How to determine if somebody changed the password?

Asked by mnemonics:
Hi,

I have an Enterprise 250 server running Solaris 8.

A few days ago I received a complaint that no user can log in, not even root.

I've read the password recovery solutions posted and haven't tried them yet. Before doing so, I also need to know if someone intentionally changed the passwords.

Thanks in advance.

NB.

Newbie in Unix.
Commented:
If you know when you last accessed /etc/shadow you can try ls -l and see the modification time.

Better yet, take the passwd file from the backup and compare it to the /etc/shadow file you have now.

To be safe, pull the ethernet cable on the system while you are hacking.

So, boot it with the CD (boot cdrom -s),
mount the old root fs (mount /dev/dsk/c0t0d0s0 /a),
read back the old /etc/shadow into /a/var/tmp
and compare them.

If someone has compromised your system he/she has most likely added an account or put an SUID bit on a shell
to get root access in the future. Check this with
find /a -type f -perm -4000 -print

HTH
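The comparison and the setuid sweep described in the answer above, as an added example that is not part of the original thread. The function names, the file names and the sample shadow entries (with made-up hashes) are constructed for illustration; on the real system you would point compare_shadow at the backup copy and /a/etc/shadow, and find_suid at /a.

```shell
#!/bin/sh
# Added example, not from the original thread. Compares a backed-up shadow
# file against the current one and reports accounts whose password hash
# changed, then lists setuid files under a mounted root. File names and the
# sample entries below are constructed; the hashes are not real.

# compare_shadow OLD NEW
# Prints one line per difference: "user:changed:lastchg OLD->NEW",
# "user:added" or "user:removed". Only the name, hash and lastchg fields
# (fields 1-3 of shadow(4)) are compared; a changed lastchg (days since
# 1970-01-01) tells you roughly when the new password was set.
compare_shadow() {
    old=$1
    new=$2
    # An empty backup would make awk treat every line of NEW as "old".
    [ -s "$old" ] || { echo "compare_shadow: $old is empty" >&2; return 1; }
    awk -F: '
        NR == FNR { oldhash[$1] = $2; oldchg[$1] = $3; next }   # first file: backup
        {
            seen[$1] = 1
            if (!($1 in oldhash))
                print $1 ":added"
            else if (oldhash[$1] != $2)
                print $1 ":changed:lastchg " oldchg[$1] "->" $3
        }
        END { for (u in oldhash) if (!(u in seen)) print u ":removed" }
    ' "$old" "$new" | sort
}

# find_suid ROOT
# Lists regular files with the setuid bit set under ROOT (e.g. /a after
# "mount /dev/dsk/c0t0d0s0 /a"). Note -perm -4000 (at least these bits),
# not -perm 4000 (exactly mode 4000), which would miss /usr/bin/su (4555).
find_suid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# make_sample_shadow DIR
# Writes two constructed shadow files into DIR: a "backup" copy and a
# "current" copy in which root's password was reset and an account added.
make_sample_shadow() {
    printf '%s\n' \
        'root:$1$bk$hashA:11000::::::' \
        'alice:$1$bk$hashB:11000::::::' \
        'bob:$1$bk$hashC:11000::::::' > "$1/shadow.backup"
    printf '%s\n' \
        'root:$1$cur$hashX:11200::::::' \
        'alice:$1$bk$hashB:11000::::::' \
        'mallory:$1$cur$hashY:11200::::::' > "$1/shadow.current"
}

# Stand-alone demo on the constructed files.
demo_dir=$(mktemp -d)
make_sample_shadow "$demo_dir"
compare_shadow "$demo_dir/shadow.backup" "$demo_dir/shadow.current"
rm -rf "$demo_dir"
```

On the constructed sample this reports bob as removed, mallory as added and root as changed with lastchg moving from 11000 to 11200. Run it from the CD-booted environment with the disk mounted read-only if you want the modification times on /a to stay untouched for later inspection.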

Author commented:
Hi besky,

I am also looking at the possibility that somebody from our organization, who knows the original root password, changed the users' and root passwords.

Aside from doing ls -l, is there any log file or files that might have recorded the things that the last user who used root had done?

:)

Commented:
No, not if you haven't configured that explicitly.

If you suspect someone from the inside I recommend you
lock the system down.
That is, make sure that /etc/default/login has the line
CONSOLE=/dev/console
This prevents root logins from any place other than the console.
Check also that the ftpusers file starts with "root" to
prevent anyone replacing files from the outside.

Now create the file /etc/nologin; this will prevent all users except root from logging in to your system.

Boot from CD, mount and remove the root passwd from /a/etc/shadow, umount and do a boot -s.

Now your system is up but not accessible to anyone but you.


You wrote that not a single user could log in; how many is that?

If it is a large number, it's not likely that someone has
changed everybody's passwds; if someone wants to destroy or vandalize your system there are a lot of easier ways to do that.

More likely is that someone screwed something up by mistake, maybe corrupting /etc/passwd or /etc/shadow.

But you will see when you boot it up.

HTH
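The lockdown steps in the answer above, as an added example that is not part of the original thread: a check for the CONSOLE setting in /etc/default/login, a check that ftpusers starts with root, and the removal of root's password field from a shadow file. The function names and the sample files are my own constructions; the functions take file paths so they can be run against /a/etc/default/login, /a/etc/ftpusers and /a/etc/shadow from the CD-booted environment.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks the lockdown settings
# recommended above against the given files and blanks root's password field
# in a given shadow file. Sample files below are constructed for the demo.

# login_is_console_only FILE
# True if FILE (normally /etc/default/login) has an active
# CONSOLE=/dev/console line. A commented-out "#CONSOLE=/dev/console" does
# not count: without the setting root may log in from any terminal.
login_is_console_only() {
    grep -q '^CONSOLE=/dev/console$' "$1"
}

# ftp_denies_root FILE
# True if the first line of FILE (normally /etc/ftpusers) is "root".
ftp_denies_root() {
    [ "$(head -1 "$1")" = "root" ]
}

# root_hash SHADOW
# Prints root's password field (empty once it has been cleared).
root_hash() {
    awk -F: '$1 == "root" { print $2 }' "$1"
}

# clear_root_password SHADOW
# Rewrites SHADOW with an empty password field for root, the step the
# answer describes for /a/etc/shadow. Only field 2 of the root line is
# touched; other fields and all other accounts are left as they are.
clear_root_password() {
    awk -F: 'BEGIN { OFS = ":" } $1 == "root" { $2 = "" } { print }' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# make_lockdown_samples DIR
# Constructed samples: a login file with CONSOLE commented out (weak), one
# with it active, an ftpusers listing root first, and a two-line shadow.
make_lockdown_samples() {
    printf '%s\n' '#CONSOLE=/dev/console' 'PASSREQ=YES' 'TIMEOUT=300' > "$1/login.weak"
    printf '%s\n' 'CONSOLE=/dev/console'  'PASSREQ=YES' 'TIMEOUT=300' > "$1/login.locked"
    printf '%s\n' 'root' 'daemon' 'bin' 'nobody' > "$1/ftpusers"
    printf '%s\n' 'root:$1$bk$hashA:11000::::::' 'alice:$1$bk$hashB:11000::::::' > "$1/shadow"
}

# Stand-alone demo on the constructed files.
demo_dir=$(mktemp -d)
make_lockdown_samples "$demo_dir"
for f in login.weak login.locked; do
    if login_is_console_only "$demo_dir/$f"; then
        echo "$f: root restricted to the console"
    else
        echo "$f: root may log in remotely, set CONSOLE=/dev/console"
    fi
done
if ftp_denies_root "$demo_dir/ftpusers"; then
    echo "ftpusers: root denied"
fi
clear_root_password "$demo_dir/shadow"
echo "root hash after clearing: '$(root_hash "$demo_dir/shadow")'"
rm -rf "$demo_dir"
```

Two caveats when applying this for real: an empty root password field means anyone at the console can become root without a password until you set a new one, so do that right after boot -s; and CONSOLE in /etc/default/login only governs the login program, while su to root is controlled by /etc/default/su.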

Author commented:
Thanks a lot for very quick and insightful answers...

:-)

Commented:
OK, thanks and good luck.
