*BSD News Article 95522



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!uunet!in2.uu.net!204.73.178.32!chippy.visi.com!news-out.visi.com!cam-news-hub1.bbnplanet.com!news.bbnplanet.com!news.mathworks.com!news1.best.com!nntp1.ba.best.com!not-for-mail
From: dhawk@best.com (David Hawkins)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: PANIC! FreeBSD box still hosed
Date: 16 May 1997 07:59:40 -0700
Organization: Decline to State
Lines: 46
Message-ID: <5lhsos$3ba$1@shell3.ba.best.com>
References: <Pine.LNX.3.95.970515184110.29195A-100000@cirrus.axxis.com>
NNTP-Posting-Host: shell3.ba.best.com
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:41048

In article <Pine.LNX.3.95.970515184110.29195A-100000@cirrus.axxis.com>,
Q. Wade Billings <blitz@axxis.com> wrote:

>I have posted a message to this newsgroup concerning a rebel FreeBSD box
>that refuses all attempts to log into it. I have checked the password
>file, and it is working as my dialup customers can still authenticate
>through RADIUS, but I can not login. This would not be such a problem, but
>I need to get on the machine to do work on it.

What's the exact error message you get?
[Lots of details would help: version of FreeBSD, how many users, etc.]
Are you trying to login as root? It may be that your console is set
to 'secure' and won't take root passwords across the network. If you
are at the console then that's not the problem, of course.

If you are at the console then you can boot to single user
(control-alt-del) and -s (I think). In single user mode you type
    passwd
and change the password. Hmm, you might want to make copies of
the /etc directory first in case the problem is a crack.
    tar cf /root/etc.tar /etc

One possible problem if you can't login as root at the console is that
your root password includes the # character, which is backspace at
the console on some unix systems.

Once you get the problem fixed (hopefully some of the above helped)
create an account for yourself and use sudo to grant yourself root
access. Make sure your password and the root password are hard to
guess.

It may be that your system has been cracked and the root password
changed. Once you get into the system check for root logins and
'su' usage, as in
    last -20 root
At that point you'd need to make sure that other root accounts (user:
0) haven't been created. Remove the 'toor' account if it's
not being used.
If you have automated backups then you might be able to find what's
been changed once you get into the system. Restore a backup from
before your problems and compare the files that have changed.

later, david
--
David Hawkins    dhawk@best.com       http://www.river.org/~dhawk
There seems no plan because it's all plan. There seems no center
because it's all center. -- C. S. Lewis
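
The UID 0 check described in the post above, as an added example that is not part of the original post: it lists every login whose UID field is 0 in a passwd-format file and reports the ones not on an allow list. The function names and the sample entries are constructed for illustration; it relies on the UID being field 3 in both /etc/passwd and FreeBSD's /etc/master.passwd.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file
# for accounts with UID 0. Function names here are hypothetical.

# uid0_accounts FILE: print every login name whose UID (field 3) is 0.
# Comment lines and short, malformed lines are skipped.
uid0_accounts() {
    awk -F: '!/^#/ && NF >= 7 && $3 ~ /^0+$/ { print $1 }' "$1"
}

# unexpected_uid0 FILE [ALLOWED...]: print UID 0 logins not in the allow list.
unexpected_uid0() {
    file=$1; shift
    allowed=" $* "
    uid0_accounts "$file" | while IFS= read -r name; do
        case "$allowed" in
            *" $name "*) ;;                    # expected superuser account
            *) printf '%s\n' "$name" ;;        # needs a closer look
        esac
    done
}

# Constructed sample in master.passwd layout (not from a real system).
sample_passwd() {
    cat <<'EOF'
# $FreeBSD$
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:*:1001:1001::0:0:Constructed user:/home/alice:/bin/sh
maint:*:0:0::0:0:Constructed extra UID 0 entry:/tmp:/bin/sh
EOF
}

# Demo on the constructed sample; on a live system pass /etc/master.passwd.
tmp=$(mktemp) && sample_passwd > "$tmp"
unexpected_uid0 "$tmp" root    # prints toor and maint
rm -f "$tmp"
```

Running the same function against the passwd file from a restored backup and from the live system gives two lists that can be compared directly.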