
Re: Virus in linux????????



Hi Nick, thanks for the reply,

I did check /etc/passwd and the shell for root is /bin/bash.

What next?

Regards
Rahul

----- Original Message -----
From: "Nick Hill" <nikhilwiz@xxxxxxxxx>
To: <linux-india-programmers@xxxxxxxxxxxxxxxxxxxxx>
Sent: Monday, January 15, 2001 6:32 PM
Subject: Re: [LIP] Virus in linux????????


> On Sat, Jan 13, 2001 at 01:23:42PM +0530, Rahul Jindal wrote:
> >     IF THE PASSWORD IS THE SAME AS THE ADMIN HAD SET IT - THE SCREEN WOULD
> > SIMPLY CLEAR, WITHOUT GIVING ANY MESSAGE.
>
> u're shell is fscked, or someone put /bin/nologin as r00t's shell. check
> up /etc/passwd.
>
> > 2. IF WE TRY TO RESTART THE COMPUTER BY DOING THE FOLLOWING
> >         A) PRESS CTRL-ALT-DELETE
> >         B) reboot
> >         C) SHUTDOWN -H 0
> > THE FOLLOWING MESSAGE APPEARS
> >
> > "You don't exist anyway. Go away".
> >
>
> this is a standard message for nonexistent users. maybe someone messed
> around with u're /etc/passwd, and got to delete r00t. since shutdown and
> co. run with r00t privileges, when there's a setuid to r00t, the process
> cannot get its owner's pid/gid, as there's nowhere to look; /etc/passwd
> being the standard place to look, now not withstanding.
>
> > What is this going on?
>
> aw... this is not a virus. someone just screwed u're system in a major
> way, when practicing commands. maybe someone just scrapped u're shell.
> maybe it's overtime to keep in mind that Operating As R00T Is Evil (tm).
> at least u don't get to change stuff u're not ought to.
>
> Nikhil.
>
>
>
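
The two /etc/passwd checks raised in this thread (is there still an entry for UID 0, and does it have a usable login shell), as an added example that is not part of the original messages. The function name `audit_passwd`, the no-login shell list and the sample passwd text are assumptions constructed for illustration.

```python
"""Audit passwd-format text for the two faults discussed in the thread:
a missing UID 0 entry and an unusable root login shell."""

# Shells that refuse interactive logins (assumed list for this example).
NOLOGIN_SHELLS = {"/bin/nologin", "/sbin/nologin", "/bin/false"}


def audit_passwd(text, valid_shells):
    """Return findings for passwd-format text; valid_shells stands in for /etc/shells."""
    findings = []
    uid0 = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if not uid.isdigit():
            findings.append(f"line {lineno}: non-numeric UID for {name!r}")
            continue
        if int(uid) == 0:
            # An empty shell field means the system default, /bin/sh.
            uid0.append((name, shell or "/bin/sh"))
    if not uid0:
        # A lookup of UID 0 in this file finds nothing, so a process
        # running as UID 0 cannot be mapped back to a user name.
        findings.append("no entry with UID 0: root cannot be looked up")
    for name, shell in uid0:
        if name != "root":
            findings.append(f"UID 0 account with unexpected name {name!r}")
        if shell in NOLOGIN_SHELLS:
            findings.append(f"{name}: login disabled by shell {shell}")
        elif shell not in valid_shells:
            findings.append(f"{name}: shell {shell!r} not in valid shell list")
    return findings


# Constructed sample inputs, not taken from the system in the thread.
HEALTHY = "root:x:0:0:root:/root:/bin/bash\nalice:x:500:500::/home/alice:/bin/bash\n"
ROOT_DELETED = "alice:x:500:500::/home/alice:/bin/bash\n"
ROOT_NOLOGIN = "root:x:0:0:root:/root:/bin/nologin\n"

if __name__ == "__main__":
    shells = {"/bin/bash", "/bin/sh"}
    for label, sample in [("healthy", HEALTHY), ("deleted", ROOT_DELETED), ("nologin", ROOT_NOLOGIN)]:
        print(label, audit_passwd(sample, shells))
```

On a live system the same function can be fed the contents of /etc/passwd and the non-comment lines of /etc/shells; an empty result for a root entry with /bin/bash, as reported in the reply above, means the fault lies elsewhere.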