Funny friends you have! :)

If you cannot install Debian from scratch on the specific box[es] in a short time, as Ahsan Ali suggested, I would suggest you make a fresh installation of the operating system on another box and take the md5 checksums of some critical binaries like /bin/* /sbin/* etc. (md5sum /bin/* /sbin/* /usr/local/sbin/* etc etc >new) and then compare them with the checksums of the 'compromised' box. It's generally a good idea to take checksums of almost everything when you do a fresh install so you can have a better view/clue afterwards.

> Hello Anindya,
>
> The only surefire way of recovering from this is to rebuild the
> machines from scratch. He could have installed several backdoors into
> the system and no matter how many you find (if any) there will almost
> certainly be more.
>
> In fact, replacing netstat, ps etc with modified binaries which are
> standard with "root-kits" he pretty much guarantees that you will not
> even be able to see the process(es) that he installed that listen on
> some other port for incoming connections.
>
> So... if I were in your place, I would most certainly rebuild from
> scratch.
>
> And oh... use a LILO password.
>
> All you need to add are two lines:
>
>     password=<password>
>     restricted
>
> to the LILO global config section in /etc/lilo.conf. The restricted
> keyword will allow normal boot but will prompt you for the password
> specified if you attempt to pass lilo any parameters at bootup.
>
> Be sure to run lilo after making changes to /etc/lilo.conf, also since
> the password is in clear text, make sure lilo.conf is not readable by
> anyone except root.
>
>     chmod 600 /etc/lilo.conf
>
> Regards,
>
> Ahsan Ali
>
> On Thu, 1 Jul 2004 10:34:25 +0530, Anindya Mozumdar <anindya@xxxxxxxxx>
> wrote:
>>
>> Hi,
>> The following problem may be trivial to some of you, however my
>> knowledge of Linux is limited, and I don't understand how it can be
>> done.
>> In our institute, we use Debian Linux, and the boot loader is lilo.
>> For those machines where the lilo password is not set, ANY ONE can
>> get a root shell by simply interrupting the boot process and typing
>> linux init=/bin/sh in the boot prompt.
>> One of my friends obtained a root shell in this manner, and has
>> either made some changes, or set up some program, by which he can
>> become root any time, without actually knowing the root password,
>> which is known only to our system administrator. What may be the
>> possible things he has done to set up his program, and how can it be
>> reversed?
>> Thanks in advance.
>> Anindya Mozumdar.
>> -
>> : send the line "unsubscribe linux-admin"
>> in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>

--
Alexander Economou
GNET NOC
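
The manifest comparison suggested in the reply above, as an added example that is not part of the original thread. The names `compare_manifests` and `demo` are hypothetical, and the sample hashes and paths are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: diff two md5sum manifests
# ("<hash>  <path>" or "<hash> *<path>"), reference first, suspect second.
# Prints CHANGED / EXTRA / MISSING per path; returns 1 if anything differs.
compare_manifests() {
    status=0
    out=$(awk '
        # Strip hash and separator; keeps paths that contain spaces.
        function path(line) { sub(/^[^ ]+ [ *]/, "", line); return line }
        NR == FNR { ref[path($0)] = $1; next }   # first file: reference
        {
            p = path($0); seen[p] = 1
            # Appending "" forces string comparison; hashes like 0e1... and
            # 0e2... would otherwise compare equal as numbers.
            if (!(p in ref)) { print "EXTRA", p; bad = 1 }
            else if ((ref[p] "") != ($1 "")) { print "CHANGED", p; bad = 1 }
        }
        END {
            for (p in ref) if (!(p in seen)) { print "MISSING", p; bad = 1 }
            exit bad + 0
        }
    ' "$1" "$2") || status=$?
    if [ -n "$out" ]; then printf '%s\n' "$out" | sort; fi
    return "$status"
}

# Constructed sample manifests (made-up hashes) to try the function offline.
demo() {
    d=$(mktemp -d)
    cat > "$d/new" <<'EOF'
5d41402a5d41402a5d41402a5d41402a  /bin/ls
0e111111111111111111111111111111  /bin/ps
7c6a180b7c6a180b7c6a180b7c6a180b  /bin/netstat
EOF
    cat > "$d/suspect" <<'EOF'
5d41402a5d41402a5d41402a5d41402a  /bin/ls
0e222222222222222222222222222222  /bin/ps
9b1deb4d9b1deb4d9b1deb4d9b1deb4d  /usr/local/sbin/unknown
EOF
    rc=0
    compare_manifests "$d/new" "$d/suspect" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Generate the suspect manifest from rescue media with the suspect disk mounted read-only, since a box whose ps and netstat may have been replaced cannot be trusted to hash itself. The same function works on sha256sum output, which is the better choice on current systems.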