Password problem
This is a discussion on Password problem within the Slackware Linux Support forums, part of the Unix Operating Systems category; --> Stock Slackware 10.2 install. Up about six weeks with rudimentary password and login as root. This morning's session went ...
| |||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
02-20-2008, 06:24 PM
| ||||
| ||||
 Password problem Stock Slackware 10.2 install. Up about six weeks with rudimentary password and login as root. This morning's session went fine, but I must have picked up a bug or virus because I cannot log in again this afternoon. Any ideas on how go get into the system? Rebooting with the install disk and using "passwd" does not work. I really would not like to rebuild this disk, but if I have to - I have to. Any ideas gratefully accepted. Marv      |
|
02-20-2008, 06:24 PM
| |||
| |||
| Re: Password problem On 2006-07-19, Marv Soloff <msoloff@worldnet.att.net> wrote: > Stock Slackware 10.2 install. Up about six weeks with rudimentary > password and login as root. This morning's session went fine, but I > must have picked up a bug or virus because I cannot log in again this > afternoon. "A bug or virus"? If it was an easily crackable root password, and your box was on the public internet, then you've probably been cracked. If that's the case, it's really safest to erase and reinstall. (Note, not just reinstall, but erase!) To verify that, boot off of known-good media and run something like chkrootkit. To prevent potential future cracks, disallow ssh in as root, and pick a strong password for root and any users you have. > Any ideas on how go get into the system? Rebooting with the > install disk and using "passwd" does not work. Rebooting with the install disk and using passwd sets the password for the ramdisk loaded into memory, not the password on your hard disk. To change the password on disk, mount your partitions (say under /mnt), run chroot /mnt, then try to run passwd (this procedure untested). > I really would not like > to rebuild this disk, but if I have to - I have to. If you can find convincing evidence that you've been cracked, then you have to. But don't overreact too much yet; it's possible that you just b0rked something along the line. IIRC the new FAQ has some helpful information to tell if you've been cracked; try http://www.therockgarden.ca/aolsfaq.txt and look for the entry "Help! I think I've been hacked!!!" --keith -- kkeller-usenet@wombat.san-francisco.ca.us (try just my userid to email me) AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom see X- headers for PGP signature information |
|
02-20-2008, 06:24 PM
| |||
| |||
| Re: Password problem Great Thanks! Will try these suggestions. Marv Keith Keller wrote: > On 2006-07-19, Marv Soloff <msoloff@worldnet.att.net> wrote: > >>Stock Slackware 10.2 install. Up about six weeks with rudimentary >>password and login as root. This morning's session went fine, but I >>must have picked up a bug or virus because I cannot log in again this >>afternoon. > > > "A bug or virus"? If it was an easily crackable root password, and your > box was on the public internet, then you've probably been cracked. If > that's the case, it's really safest to erase and reinstall. (Note, not > just reinstall, but erase!) > > To verify that, boot off of known-good media and run something like > chkrootkit. > > To prevent potential future cracks, disallow ssh in as root, and pick a > strong password for root and any users you have. > > >>Any ideas on how go get into the system? Rebooting with the >>install disk and using "passwd" does not work. > > > Rebooting with the install disk and using passwd sets the password for > the ramdisk loaded into memory, not the password on your hard disk. To > change the password on disk, mount your partitions (say under /mnt), run > chroot /mnt, then try to run passwd (this procedure untested). > > >>I really would not like >>to rebuild this disk, but if I have to - I have to. > > > If you can find convincing evidence that you've been cracked, then you > have to. But don't overreact too much yet; it's possible that you just > b0rked something along the line. IIRC the new FAQ has some helpful > information to tell if you've been cracked; try > http://www.therockgarden.ca/aolsfaq.txt and look for the entry "Help! I > think I've been hacked!!!" > > --keith > |
|
02-20-2008, 06:24 PM
| |||
| |||
