passwd file corrupted

Good Day

Our HP box was hacked and the passwd file has been altered. There are only 2 user accounts active, and these don't have any administrative rights. I need to edit the passwd file to correct the su and root entries.
Does anybody have any suggestions as to how I can do this without the root account (maybe a "live cd" to edit the files)?

Thank you

If you have a recovery tape, this would now be useful. Boot from the tape and restore the passwd file, then boot again.

Thx for the reply, but this is where my problems start.

Firstly I try a tape recovery; once it gets to a point where I can select the files to recover, it fails, i.e.
ERROR : Tar: blocksize =0;broken pipe
ERROR: File: /usr/ccs not found
ERROR: file: /usr/obam not found
and it carries on with further errors.

Secondly I try a DVD recovery and boot from the DVD, but when I try to load files and dependencies, it tells me the file system is full.
That is, I try to edit the passwd file, vi isn't loaded, so I add the file to the list and it tries to add the files to the system so I can edit the passwd file. But it returns an error that the file system is full, so basically I am $##@@ right now.

So I was thinking of another tool that I could use to edit the passwd file?

Use the shell itself to edit the passwd file:
echo "fixup::0:0::/:/usr/bin/ksh" >> /etc/passwd
then reboot and login as fixup to finish the job.

Also this link may be helpful: Expert Recovery Using the Core Media

Thx, I logged in as the SU and edited the /etc/passwd

cheers

So use:
echo "fixup::0:0::/:/usr/bin/ksh" >> /mnt/etc/passwd

or whatever. Your post implied that lack of vi was your problem. This sidesteps that.
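
[Added example, not part of any poster's reply: the fixup entry suggested above has an empty password field and UID 0, so it should be removed once root is working again. The sketch below audits a passwd file for leftovers of that kind; the function names and the sample file are constructed for illustration.]

```shell
#!/bin/sh
# audit_passwd [FILE] - hypothetical helper, reads stdin when FILE is omitted.
# Prints one finding per line and returns 1 if anything was found, else 0.
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ { next }                 # skip blank lines
        /^[+-]/    { next }                 # skip NIS include/exclude entries
        NF != 7 {                           # a passwd entry has exactly 7 fields
            printf "line %d: malformed entry (%d fields)\n", NR, NF
            bad++; next
        }
        $3 == 0 && $1 != "root" {           # any second superuser is suspect
            printf "line %d: extra UID 0 account %s\n", NR, $1; bad++
        }
        $2 == "" {                          # empty field means no password at all
            printf "line %d: empty password for %s\n", NR, $1; bad++
        }
        seen[$1]++ {                        # later duplicates are ignored by login
            printf "line %d: duplicate account name %s\n", NR, $1; bad++
        }
        END { exit (bad > 0) }
    ' "${1:--}"
}

# Constructed sample input: the hashes are made-up strings, and the third
# line is the temporary recovery entry from the thread.
sample_passwd() {
    cat <<'EOF'
root:Xk3jR9qLm2abc:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
fixup::0:0::/:/usr/bin/ksh
oper:aB4kQ1zP0xyzw:101:20:Operator:/home/oper:/usr/bin/ksh
EOF
}

# Demo run against the constructed sample.
sample_passwd | audit_passwd || echo "passwd file still needs cleanup"
```

On a real system, pass the file path instead, for example audit_passwd /etc/passwd, or /mnt/etc/passwd when working from recovery media.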

Hi,

I am having the same problems with my root password. I reset it. I tested it in another shell and had no problems. It worked great.

Now it doesn't. I've tried rebooting in the off chance that would reset something, but no luck. The weird thing is that I changed the passwords for other users as well and have achieved the same results.

I have tried logging in via single user mode, but after I get to the ISL prompt and type "hpux -is", I am prompted for a username and password.

Any suggestions are greatly appreciated. Thanks In Advance.

I have never seen behavior like that. What version of HP-UX are you running? Was it in C2 security mode? After "hpux -is", does the system boot up? What kind of username prompt do you get...a standard login prompt? What kind of hardware are you running on?

At the isl prompt, type "lsa" and post the results.

Thanks for the help. Here are the answers to your questions.

HP-UX 10.20
I don't know what C2 security mode is.
The system does boot up.
I'm not sure what you mean by standard login prompt, but the login prompt I get is plain text:

Boot Authentication:

Please enter your login name:
Password:
Authentication incorrect.

HP C3600

At the ISL prompt I get this:

ISL>lsa

Auto-execute file contains:
hpux

C2 refers to a level of trusted systems. I believe that you may actually be running a B level version of HP-UX which has military grade security features. I have some experience with 10.0 at C2 and it didn't behave like your system is. I'm not sure how much I can help you, but I do have a couple of ideas.

What does "The weird thing is that I changed the passwords for other users as well and have achieved the same results." mean? That these accounts are also screwed up? Can you login as any user?

There is a problem that you may have stumbled into: according to the termio man page, the default ERASE character is # and the default KILL character is @. There are ways to change these defaults, but unless you did, neither character will be a reasonable choice for use in a password. In a shell where you have changed your ERASE and KILL characters, they will work with the su command. But they won't work with a login prompt. If this is your problem, you may be able to login as an ordinary user, change your ERASE and KILL characters, and then su to root. You might give this a try.

This sounds like my systems.

I was doing a password reset for all my users. I tested the accounts multiple times, but none of them work. I cannot login to the workstation from the login prompt with any user acct. I think I am screwed.

The termio issue sounds like it may have a hand in the problem, as my root does have those characters in it, but my users do not.

Oh well, thanks for the help.