hi all,
Sorry for the late summary...
Actually, the problem was not related to any attack. Some of the scripts in
the /etc/rc3.d directory had the problem. I just added the line "chmod 622
/dev/console" in the scripts before they start echoing anything to the
console and it all worked properly.
I sincerely thank all those respondents.
cheers
ram
> >
> > hi all,
> >
> > exactly the similar thing happened on our server too, today just a few
> > minutes ago..
> >
> > I still have the problem, and OpenWindows does not start on the console..!!
> >
> > here is the output of both /etc/logindevperm and ldd /bin/login.
> >
> > Script started on Wed Jul 28 13:25:23 1999
> > # cat etc/logindevperm
> > #
> > # Copyright 1996, by Sun Microsystems, Inc.
> > #
> > #ident "@(#)logindevperm 1.3 96/07/31 SMI"
> > #
> > # /etc/logindevperm - login-based device permissions
> > #
> > # If the user is logging in on a device specified in the "console" field
> > # of any entry in this file, the owner/group of the devices listed in the
> > # "devices" field will be set to that of the user. Similarly, the mode
> > # will be set to the mode specified in the "mode" field.
> > #
> > # "devices" is a colon-separated list of device names. A device name
> > # ending in "/*", such as "/dev/fbs/*", specifies all entries (except "."
> > # and "..") in a directory. A '#' begins a comment and may appear
> > # anywhere in an entry.
> > #
> > # console mode devices
> > #
> > /dev/console 0600 /dev/mouse:/dev/kbd
> > /dev/console 0600 /dev/sound/* # audio devices
> > /dev/console 0600 /dev/fbs/* # frame buffers
> > /dev/console 0600 /dev/rtvc0 # nachos capture device 0
> > /dev/console 0400 /dev/rtvcctl0 # nachos control device 0
> > /dev/console 0600 /dev/rtvc1 # nachos capture device 1
> > /dev/console 0400 /dev/rtvcctl1 # nachos control device 1
> > /dev/console 0600 /dev/rtvc2 # nachos capture device 2
> > /dev/console 0400 /dev/rtvcctl2 # nachos control device 2
> > /dev/console 0600 /dev/rtvc3 # nachos capture device 3
> > /dev/console 0400 /dev/rtvcctl3 # nachos control device 3
> > /dev/console 0600 /dev/rtvc4 # nachos capture device 4
> > /dev/console 0400 /dev/rtvcctl4 # nachos control device 4
> > /dev/console 0600 /dev/rtvc5 # nachos capture device 5
> > /dev/console 0400 /dev/rtvcctl5 # nachos control device 5
> > /dev/console 0600 /dev/rtvc6 # nachos capture device 6
> > /dev/console 0400 /dev/rtvcctl6 # nachos control device 6
> > /dev/console 0600 /dev/rtvc7 # nachos capture device 7
> > /dev/console 0400 /dev/rtvcctl7 # nachos control device 7
> > # ls -l /de etc/logindevperm
> > -rw-r--r-- 1 root sys 1988 Jul 21 09:23 /etc/logindevperm
> > #
> > # ldd /bin/login
> > libbsm.so.1 => /usr/lib/libbsm.so.1
> > libsocket.so.1 => /usr/lib/libsocket.so.1
> > libnsl.so.1 => /usr/lib/libnsl.so.1
> > libdl.so.1 => /usr/lib/libdl.so.1
> > libpam.so.1 => /usr/lib/libpam.so.1
> > libc.so.1 => /usr/lib/libc.so.1
> > libmp.so.2 => /usr/lib/libmp.so.2
> > #
> >
> > I am not able to figure out what is wrong and where..
> >
> > any help will be appreciated...
> >
> > I will summarise
> >
> > cheers
> > ram
> >
> >
> > On Tue, 27 Jul 1999 14:10:35 -0700, System Administrator wrote:
> >
> > > On Sat. July 24th, in the wee morning hours, one of our machines was
> > > compromised. The perpetrator installed a backdoor login in /bin/login,
> > > and managed to "muck up" the system by installing their own versions
> > > of /etc/inetd.conf, creating a /dev/portb directory in which they
> > > had a modified version of le, and maintained a log called "nohup.out"
> > > in that same directory.
> > >
> > > I haven't found any other problems yet, but we're still searching
> > > for any other mods they might have made. We were "tipped off" that
> > > things were not right when we tried to log in to the machine and
> > > OpenWindows failed to start, giving us "/dev/fb: Permission denied"
> > > errors.
> > >
> > > Casper Dik replied (almost immediately) to my request for info on the
> > > above, and he hit the nail on the head:
> > >
> > > >We discovered yesterday that only root can start OpenWindows on one of our
> > > >SPARCs - other users get "/dev/fb: Permission denied" and "Graphics
> > > >Adapter device /dev/fb is of unknown type". Strange because it worked
> > > >fine a couple of days ago.
> > > >
> > > >I suspect it may be one of the new patches we just installed last Friday -
> > > >the Y2K Patch Cluster for Solaris 2.4. Anybody seen a similar error, and
> > > >if so did you find a correlation with the installation of a specific
> > > >patch or patches? I've manually examined permissions on what I believe
> > > >are the key files and devices, and nothing looks wrong.
> > > >
> > > >The Y2K patch cluster was also installed on 7 other machines at about
> > > >the same time, and so far none of them are displaying this problem...
> > > >
> > > >Thanks for any advice you might have,
> > >
> > >
> > > Check /etc/logindevperm; it should contain
> > >
> > > /dev/console 0600 /dev/mouse:/dev/kbd
> > > /dev/console 0600 /dev/sound/* # audio devices
> > > /dev/console 0600 /dev/fbs/* # frame buffers
> > >
> > >
> > > Also, it is possible that someone installed a backdoor login; one in
> > > general use has this exact symptom; you can check with ldd /bin/login.
> > >
> > > If it shows "/usr/ucblib/libucb.so.1", you have a problem.
> > >
> > > Casper
> > >
> > > We did the "ldd /bin/login" check above, and sure enough! Seems to be
> > > similar to the now infamous "bob" attack in that the perpetrator tries
> > > to log TCP/IP info to/from the machine, almost certainly to try and
> > > catch plain-text passwords.
> > >
> > > Keep an eye out for this!
> > >
> > >
> > > Matt Marlow
> >
> >
> >
> >
> >
> > ________________________________________________________________
> > Get FREE voicemail, fax and email at http://voicemail.excite.com
> > Talk online at http://voicechat.excite.com
> >
>
> ------------------------------------------------------------------------
> SANDEEP.V.PANDIT. spandit@ssd1.utmem.edu
>
> School of Biomedical Engg.
> University of Tennessee,
> 899 Madison Avenue, suite801,
> Memphis,TN,USA.
> PH: (901)448-1497 FAX: (901)448-1495.
>
> RESIDENCE:
> 790,Madison Avenue,
> box # 241, Memphis,
> TN-38103, USA.
> PH: (901)448-8702.
> -------------------------------------------------------------------------
>
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:24 CDT
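Added example, not code from the thread, from Sun or from any of the posters: a small POSIX shell script that turns the two checks Casper Dik describes in the quoted mail (the three /dev/console entries that belong in /etc/logindevperm, and whether `ldd /bin/login` lists /usr/ucblib/libucb.so.1) and the 0622 mode on /dev/console that ram settled on into functions a defender can run against saved command output. The function names, variable names and temporary sample files are my assumptions; the sample inputs are constructed for the example, not captured from a real system, and on a Solaris box you would feed the functions the real `cat /etc/logindevperm`, `ldd /bin/login` and `ls -l /dev/console` output instead.

```shell
#!/bin/sh
# Added example (not from the thread). Offline versions of the checks
# discussed: expected /etc/logindevperm entries, the libucb tell-tale in
# `ldd /bin/login`, and the 0622 /dev/console mode. Names and samples are
# assumptions/constructed for this example.

# check_logindevperm FILE: succeed only if every expected console entry is
# present (comments stripped, first three fields compared exactly).
check_logindevperm() {
    missing=0
    for want in '/dev/console 0600 /dev/mouse:/dev/kbd' \
                '/dev/console 0600 /dev/sound/*' \
                '/dev/console 0600 /dev/fbs/*'; do
        if ! sed 's/#.*//' "$1" | awk 'NF >= 3 { print $1, $2, $3 }' \
             | grep -Fqx -- "$want"; then
            echo "logindevperm: missing entry: $want" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_login_ldd FILE: FILE holds the output of `ldd /bin/login`; fail if
# the library Casper named as the sign of a backdoored login is linked in.
check_login_ldd() {
    if grep -q '/usr/ucblib/libucb.so.1' "$1"; then
        echo "login: links /usr/ucblib/libucb.so.1, treat /bin/login as suspect" >&2
        return 1
    fi
    return 0
}

# console_mode_ok MODE: MODE is the first field of `ls -l /dev/console`
# (e.g. crw--w--w-); succeed if it is the 0622 layout from ram's fix:
# owner read/write, group and other write-only.
console_mode_ok() {
    [ "$(printf '%s' "$1" | cut -c2-4)" = "rw-" ] &&
    [ "$(printf '%s' "$1" | cut -c5-7)" = "-w-" ] &&
    [ "$(printf '%s' "$1" | cut -c8-10)" = "-w-" ]
}

# Constructed sample inputs, written to temporary files so the functions
# take the same file arguments they would take with real command output.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/logindevperm.good" <<'EOF'
# /etc/logindevperm - login-based device permissions
/dev/console 0600 /dev/mouse:/dev/kbd
/dev/console 0600 /dev/sound/*   # audio devices
/dev/console 0600 /dev/fbs/*     # frame buffers
EOF
    # same file with the frame-buffer line commented out
    cat > "$SAMPLE_DIR/logindevperm.bad" <<'EOF'
/dev/console 0600 /dev/mouse:/dev/kbd
/dev/console 0600 /dev/sound/*   # audio devices
#/dev/console 0600 /dev/fbs/*    # frame buffers
EOF
    # clean ldd output, shaped like ram's transcript
    cat > "$SAMPLE_DIR/ldd.clean" <<'EOF'
        libbsm.so.1 =>   /usr/lib/libbsm.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
EOF
    # the same with the library Casper warned about added
    cat > "$SAMPLE_DIR/ldd.suspect" <<'EOF'
        libucb.so.1 =>   /usr/ucblib/libucb.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
EOF
}

make_samples
trap 'rm -rf "$SAMPLE_DIR"' EXIT
for f in logindevperm.good logindevperm.bad; do
    if check_logindevperm "$SAMPLE_DIR/$f"; then echo "$f: ok"; else echo "$f: PROBLEM"; fi
done
for f in ldd.clean ldd.suspect; do
    if check_login_ldd "$SAMPLE_DIR/$f"; then echo "$f: ok"; else echo "$f: PROBLEM"; fi
done
for m in 'crw--w--w-' 'crw-------'; do
    if console_mode_ok "$m"; then echo "$m: ok"; else echo "$m: PROBLEM"; fi
done
```

The ldd check only looks for the one library name Casper gave, so a clean result from it rules out that particular backdoored login and nothing more; comparing the binary against a known-good copy or package checksum is the stronger check once a machine is suspected.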