Hello Anindya,

The only surefire way of recovering from this is to rebuild the machines from scratch. He could have installed several backdoors into the system and no matter how many you find (if any) there will almost certainly be more. In fact, replacing netstat, ps etc with modified binaries which are standard with "root-kits" he pretty much guarantees that you will not even be able to see the process(es) that he installed that listen on some other port for incoming connections.

So... if I were in your place, I would most certainly rebuild from scratch.

And oh... use a LILO password. All you need to add are two lines:

    password=<password>
    restricted

to the LILO global config section in /etc/lilo.conf. The restricted keyword will allow normal boot but will prompt you for the password specified if you attempt to pass lilo any parameters at bootup.

Be sure to run lilo after making changes to /etc/lilo.conf, also since the password is in clear text, make sure lilo.conf is not readable by anyone except root.

    chmod 600 /etc/lilo.conf

Regards,
Ahsan Ali

On Thu, 1 Jul 2004 10:34:25 +0530, Anindya Mozumdar <anindya@xxxxxxxxx> wrote:
>
> Hi,
> The following problem may be trivial to some of you, however my
> knowledge of linux is limited, and I don't understand how can it be
> done.
> In our institute, we use Debian Linux, and the boot loader is lilo.
> For those machines where the lilo password is not set, ANY ONE can
> get a root shell by simply interrupting the boot process and typing
> linux init=/bin/sh in the boot prompt.
> One of my friends obtained a root shell in this manner, and has
> either made some changes, or set up some program, by which he can
> become root any time, without actually knowing the root password,
> which is known only to our system administrator. What may be the
> possible things he has done to set up his program, and how can it be
> reversed ?
> Thanks in advance.
> Anindya Mozumdar.
> -
> : send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
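
The following is an added example, not part of the original messages: a shell audit for the lilo.conf settings recommended in the reply above (a password in the global section, and a file no one but its owner can read). The function names are hypothetical. It assumes lowercase keywords, inspects only the global section (everything before the first image= or other= line), and relies on LILO's documented default that password= without restricted prompts on every boot.

```shell
#!/bin/sh
# Added example: audit a lilo.conf for a global boot password and safe permissions.
# Usage (as root, after sourcing this file): audit_lilo_conf /etc/lilo.conf

# Print the global section (everything before the first image=/other= line),
# with comments and blank lines removed.
lilo_global_section() {
    awk '{ sub(/#.*/, "") }
         /^[ \t]*(image|other)[ \t]*=/ { exit }
         NF { print }' "$1"
}

# Print the boot-prompt policy of the global section:
#   none        no password= line: anyone can pass init=/bin/sh at the prompt
#   restricted  password asked only when parameters are given at the prompt
#   every-boot  password= without restricted: asked on every boot
lilo_prompt_policy() {
    globals=$(lilo_global_section "$1")
    if ! printf '%s\n' "$globals" |
            grep -Eq '^[[:space:]]*password[[:space:]]*=[[:space:]]*[^[:space:]]'; then
        echo none
    elif printf '%s\n' "$globals" | grep -Eq '^[[:space:]]*restricted[[:space:]]*$'; then
        echo restricted
    else
        echo every-boot
    fi
}

# Return 0 only if the file has a global password and is private to its owner.
# $2 is the expected owner uid (default 0, i.e. root).
audit_lilo_conf() {
    conf=$1; want_uid=${2:-0}; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    policy=$(lilo_prompt_policy "$conf")
    if [ "$policy" = none ]; then
        echo "FAIL: no password= in the global section"; rc=1
    else
        echo "OK: boot prompt policy is $policy"
    fi
    # The password is stored in clear text, so group/other must have no access.
    set -- $(ls -ldn "$conf")            # $1 = mode string, $3 = owner uid
    case $1 in
        ????------*) ;;
        *) echo "FAIL: $conf is accessible to group/other ($1); chmod 600"; rc=1 ;;
    esac
    [ "$3" = "$want_uid" ] || { echo "FAIL: owner uid is $3, expected $want_uid"; rc=1; }
    return $rc
}
```

A password= line that appears only inside an image= section is reported as "none", because it protects that one image and not the global boot prompt.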