On Mon, 22 Nov 2004, Santanu Das wrote:
> We suspect that one of our WNs may have been compromised by a
> wide-scale ssh probe on Sat from a Taiwanese host, 192.192.73.5. The
> "bad" WN has been seen probing outside of our Cambridge domain for ssh.
> I can't log in as root on that WN now. I changed the password-cfg.h on
> LCFG and remade the profile for that particular node, but I still can't
> use the new password on that "bad" WN. I don't want to reboot that WN
> just now. Any idea how I can change the password on that compromised WN,
> or how I can log in without rebooting the node?
If the node has really been compromised, you'd probably really want to reboot
it (probably into single-user mode, or just boot it from CD and inspect the
data on the WN's hard drive), because you can't trust anything there.
But anyway, to your question - if there were a way to log in as root to a
machine which (for any reason) doesn't allow you to log in as root, then the
machine is by definition vulnerable and there is nothing strange about the
fact that you have been hacked :)
So if you, for example, have not upgraded your kernel, you should be able to
log in as a normal user, exploit the vulnerability and get a root shell.
:)
--
Jiri Kosina
Institute of Physics, Academy of Sciences of the Czech Republic
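The reply's advice is to stop trusting the live system and instead boot from clean media and inspect the disk offline. The script below is an added illustration of that offline inspection step; it is not part of the thread and not something either poster ran. It assumes the suspect disk has been mounted read-only under a mount point (e.g. /mnt/suspect) from a rescue system, and that a manifest of SHA-256 hashes for critical binaries was built earlier from a trusted install of the same package set (the build_manifest helper shows how). Paths, the manifest format and the function names are all this example's own choices; it needs sha256sum from GNU coreutils and a find that understands -perm -4000.

```sh
#!/bin/sh
# Offline integrity check of a suspect root filesystem.
# ASSUMPTIONS (not from the thread): the suspect disk is mounted read-only
# at MOUNTPOINT from a clean rescue system (boot CD), and MANIFEST holds
# sha256sum-format lines ("<hash>  <relative path>") produced beforehand
# from a trusted install of the same package set with build_manifest.

# build_manifest TRUSTED_ROOT RELATIVE_PATH...
# Emits one "<sha256>  <relative path>" line per file, hashed from inside
# TRUSTED_ROOT so the same relative paths apply to any other mount point.
build_manifest() {
    root=$1; shift
    for p in "$@"; do
        ( cd "$root" && sha256sum "$p" ) || return 1
    done
}

# verify_manifest MOUNTPOINT MANIFEST
# Prints "MODIFIED <path>" or "MISSING <path>" for every entry whose file on
# the suspect disk does not match the trusted hash. Returns 0 when every
# entry matches, 1 otherwise. Hashes are computed by the rescue system's own
# sha256sum, never by a binary from the suspect disk.
verify_manifest() {
    mnt=$1; manifest=$2; bad=0
    while read -r want path; do
        if [ -z "$path" ]; then continue; fi
        f="$mnt/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        have=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# list_setuid MOUNTPOINT
# Lists setuid files on the suspect filesystem only (-xdev keeps find from
# wandering into the rescue system). Diff this against the same listing from
# a trusted install; an unexpected entry is worth a closer look.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Stand-alone use: sh check.sh /mnt/suspect trusted.manifest
if [ "$#" -ge 2 ]; then
    verify_manifest "$1" "$2"
    echo "--- setuid files under $1 ---"
    list_setuid "$1"
fi
```

The manifest deliberately lives off the suspect disk and is rebuilt from a trusted install rather than from the machine under investigation, for the same reason the reply gives: once a host is compromised, its own tools and package database are no longer evidence of anything.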