CENTOS 6.2 atd FAILED

cleetusantony
Posts: 17
Joined: 2017/11/22 05:13:39

Re: CENTOS 6.2 atd FAILED

Post by cleetusantony » 2017/11/25 10:42:47

Hi All,

Managed to take out the data from the system.
Thank you all who helped me.

Cheers
Cleetus

cleetusantony
Posts: 17
Joined: 2017/11/22 05:13:39

Re: CENTOS 6.2 atd FAILED

Post by cleetusantony » 2017/11/26 04:41:42

TrevorH wrote: Does /etc/passwd exist? If it doesn't, can you add one with the contents

root:x:0:0:root:/root:/bin/bash

then chmod it 644. See if any other /etc/passwd* files exist that could be used to copy back an older version.

From single user mode you can attach a USB drive and copy off any data that is essential

I didn't try it yet, as I was anxious about the data, and I managed to take it through single user mode by attaching a USB drive.

Can I ask how reliable CentOS 7 Server is, as you advised me earlier to install 6.9?

Regards
Cleetus

TrevorH
Forum Moderator
Posts: 22979
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CENTOS 6.2 atd FAILED

Post by TrevorH » 2017/11/26 07:37:06

CentOS 7 seems reliable to me but it's more of an upgrade from the 6 you're on now. It's probably where you want to end up in the end though so perhaps worth doing now if you have to start over anyway.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

cleetusantony
Posts: 17
Joined: 2017/11/22 05:13:39

Re: CENTOS 6.2 atd FAILED

Post by cleetusantony » 2017/11/26 10:30:40

Thank you Trevor

Regards
Cleetus

cleetusantony
Posts: 17
Joined: 2017/11/22 05:13:39

Re: CENTOS 6.2 atd FAILED

Post by cleetusantony » 2017/11/30 12:32:57

TrevorH wrote: Does /etc/passwd exist? If it doesn't, can you add one with the contents

root:x:0:0:root:/root:/bin/bash

then chmod it 644. See if any other /etc/passwd* files exist that could be used to copy back an older version.

From single user mode you can attach a USB drive and copy off any data that is essential


There is no line for root in the passwd file.
The first line is
firefart:fiHc5MTu2PhIc:0:0:pwned:/root:/bin/bash

Is that why I am getting a firefart login in single user mode instead of root?

After putting in this root:x:0:0:root:/root:/bin/bash, please tell me what the step is to chmod it.
Do I need to delete the firefart line from the passwd file?
Will that fix the root login issue?

stevemowbray
Posts: 377
Joined: 2012/06/26 14:20:47

Re: CENTOS 6.2 atd FAILED

Post by stevemowbray » 2017/11/30 12:58:01

That indicates you have an intruder. You can't trust anything on the system once the machine has been owned. You need to reinstall and make sure you've updated and secured everything and then put back your data.

TrevorH
Forum Moderator
Posts: 22979
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CENTOS 6.2 atd FAILED

Post by TrevorH » 2017/11/30 13:18:56

In case that wasn't plain: your machine has been compromised and is no longer yours. You cannot safely recover from this situation without reinstalling. You should back up your data, examine it carefully for signs of compromise, reformat and reinstall the machine and then restore your data and reinstall your apps.

It's not certain but there's a good chance that it was compromised because it was so old. Please make sure you yum update to date so that all known compromise vectors are closed off.

stevemowbray
Posts: 377
Joined: 2012/06/26 14:20:47

Re: CENTOS 6.2 atd FAILED

Post by stevemowbray » 2017/11/30 15:14:39

Also given that passwd file line I'd say it was probably "Dirty COW" that was exploited using this:

https://www.exploit-db.com/exploits/40839/

That vulnerability was fixed a long time ago on systems which receive updates.
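
The indicators discussed in this thread (a UID 0 account that is not root, a password hash stored directly in /etc/passwd, and no root entry) can be checked with a short audit script. This is an added example, not part of any forum post; the function names and the sample entries other than the firefart line are constructed for illustration.

```shell
#!/bin/sh
# audit_passwd [FILE]: read passwd(5) entries from FILE (or stdin) and print
# one finding per line. Exit status 0 = no findings, 1 = findings.
audit_passwd() {
    awk -F: '
        # Skip blank lines and comments.
        /^[ \t]*$/ || /^#/ { next }
        # passwd(5) entries have exactly seven colon-separated fields.
        NF != 7 { printf "MALFORMED line %d (%d fields)\n", NR, NF; bad++; next }
        $1 == "root" && $3 ~ /^0+$/ { root_ok = 1 }
        # Any UID 0 account has full root privileges, whatever its name.
        $3 ~ /^0+$/ && $1 != "root" {
            printf "UID0 non-root account: %s (gecos: %s)\n", $1, $5; bad++
        }
        # With shadow passwords field 2 is normally "x" (or "*" / "!" when locked).
        $2 == "" { printf "EMPTY password field: %s\n", $1; bad++ }
        $2 != "" && $2 !~ /^(x|\*|!+)$/ { printf "HASH in passwd field: %s\n", $1; bad++ }
        END {
            if (!root_ok) { print "MISSING root entry with UID 0"; bad++ }
            exit (bad > 0)
        }
    ' "$@"
}

# Constructed sample: the first line is the one quoted in the thread,
# the remaining entries are typical system accounts added for illustration.
sample_compromised() {
    cat <<'EOF'
firefart:fiHc5MTu2PhIc:0:0:pwned:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
EOF
}

# Constructed sample of an unmodified file.
sample_clean() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
EOF
}

sample_compromised | audit_passwd || echo "findings above: treat the host as compromised"
```

On a real host, run `audit_passwd /etc/passwd` against the disk mounted from trusted rescue media, since the tools on a compromised system cannot be trusted.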

cleetusantony
Posts: 17
Joined: 2017/11/22 05:13:39

Re: CENTOS 6.2 atd FAILED

Post by cleetusantony » 2017/12/03 05:19:54

Thank you Trevor and Steve

Can you tell me what measures we can take so that this kind of attack does not happen?

Regards
Cleetus

Whoever
Posts: 1012
Joined: 2013/09/06 03:12:10

Re: CENTOS 6.2 atd FAILED

Post by Whoever » 2017/12/03 21:52:37

cleetusantony wrote: Thank you Trevor and Steve

Can you tell me what measures we can take so that this kind of attack does not happen?

Regards
Cleetus

Start by keeping your system up to date.