| Re: Password problem Marv Soloff wrote: > afternoon. Any ideas on how go get into the system? Rebooting with the > install disk and using "passwd" does not work. Boot from an install cdrom,( or any linux bootable cd) mount the partition that has /etc/shadow. Delete the hashed password entry for root. (Not the whole line, just the part thats represents the password.) Now when you reboot, root has a blank password. note: You should really only do that if you just forgot your password, not if you got cracked. -- paul w. |
|
02-20-2008, 06:24 PM
| |||
| |||
| Re: Password problem Marv Soloff <msoloff@worldnet.att.net> wrote: > Stock Slackware 10.2 install. Up about six weeks with rudimentary > password and login as root. I hope that you are aware that you should do most of your work as an ordinary user and only su to root when you absolutely have to. > This morning's session went fine, but I must have picked up a bug or > virus because I cannot log in again this afternoon. If you do a mistake or run any kind of trojan as root you can really mess things up. Others have already given pointers on how to reset the root password and to reinstall from scratch if you think you have been hacked. regards Henrik -- The address in the header is only to prevent spam. My real address is: hc8(at)uthyres.com Examples of addresses which go to spammers: root@variousus.net root@localhost |
|
02-20-2008, 06:24 PM
| |||
| |||
| Re: Password problem paul wisehart <pkw@lupulin.net>: > Marv Soloff wrote: > > afternoon. Any ideas on how go get into the system? Rebooting with the > > install disk and using "passwd" does not work. > > Boot from an install cdrom,( or any linux bootable cd) > mount the partition that has /etc/shadow. > Delete the hashed password entry for root. > (Not the whole line, just the part thats represents the password.) > > Now when you reboot, root has a blank password. > > note: You should really only do that if you just forgot > your password, not if you got cracked. And disconnect from the net before you do any of it. No point in fixing it if the cracker's watching you do it (keystroke loggers ...). -- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling Linux Counter #80292 - - http://www.faqs.org/rfcs/rfc1855.html Spammers! http://www.spots.ab.ca/~keeling/emails.html |
|
02-20-2008, 06:24 PM
| |||
| |||
| Re: Password problem paul wisehart wrote: > Marv Soloff wrote: > >> afternoon. Any ideas on how go get into the system? Rebooting with >> the install disk and using "passwd" does not work. > > > Boot from an install cdrom,( or any linux bootable cd) > mount the partition that has /etc/shadow. > Delete the hashed password entry for root. > (Not the whole line, just the part thats represents the password.) > > Now when you reboot, root has a blank password. > > note: You should really only do that if you just forgot > your password, not if you got cracked. > > -- > paul w. Does not work - used vi to delete hashes on both etc/passwd and etc/shadow. Thanks anyway. Marv |
|
02-20-2008, 06:24 PM
| |||
| |||
| Re: Password problem On Wed, 19 Jul 2006 12:48:24 -0700 Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote: > On 2006-07-19, Marv Soloff <msoloff@worldnet.att.net> wrote: > > Stock Slackware 10.2 install. Up about six weeks with rudimentary > > password and login as root. This morning's session went fine, but I > > must have picked up a bug or virus because I cannot log in again this > > afternoon. > .... > > If you can find convincing evidence that you've been cracked, then you > have to. But don't overreact too much yet; it's possible that you just > b0rked something along the line. IIRC the new FAQ has some helpful > information to tell if you've been cracked; try > http://www.therockgarden.ca/aolsfaq.txt and look for the entry "Help! I > think I've been hacked!!!" > Perhaps, this writeup can be useful, too: http://www.ducea.com/2006/07/17/how-...-linux-server/ -- Mikhail |
|
02-20-2008, 06:24 PM
| ||||
| ||||
| Re: Password problem paul wisehart wrote: > Marv Soloff wrote: > >> Does not work - used vi to delete hashes on both etc/passwd and >> etc/shadow. Thanks anyway. >> > Yes, it works. You did something wrong. > There's nothing to delete from /etc/passwd. > -- > paul Not to be a wiseass, I mounted the partition (hda1) and went to etc/shadow. The root entry has a 4 digit number and a batch of zeros. Comparing this entry to one of my other 10.2 drives, the #2 drive shows a large entry, hashed, for this root entry. If I edit this entry, I will most likely wind up with no root password. The problem is, what am I mounting when I mount hda1? You may me right, that I am doing something wrong. However, at this point, I don' know what Regards, Marv |
Linear Mode
