Linux Users' Group of Davis (LUGOD)
Page last updated:
2002 Mar 16 14:17

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Re: [vox] What happens internally to Linux when it is in password limbo?

I'd say you're in big trouble... and the password is the 
least of your troubles.

Your top output shows only 3% idle but 0 for user and 
system... you're missing 97% of your cpu utilization. I've 
not experienced it, but they say that when a box is 
hacked with a root kit they can replace some of your 
binaries to hide their activities. Specifically I've 
seen 'ps' and 'top' listed as those replaced. 

Theoretically, somebody can log in, replace top with a 
program that will show everything but their application, 
then wipe out the entries in the logs that show when 
they logged in (including any giveaways 
in /var/log/messages which is the default syslog for RH 
6.1).

I'd say pull the network cable and don't plug it back in 
until the system has been rebuilt. I'd grab my most 
important config files (probably sendmail.cf since this 
seems to be your e-mail server) and then comb through 
them very carefully before using again.

Also, RH 6.1 is a very old distro with many problems. 
I'd suggest at least moving up to RH 7.1 if you wanted 
to stay with RH, but for pure server builds I've 
switched to debian.

But no matter what you do, please pull the plug soon. No 
telling what that box is being used for without your 
knowledge. And I'd bet good money that it's being used 
for something that you don't know about.

"Of course that's just my opinion, I could be wrong"

-Doug
>     The sendmail on a 200MHz recently slowed to a crawl on a Red Hat 6.1
> system.  Authorization took up to 3 minutes on machines running Outlook
> Express.  The day after I changed the root password from an easily guessable
> password, the machine had all the speed you could hope for.  But since I
> have not yet restarted any of the services or rebooted, the old password
> still works even though through linuxconf the password has been changed.
> Does this make any sense to anyone?  There is nothing too suspicious in the
> access logs, mainly just some failed anonymous FTP access.  Running top used
> to show less than 1k of memory free and around 56 processes sleeping, 1
> running.  This is what it shows now:
> 
>  10:57am  up 4 days,  2:34,  1 user,  load average: 0.00, 0.00, 0.00
> 57 processes: 56 sleeping, 1 running, 0 zombie, 0 stopped
> CPU states:  0.0% user,  0.0% system,  0.0% nice,  3.0% idle
> Mem:   63124K av,  57252K used,   5872K free,  35124K shrd,  18276K buff
> Swap: 157208K av,      0K used, 157208K free                 22416K cached
> 
>   PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
> 10697 dpwebste  18   0  1020 1020   816 R       0  4.7  1.6   0:00 top
>     1 root       0   0   460  460   388 S       0  0.0  0.7   0:03 init
>     2 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kflushd
>     3 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kupdate
>     4 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kpiod
>     5 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kswapd
>     6 root     -20 -20     0    0     0 SW<     0  0.0  0.0   0:00
> mdrecoveryd
>    99 root       0   0    44   44    20 S       0  0.0  0.0   0:00 mingetty
>   358 bin        0   0   476  476   388 S       0  0.0  0.7   0:00 portmap
>   374 root       0   0   464  464   396 S       0  0.0  0.7   0:00 apmd
>   427 root       0   0   528  528   428 S       0  0.0  0.8   0:03 syslogd
>   438 root       0   0   752  752   388 S       0  0.0  1.1   0:00 klogd
>   454 daemon     0   0   484  484   404 S       0  0.0  0.7   0:00 atd
>   470 root       0   0   600  600   504 S       0  0.0  0.9   0:00 crond
>   490 root       0   0   484  484   408 S       0  0.0  0.7   0:00 inetd
>   506 root       0   0   488  488   408 S       0  0.0  0.7   0:00 lpd
> 
>     I would be curious to hear from anyone with theories, or if you could
> recommend a book that goes into great depth into the inner workings of Linux
> I would appreciate it.
> 
> Danny
> 
> _______________________________________________
> vox mailing list
> vox@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox
_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox
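Doug's observation is that the quoted top output accounts for only 3% of CPU time, which is a symptom of a top binary that hides processes. The script below is an added example, not code from either poster: it parses that exact "CPU states:" line, recomputes CPU usage from the kernel's own counters in two /proc/stat samples (constructed sample values, in the four-field layout of a 2.2-era kernel), and reports where the two disagree. It also shows a plain SHA-256 baseline check of the kind a defender would run against /bin/ps and /usr/bin/top, using a throwaway file as the stand-in binary. A check like this is only meaningful if the Python interpreter and the hashing tools themselves come from trusted media and the baseline hashes were recorded before the compromise.

```python
import hashlib
import os
import re
import tempfile

# 'CPU states:' header line copied from the top output quoted in the post.
TOP_LINE_FROM_POST = "CPU states:  0.0% user,  0.0% system,  0.0% nice,  3.0% idle"

# Constructed /proc/stat 'cpu' lines in the 2.2-kernel layout
# (user nice system idle, in 1/100 s ticks), sampled one second apart.
# Made-up sample values, not data from the original post.
PROC_STAT_BEFORE = "cpu  1000 20 500 8000"
PROC_STAT_AFTER = "cpu  1097 20 503 8000"   # 97 user + 3 system ticks, 0 idle

CPU_STATES_RE = re.compile(r"(\d+\.\d+)%\s*(user|system|nice|idle)")


def parse_top_cpu_states(line):
    """Map each state named on a 'CPU states:' line to its reported percentage."""
    states = {name: float(pct) for pct, name in CPU_STATES_RE.findall(line)}
    if not states:
        raise ValueError("no CPU state fields found in: %r" % line)
    return states


def unaccounted_percent(states):
    """Share of CPU time that the reported states do not cover."""
    return round(100.0 - sum(states.values()), 1)


def proc_stat_percent(before, after):
    """Per-state CPU percentages from the kernel counters in two /proc/stat samples."""
    names = ("user", "nice", "system", "idle")
    first = [int(x) for x in before.split()[1:5]]
    second = [int(x) for x in after.split()[1:5]]
    deltas = [b - a for a, b in zip(first, second)]
    total = sum(deltas)
    if total <= 0:
        raise ValueError("no CPU ticks elapsed between the two samples")
    return {n: round(100.0 * d / total, 1) for n, d in zip(names, deltas)}


def accounting_gap_report(top_line, stat_before, stat_after, tolerance=5.0):
    """List discrepancies between what top prints and what /proc/stat says.

    An empty list means the two agree within `tolerance` percentage points.
    """
    top_states = parse_top_cpu_states(top_line)
    kernel = proc_stat_percent(stat_before, stat_after)
    findings = []
    gap = unaccounted_percent(top_states)
    if gap > tolerance:
        findings.append("top leaves %.1f%% of CPU time unaccounted for" % gap)
    for name, kernel_pct in kernel.items():
        top_pct = top_states.get(name, 0.0)
        if abs(kernel_pct - top_pct) > tolerance:
            findings.append("%s: top reports %.1f%%, /proc/stat shows %.1f%%"
                            % (name, top_pct, kernel_pct))
    return findings


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_baseline(baseline):
    """Paths whose current hash differs from the recorded baseline, or that are missing."""
    changed = []
    for path, expected in baseline.items():
        try:
            if sha256_file(path) != expected:
                changed.append(path)
        except OSError:
            changed.append(path)
    return changed


def demo_baseline_check():
    """Record a baseline for a stand-in 'binary', alter it, and confirm the change is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_top = os.path.join(tmp, "top")   # constructed stand-in for /usr/bin/top
        with open(fake_top, "wb") as handle:
            handle.write(b"original top binary\n")
        baseline = {fake_top: sha256_file(fake_top)}
        with open(fake_top, "wb") as handle:   # simulate the file being replaced
            handle.write(b"replaced top binary\n")
        return verify_baseline(baseline) == [fake_top]


if __name__ == "__main__":
    for finding in accounting_gap_report(TOP_LINE_FROM_POST, PROC_STAT_BEFORE, PROC_STAT_AFTER):
        print("FINDING:", finding)
    print("baseline check detects replacement:", demo_baseline_check())
```

Run on the line from the post, the script reports a 97% accounting gap and a user-time mismatch against the kernel counters; a healthy top header sums to about 100% and tracks /proc/stat closely.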


