[2738] in linux-scsi channel archive
Re: Hacked
daemon@ATHENA.MIT.EDU (torch@cybat.sequel.net)
Mon Nov 3 02:15:26 1997
Date: Mon, 3 Nov 1997 14:48:50 +0800 (PST)
From: torch@cybat.sequel.net
To: Andy Poling <andy@globalauctions.com>
cc: linux-scsi@vger.rutgers.edu
In-Reply-To: <Pine.LNX.3.96.971103012339.11348C-100000@roadrunner.realbig.com>
Andy,
After the command mkdir root... how can I mount?
TBONES
On Mon, 3 Nov 1997, Andy Poling wrote:
> On Mon, 3 Nov 1997 torch@cybat.sequel.net wrote:
> > I just need to break into the system and I can change or update
> > all my configuration again.. But how can I get through using my boot/root
> > disk?
>
> Oh - sorry... I assumed you were already past that point, and it was a more
> general question.
>
> The following is from memory (forgotten root passwd - similar problem) so it
> may not work literally, but it should give you some idea how to go about
> it...
>
> Once the system is booted from the floppies, log in as "root". Don't run
> "setup" like it says to!
>
> Make a directory upon which to mount your root partition (like /root) and
> then mount it there.
>
> Now comes the gruesome part. You don't have any groovy editors or tools,
> and you cannot run them off of your root partition because you also don't
> have any shared libraries... so you can't easily edit the incorrect root
> password out of the passwd file.
>
> How I would do it (this is tremendously simplified):
>
> 1) cp /root/etc/passwd /root/etc/passwd.bak (or cp /root/etc/shadow instead
> if you have shadow passwords)
>
> 2) cp /etc/passwd /root/etc/passwd (this assumes the passwd file on the
> floppy/ramdisk root is sufficient - I _think_ it is)
>
> 3) umount /root
>
> 4) remove the floppy or floppies and ctrl-alt-del to reboot
>
> 5) boot single user. When LILO comes up, add the "single" parameter to boot
> the kernel into single-user mode. This keeps networking from starting so
> the naughty person cannot get in to cause further trouble. Unplugging the
> network cable is also a good idea...
>
> 6) cp /etc/passwd.bak /etc/passwd (or /etc/shadow if appropriate)
>
> 7) assign root a new passwd - one of _your_ choosing this time. :-)
>
> 8) while you're in single-user mode, do whatever you feel appropriate to
> determine what else the cracker (they were a cracker - not a hacker) may
> have done.
>
> 9) ctrl-alt-del to reboot into multi-user mode. Plug back in the network
> cable if you unplugged it above.
>
> Good luck! I've been there (cracked system) before. It's a royal PITA...
>
> -Andy
>
> Global Auctions
> http://www.globalauctions.com
>
>
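
The passwd.bak restored in step 6 is a copy of the file as the intruder left it, so it is worth checking as part of step 8. The script below is an added example, not part of the original thread; the function names, finding labels and sample entries are constructed, and it assumes the traditional seven-field /etc/passwd format.

```shell
#!/bin/sh
# Added example (not from the original thread): review a saved passwd file,
# such as the passwd.bak made in step 1, before relying on it after step 6.
# Findings, one per line:
#   UID0:<name>    account other than root with numeric uid 0
#   NOPASS:<name>  empty password field (login without a password)
#   DUPUID:<name>  uid already used by an earlier entry
#   BADLINE:<n>    line n lacks 7 fields or has a non-numeric uid
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ { next }                       # skip blank lines
        NF != 7 || $3 !~ /^[0-9]+$/ { print "BADLINE:" NR; next }
        {
            uid = $3 + 0                          # "00" is still uid 0
            if (uid == 0 && $1 != "root") print "UID0:" $1
            if ($2 == "")                 print "NOPASS:" $1
            if (uid in seen)              print "DUPUID:" $1
            seen[uid] = 1
        }
    ' "$1"
}

# Constructed sample standing in for /etc/passwd.bak; every entry is made up.
sample_passwd() {
    cat <<'EOF'
root:Xq3fakehash00:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
operator2::00:0:extra:/:/bin/sh
ftp:*:14:50:FTP:/home/ftp:
guest::405:100:guest:/dev/null:/dev/null
broken-entry-without-fields
EOF
}

# Run with --demo to audit the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_passwd > "$tmp" && audit_passwd "$tmp"
    rm -f "$tmp"
fi
```

On a real system the call would be `audit_passwd /etc/passwd.bak` from single-user mode; any UID0 or NOPASS finding is an entry to remove or lock before going back to multi-user mode.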