
Suspected system compromise (was: Re: console login fails)



on Fri, Dec 19, 2003 at 05:25:13PM +1100, Patrick Lesslie (patricklesslie@iinet.net.au) wrote:
> On Fri, Dec 19, 2003 at 02:12:48PM +1100, Patrick Lesslie wrote:
> > I'm having trouble logging into tty1-tty6.  
> > 
> > I get a prompt, put in my username and hit enter, and then
> > it hangs for 10 seconds without asking for a password,
> > and brings up another login prompt.
> 
> Having done a bit more research, I'm upgrading "util-linux" and the
> aptly named "login" to sarge (some things were already there ;).
> However apt-get install login fails like this:
> 
> ...
> Unpacking replacement login ...
> dpkg: error processing /var/cache/apt/archives/login_1%3a4.0.3-12_i386.deb (--unpack):
>  unable to make backup link of `./bin/login' before installing new version: Operation not permitted
> Errors were encountered while processing:
>  /var/cache/apt/archives/login_1%3a4.0.3-12_i386.deb
> E: Sub-process /usr/bin/dpkg returned an error code (1)
> 
> I'm root, and I'm not sure why this is failing.

I smell a system compromise.

First try 'lsattr /bin/login'.  Check that the partition is mounted
writable.

Look at your process table -- 'cd /proc; echo *' or 'cd /proc; ls <tab>'
should show you what's available.  Treat with suspicion any process IDs
which persistently appear in output of one or the other of those
actions, but not in 'ps ux' output.

Better:  Immediately disconnect your system from network and boot known
good media:  a rescue disk, LNX-BBC, Damn Small Linux, Knoppix,
tomsrtbt, etc.  Compare /bin/login vs. md5sum from
/var/lib/dpkg/info/login.md5sums.

For additional tips:

    http://www.wiggy.net/debian/developer-securing/


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Backgrounder on the Caldera/SCO vs. IBM and Linux dispute.
      http://sco.iwethey.org/
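As an added example (not part of Karsten's reply, and not a Debian tool), here is a small POSIX sh script that carries out the two checks described above: it compares a package's installed files against the list dpkg keeps in /var/lib/dpkg/info/<pkg>.md5sums, with the suspect root mounted under a path of your choosing from known-good boot media, and it lists PIDs present in /proc but missing from ps output. It assumes coreutils md5sum and a procps-style ps; the function names and the MISMATCHES variable are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from dpkg.
# Usage from a rescue boot with the suspect root mounted read-only:
#   verify_pkg /mnt/suspect login
# dpkg's md5sums lines look like "<md5>  <path relative to />".

# verify_pkg ROOT PKG: print every file of PKG whose checksum differs
# from the recorded one or which is missing. Sets MISMATCHES to the
# count; returns 0 when clean, 1 on mismatches, 2 if no list was found.
verify_pkg() {
    root=$1
    list=$root/var/lib/dpkg/info/$2.md5sums
    MISMATCHES=0
    [ -r "$list" ] || { echo "no md5sums list for $2 under $root" >&2; return 2; }
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  /$path"
            MISMATCHES=$((MISMATCHES + 1))
            continue
        fi
        actual=$(md5sum "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED /$path (recorded $sum, on disk $actual)"
            MISMATCHES=$((MISMATCHES + 1))
        fi
    done < "$list"
    [ "$MISMATCHES" -eq 0 ]
}

# hidden_pids: PIDs that /proc lists but a single ps run does not.
# Short-lived processes cause one-off gaps; only PIDs that keep
# showing up across several runs deserve suspicion (a ps that has
# been replaced to hide processes would produce exactly that).
hidden_pids() {
    seen=$(ps -e -o pid=)
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        printf '%s\n' "$seen" | grep -qx " *$p" || echo "$p"
    done
}
```

Note that the md5sums list itself lives on the suspect disk, so a mismatch is strong evidence but a clean result is not proof; a copy of the .deb from a trusted mirror gives an independent reference.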
