are conducting.
have a look at your pam.d/* files. also, by removing some groups, you may have disabled logins. You'll have to experiment to find out.
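The checks suggested in the replies above (/etc/nologin, a damaged /etc/passwd, deleted groups, the pam.d files), collected into one script as an added example that is not part of the original thread. The function name, the default mount point /mnt/sysimage and the PAM module directories it searches are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Run it from rescue or single user mode
# against the mounted root of the affected box; the default path is assumed.
check_login_blockers() {
    root=${1:-/mnt/sysimage}
    # 1. /etc/nologin refuses non-root logins for as long as it exists.
    if [ -e "$root/etc/nologin" ]; then echo "NOLOGIN: /etc/nologin exists"; fi
    # 2. Damaged passwd file: every entry needs exactly 7 ':' separated fields.
    if [ ! -r "$root/etc/passwd" ]; then echo "PASSWD: missing"; return 0; fi
    awk -F: 'NF != 7 { print "PASSWD: line " NR " has " NF " fields" }' "$root/etc/passwd"
    # 3. Accounts whose primary GID is no longer present in /etc/group.
    awk -F: -v grp="$root/etc/group" '
        BEGIN { while ((getline l < grp) > 0) { split(l, g, ":"); gid[g[3]] = 1 } }
        NF == 7 && !($4 in gid) { print "GROUP: " $1 " has unknown gid " $4 }
    ' "$root/etc/passwd"
    # 4. Login shells that are missing or not executable.
    awk -F: 'NF == 7 && $7 != "" { print $1 ":" $7 }' "$root/etc/passwd" |
    while IFS=: read -r user shell; do
        if [ ! -x "$root$shell" ]; then echo "SHELL: $user -> $shell"; fi
    done
    # 5. PAM modules named in /etc/pam.d/* that are not on disk.
    for f in "$root"/etc/pam.d/*; do
        if [ ! -f "$f" ]; then continue; fi
        rel=${f#"$root"}
        awk '!/^[ \t]*#/ { for (i = 1; i <= NF; i++)
                 if ($i ~ /\.so$/) { print $i; break } }' "$f" | sort -u |
        while read -r mod; do
            case $mod in
                /*) cands=$mod ;;
                *)  cands="/lib/security/$mod /lib64/security/$mod /usr/lib/security/$mod" ;;
            esac
            found=no
            for c in $cands; do
                if [ -e "$root$c" ]; then found=yes; fi
            done
            if [ "$found" = no ]; then echo "PAM: $rel -> $mod"; fi
        done
    done
    return 0
}

if [ "$#" -gt 0 ]; then check_login_blockers "$1"; fi
```

Each finding is printed as one tagged line, so an empty result means none of these five causes applies and the syslog entries for the failed logins are the next place to look.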