Dear Concerns,
I would like to share a very strange problem. I am from Pakistan/Islamabad. Last month I was on training from Askari Bank Limited (Juniper). Here in Askari I am running NMS--> MRTGs using CentOS 4.4. While on training I received a call from a colleague saying
"when I "su -l" NMS says "root user does not exist"", and also MRTGs were not working. Well, I was amazed; how was it possible? In the evening I came back to the office. I booted the machine in single user mode and typed the command:
less /etc/passwd
Here I found that user root existed, but the only thing that was amazing is:
the spelling of root was changed from "root" to "R00t". I changed it to "root" and everything worked.
I want to ask, what is this? This does not seem a garbage value nor corruption of the passwd file; it only shows that someone changed this. Here we have a bank private network; only two people have access to it, me and another guy.
What are your opinions??????
Please also share your strange experiences.
Regards,
Umair Shakil Askari Bank Limited
On 12/09/2007, at 4:25 PM, umair shakil wrote:

> Dear Concerns,
> I would like to share a very strange problem. I am from Pakistan/Islamabad. Last month I was on training from Askari Bank Limited (Juniper). Here in Askari I am running NMS--> MRTGs using CentOS 4.4. While on training I received a call from a colleague saying
> "when I "su -l" NMS says "root user does not exist"", and also MRTGs were not working. Well, I was amazed; how was it possible? In the evening I came back to the office. I booted the machine in single user mode and typed the command:
> less /etc/passwd
> Here I found that user root existed, but the only thing that was amazing is:
> the spelling of root was changed from "root" to "R00t". I changed it to "root" and everything worked.
> I want to ask, what is this? This does not seem a garbage value nor corruption of the passwd file; it only shows that someone changed this. Here we have a bank private network; only two people have access to it, me and another guy.
> What are your opinions??????

This is usually done to change the root account name to something else. This is most often done for security - as most hacking attempts use the username root. Changing this to something else means that all those attempts would fail. As long as the UID is set to 0, most system things won't care that the user root is now known as R00t.
-- Steven Haigh
Email: netwiz@crc.id.au Web: http://www.crc.id.au Phone: (03) 9017 0597 - 0412 935 897
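Added example, not part of the original thread: since privilege follows UID 0 rather than the account name, as the reply above notes, a check of a passwd file should report both a missing literal root entry and any other name that holds UID 0. The function names, finding labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the condition seen in this thread.
# Finding labels (NO_ROOT_NAME, UID0, LOOKALIKE, BAD_FIELDS) are made up here.

# audit_passwd [FILE]: read FILE (or stdin) and print one finding per line.
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }                 # skip blanks and comments
        NF != 7 { printf "BAD_FIELDS line %d\n", NR; next }
        {
            name = $1; uid = $3
            if (name == "root") have_root = 1
            # Privilege follows the UID, so any other name with UID 0 matters.
            if (uid == 0 && name != "root")
                printf "UID0 %s line %d\n", name, NR
            # Fold case and map 0 -> o to catch R00t, ROOT, r0ot and similar.
            norm = tolower(name); gsub(/0/, "o", norm)
            if (norm == "root" && name != "root")
                printf "LOOKALIKE %s line %d\n", name, NR
        }
        END { if (!have_root) print "NO_ROOT_NAME" }
    ' "${1:--}"
}

# Constructed sample reproducing the state described in the first message.
sample_passwd() {
    cat <<'EOF'
R00t:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mrtg:x:500:500::/home/mrtg:/bin/bash
EOF
}

sample_passwd | audit_passwd
```

On the sample it reports UID0, LOOKALIKE and NO_ROOT_NAME; the last of these matches the "root user does not exist" symptom from su.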
Somebody in the thread at some point said:

> the spelling of root was changed from "root" to "R00t". I changed it to "root" and everything worked.
> I want to ask, what is this? This does not seem a garbage value nor corruption of the passwd file; it only shows that someone changed this. Here we have a bank private network; only two people have access to it, me and another guy.
> What are your opinions??????

I have seen vi do this action when it didn't understand a keycode on the terminal you are using properly... change the case of a few letters next to the cursor. But IIRC that was busybox vi.
Is it crazy to propose someone opened /etc/passwd in vi, and saved it out without noticing this had happened?
-Andy
On Wed, Sep 12, 2007 at 09:24:57AM +0100, Andy Green wrote:

> Somebody in the thread at some point said:
> > the spelling of root was changed from "root" to "R00t". I changed to
>
> I have seen vi do this action when it didn't understand a keycode on the terminal you are using properly... change the case of a few letters next to the cursor. But IIRC that was busybox vi.

What you saw was the act of the ~ key, which changes case in vi. Now a lot of the extra keys have escape sequences ending in a ~ (e.g. ^[[14~ is F4 on some terminals). Now, if vi doesn't recognise these extended sequences as referring to a single key press, then it might treat it as the commands ESCAPE followed by [1 (probably won't do anything) followed by 4~ - i.e. it will change the case of the next 4 characters.
So if the OP saw "ROOT" (rather than "R00T") then this is a possibility for what happened.
Somebody in the thread at some point said:

> On Wed, Sep 12, 2007 at 09:24:57AM +0100, Andy Green wrote:
> > Somebody in the thread at some point said:
> > > the spelling of root was changed from "root" to "R00t". I changed to
> >
> > I have seen vi do this action when it didn't understand a keycode on the terminal you are using properly... change the case of a few letters next to the cursor. But IIRC that was busybox vi.
>
> What you saw was the act of the ~ key, which changes case in vi. Now a lot of the extra keys have escape sequences ending in a ~ (e.g. ^[[14~ is F4 on some terminals). Now, if vi doesn't recognise these extended sequences as referring to a single key press, then it might treat it as the commands ESCAPE followed by [1 (probably won't do anything) followed by 4~ - i.e. it will change the case of the next 4 characters.

Well thanks for the explanation... IIRC it was being provoked in my case rather annoyingly by Home and End that my fingers had gotten used to using.
-Andy
Dear,
"Is it crazy to propose someone opened /etc/passwd in vi, and saved it out without noticing this had happened?"
I would like to add, MRTGs were not updated as my colleague logged in... MRTGs worked fine after that.... again after a few hours he logged in and then su - but the problem arose.
Then please tell me spelling has changed.... Automatically :( It is obvious that someone has changed it.
Regards,
Umair Shakil ETD

On 9/12/07, Andy Green andy@warmcat.com wrote:

> Somebody in the thread at some point said:
> > the spelling of root was changed from "root" to "R00t". I changed it to "root" and everything worked.
> > I want to ask, what is this? This does not seem a garbage value nor corruption of the passwd file; it only shows that someone changed this. Here we have a bank private network; only two people have access to it, me and another guy.
> > What are your opinions??????
>
> I have seen vi do this action when it didn't understand a keycode on the terminal you are using properly... change the case of a few letters next to the cursor. But IIRC that was busybox vi.
> Is it crazy to propose someone opened /etc/passwd in vi, and saved it out without noticing this had happened?
> -Andy
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
> I have seen vi do this action when it didn't understand a keycode on the terminal you are using properly... change the case of a few letters next to the cursor. But IIRC that was busybox vi.
> Is it crazy to propose someone opened /etc/passwd in vi, and saved it out without noticing this had happened?

If you suspect your box has been rooted, then perhaps it is time to do some checking.
rpm -Va
Also, have you ever updated the box?
On Thu, Sep 13, 2007, Feizhou wrote:

> > I have seen vi do this action when it didn't understand a keycode on the terminal you are using properly... change the case of a few letters next to the cursor. But IIRC that was busybox vi.
> > Is it crazy to propose someone opened /etc/passwd in vi, and saved it out without noticing this had happened?
>
> If you suspect your box has been rooted, then perhaps it is time to do some checking.
> rpm -Va

Unfortunately that isn't much use if you're running the default system with prelink as it changes large numbers of executables rendering the RPM verify close to useless.
Bill -- INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
The very powerful and the very stupid have one thing in common. Instead of altering their views to fit the facts, they alter the facts to fit their views ... which can be very uncomfortable if you happen to be one of the facts that needs altering. -- Doctor Who, "Face of Evil"
Bill Campbell wrote:

> On Thu, Sep 13, 2007, Feizhou wrote:
> > > I have seen vi do this action when it didn't understand a keycode on the terminal you are using properly... change the case of a few letters next to the cursor. But IIRC that was busybox vi.
> > > Is it crazy to propose someone opened /etc/passwd in vi, and saved it out without noticing this had happened?
> >
> > If you suspect your box has been rooted, then perhaps it is time to do some checking.
> > rpm -Va
>
> Unfortunately that isn't much use if you're running the default system with prelink as it changes large numbers of executables rendering the RPM verify close to useless.

Eh? I thought it can figure out prelink's activity too? Has something changed?
On Thu, 2007-09-13 at 07:22 +0800, Feizhou wrote:

> Bill Campbell wrote:
> > On Thu, Sep 13, 2007, Feizhou wrote:
> > <snip>
> > Unfortunately that isn't much use if you're running the default system with prelink as it changes large numbers of executables rendering the RPM verify close to useless.
>
> Eh? I thought it can figure out prelink's activity too? Has something changed?

Last time I experimented with this, RPM does understand. It "un-prelinks" files (to a temporary) and checks that size, IIRC. Unfortunately, it leaves some things around when rudely interrupted, rendering future (un)prelink and some other activities (I don't (care to :( ) recall all the details.

<snip sig stuff>
-- Bill
Bill Campbell wrote:

> Unfortunately that isn't much use if you're running the default system with prelink as it changes large numbers of executables rendering the RPM verify close to useless.

Unless you are using a very old version of rpm, prelink is not a problem.
On Thu, Sep 13, 2007, Karanbir Singh wrote:

> Bill Campbell wrote:
> > Unfortunately that isn't much use if you're running the default system with prelink as it changes large numbers of executables rendering the RPM verify close to useless.
>
> unless you are using a very old version of rpm, prelink is not a problem

There are still a metric tonne of S.5... lines when doing ``rpm -V''
I just ran a script now that checks all packages on a fresh install of Centos 5, x86_64 with all updates applied. This should be pretty clean on a new install, but ``wc'' on the output returns ``45031 100197 2608718''. Over 45,000 lines of output is a bit much on a new system.
Running ``fgrep S.5 filename | grep '/usr/bin/' | wc'' returns 446 files that fail verification in just the /usr/bin directory.
This is on a system without prelink, and hasn't been up long enough for cron to have run it in any case. My guess is that it has something to do with the way CentOS handles 64 bit packaging. It appears that it's installing i386 and x86_64 versions of packages. ``rpm -qa | sort | uniq -c'' shows 337 packages with the duplicate names.
Bill -- INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
Government spending? I don't know what it's all about. I don't know any more about this thing than an economist does, and, God knows, he doesn't know much. -- Will Rogers
Bill Campbell wrote:

> On Thu, Sep 13, 2007, Karanbir Singh wrote:
> > Bill Campbell wrote:
> > > Unfortunately that isn't much use if you're running the default system with prelink as it changes large numbers of executables rendering the RPM verify close to useless.
> >
> > unless you are using a very old version of rpm, prelink is not a problem
>
> There are still a metric tonne of S.5... lines when doing ``rpm -V''

Yeah, a good number of my configuration files suffer from that. I wonder why.

> I just ran a script now that checks all packages on a fresh install of Centos 5, x86_64 with all updates applied. This should be pretty clean on a new install, but ``wc'' on the output returns ``45031 100197 2608718''. Over 45,000 lines of output is a bit much on a new system.

I do not know about CentOS 5; my system is CentOS 4.

> Running ``fgrep S.5 filename | grep '/usr/bin/' | wc'' returns 446 files that fail verification in just the /usr/bin directory.

'rpm -Va > verifycheck3' Then:
fgrep S.5 verifycheck3 | grep '/usr/bin/'
S.5....T /usr/bin/dltest
S.5....T /usr/bin/isql
S.5....T /usr/bin/iusql
S.5....T /usr/bin/odbc_config
S.5....T /usr/bin/odbcinst

That 446 would not happen to be the last number from wc output, would it? The above yields 144 characters, 10 words and 5 lines if piped into wc.

> This is on a system without prelink, and hasn't been up long enough for cron to have run it in any case. My guess is that it has something to do with the way CentOS handles 64 bit packaging. It appears that it's installing i386 and x86_64 versions of packages. ``rpm -qa | sort | uniq -c'' shows 337 packages with the duplicate names.

The above was on a 64-bit system.
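Added example, not part of the original thread: one way to reduce rpm -Va output to the lines discussed here is to keep entries that fail both the size (S) and digest (5) tests, as the fgrep S.5 filter above does, drop files the package marks as config or documentation, and count with wc -l so the character column of bare wc is never read as a file count. The function names are made up here, and the sample is constructed apart from the two /usr/bin lines quoted above.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output. Function names are made up here.
# Line layout assumed: FLAGS [ATTR] PATH, where FLAGS is the 8 or 9 character
# result string (S = size, 5 = digest, T = mtime, "." = test passed) and ATTR
# is an optional one-letter file marker (c config, d doc, g ghost, l license,
# r readme). Paths containing whitespace are not handled.

# changed_files [PREFIX]: print paths under PREFIX (default /) that fail both
# the size and digest tests and carry no ATTR marker.
changed_files() {
    awk -v prefix="${1:-/}" '
        $1 == "missing" { next }                 # absent files: separate question
        NF < 2 { next }
        {
            attr = (NF >= 3 && length($2) == 1) ? $2 : ""
            if (attr != "") next                 # config/doc edits are expected
            if (substr($1, 1, 1) != "S" || substr($1, 3, 1) != "5") next
            if (index($NF, prefix) == 1) print $NF
        }
    '
}

# count_changed [PREFIX]: number of such files, counted as lines only.
count_changed() {
    changed_files "$1" | wc -l | tr -d " "
}

# Constructed sample. The two /usr/bin lines are the ones quoted in the thread;
# every other line is invented for illustration.
sample_verify() {
    cat <<'EOF'
S.5....T /usr/bin/dltest
S.5....T /usr/bin/isql
S.5....T c /etc/ssh/sshd_config
.......T c /etc/inittab
..5....T /usr/sbin/example-daemon
missing    /var/run/example.pid
SM5....T /usr/lib/example/libexample.so
EOF
}

sample_verify | changed_files /usr/bin/
echo "changed under /usr/bin/: $(sample_verify | count_changed /usr/bin/)"
```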
Bill Campbell wrote:

> It appears that it's installing i386 and x86_64 versions of packages. ``rpm -qa | sort | uniq -c'' shows 337 packages with the duplicate names.

rpm based distributions have supported and handled multilib for a very long time. You might want to read up about that and how it works. If it's not something you want, it's easy to turn off and remove.
On Wed, 2007-09-12 at 16:12 -0700, Bill Campbell wrote:

> On Thu, Sep 13, 2007, Feizhou wrote:
> <snip>
> Unfortunately that isn't much use if you're running the default system with prelink as it changes large numbers of executables rendering the RPM verify close to useless.

NAFAIK. See my reply to Feizhou's "Eh..." post.

> Bill
> <snip sig stuff>

-- Bill
Dear Feizhou Salam!!!
Well, when I first installed the machine, it's been almost 9 months back, I updated the system using "yum update".
Regards,
Umair Shakil ETD

On 9/13/07, Feizhou feizhou@graffiti.net wrote:

> > I have seen vi do this action when it didn't understand a keycode on the terminal you are using properly... change the case of a few letters next to the cursor. But IIRC that was busybox vi.
> > Is it crazy to propose someone opened /etc/passwd in vi, and saved it out without noticing this had happened?
>
> If you suspect your box has been rooted, then perhaps it is time to do some checking.
> rpm -Va
> Also, have you ever updated the box?