[2736] in linux-scsi channel archive
Re: Hacked
daemon@ATHENA.MIT.EDU (Andy Poling)
Mon Nov 3 01:44:20 1997
Date: Mon, 3 Nov 1997 01:42:01 -0500 (EST)
From: Andy Poling <andy@globalauctions.com>
To: torch@cybat.sequel.net
cc: linux-scsi@vger.rutgers.edu
In-Reply-To: <Pine.BSI.3.91.971103135555.1242A-100000@bc.cybat.sequel.net>
On Mon, 3 Nov 1997 torch@cybat.sequel.net wrote:
> I just need to break into the system and I can change or update
> all my configuration again.. But how can I get through using my boot/root
> disk?
Oh - sorry... I assumed you were already past that point, and it was a more
general question.
The following is from memory (forgotten root passwd - similar problem) so it
may not work literally, but it should give you some idea how to go about
it...
Once the system is booted from the floppies, log in as "root". Don't run
"setup" like it says to!
Make a directory upon which to mount your root partition (like /root) and
then mount it there.
Now comes the gruesome part. You don't have any groovy editors or tools,
and you cannot run them off of your root partition because you also don't
have any shared libraries... so you can't easily edit the incorrect root
password out of the passwd file.
How I would do it (this is tremendously simplified):
1) cp /root/etc/passwd /root/etc/passwd.bak (or cp /root/etc/shadow instead
if you have shadow passwords)
2) cp /etc/passwd /root/etc/passwd (this assumes the passwd file on the
floppy/ramdisk root is sufficient - I _think_ it is)
3) umount /root
4) remove the floppy or floppies and ctrl-alt-del to reboot
5) boot single user. When LILO comes up, add the "single" parameter to boot
the kernel into single-user mode. This keeps networking from starting so
the naughty person cannot get in to cause further trouble. Unplugging the
network cable is also a good idea...
6) cp /etc/passwd.bak /etc/passwd (or /etc/shadow if appropriate)
7) assign root a new passwd - one of _your_ choosing this time. :-)
8) while you're in single-user mode, do whatever you feel appropriate to
determine what else the cracker (they were a cracker - not a hacker) may
have done.
9) ctrl-alt-del to reboot into multi-user mode. Plug back in the network
cable if you unplugged it above.
Good luck! I've been there (cracked system) before. It's a royal PITA...
-Andy
Global Auctions
http://www.globalauctions.com
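The passwd/shadow swap from Andy's steps 1-2 and 6, written out as an added example (not part of the original message) as two functions over a mount prefix, so the procedure can be rehearsed on a scratch directory before touching a real root partition. It assumes, as Andy does, that the rescue system's own /etc/passwd (and /etc/shadow, if it has one) is usable.

```shell
#!/bin/sh
# Added example, not code from the original post. Handles the shadow case and
# refuses to overwrite an existing backup so a second run cannot destroy the
# originals. Run as root on the rescue system (the prefix is the mount point).

# swap_auth_files <rescue_etc> <mounted_root>
# Steps 1-2: back up the mounted root's passwd (and shadow, if present) as
# *.bak and replace them with the rescue system's copies.
swap_auth_files() {
    rescue_etc="$1"
    root="$2"
    for f in passwd shadow; do
        [ -f "$root/etc/$f" ] || continue          # no shadow file: skip it
        if [ -e "$root/etc/$f.bak" ]; then
            echo "refusing: $root/etc/$f.bak already exists" >&2
            return 1
        fi
        cp -p "$root/etc/$f" "$root/etc/$f.bak" || return 1
        if [ -f "$rescue_etc/$f" ]; then
            cp "$rescue_etc/$f" "$root/etc/$f" || return 1
        fi
    done
}

# restore_auth_files <root_prefix>
# Step 6, run from single-user mode (prefix "" for the live system): put the
# backed-up originals back, then confirm root's entry is still present.
# Set a new root password afterwards, as in step 7.
restore_auth_files() {
    root="$1"
    for f in passwd shadow; do
        [ -f "$root/etc/$f.bak" ] || continue
        cp -p "$root/etc/$f.bak" "$root/etc/$f" || return 1
    done
    grep -q '^root:' "$root/etc/passwd"
}
```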