/bin/login corrupted. HELP !!!

Post by gg » Sun, 15 Nov 1998 04:00:00


One of my PPro boxes, RedHat 4.2 kernel 2.0.35, has been attacked.
The /bin/login file was replaced with some other stuff. A sniffer, I suppose.
So, I ftped a copy of /bin/login from a different box (same RedHat and
kernel versions). However, I was damned stupid not to chmod the ftped login.
Now, I can't login anymore in my box. Actually, I think the problem is
/bin/login, because I also changed some other protections according to
suggestions from the tiger package.

This is the output of "rsh locked.box ls -l /bin/login":
-rw-r--r--   1 root     0           18732 Nov 13 20:07 /bin/login

How can I log into the box again ??? Any sort of "rescue" procedure ? Should
I try to "upgrade" the box starting from bootdisk images etc etc ?

Tools I have at my disposal:

Original InfoMagic CDs with RedHat 4.2
No DOS partitions at all.
Another box IDENTICAL to the "locked" one (I could extract the HD from the
"locked" box, mount it on the "working" box, replace the /bin/login file and
put the HD back in the "locked" box... however seems weird)

Any help is GREATLY appreciated....
Please, reply to me because I'm not subscribed to the list.


Luigi Cavallo
Dept. of Chemistry
Univ. of Naples
Naples ITALY