I would check the login files in /etc and the password files. If there is a
dup line in the login files or some kind of control character in the
password files or the profile / .profile, this can create the second request.
In old Unix OSes there were sometimes problems with the login which showed
up this way. If a change was made in the password recently or the profiles
were altered, there may have been something done to one of the files which
is telling it to reread/echo something or redo something. They can get lost
in the process. Do an env check after the login - this may give a clue to
the source. Check the trap and echoes in the profile; it may be doing an
extra echo. How about another login? Change something in the login -
password, $PATH, etc.
You can set up a capture or output of the input and screen echoes for the
next login. This may indicate where the extra line is coming from or when.
Thanks,
Tim Sinks
----- Original Message ----- 
From: "Erik Anderson" <erik at andersonfam.org>
To: <hoeff001 at umn.edu>; "TCLUG Mailing List" <tclug-list at mn-linux.org>
Sent: Tuesday, December 30, 2003 6:19 PM
Subject: Re: [TCLUG] wierd rh8.0 behavior


> Ed Hoeffner wrote:
>
> > Can you tell if the su file (/bin ?) has been changed? Years ago (I imagine
> > people are too advanced for this now) a hacker would move login, replacing
> > it with a script that did nothing more than look like login, trapping the
> > password and doing something nefarious with it, show a login failure, and
> > then call the real login to allow things to run normally.
> >
> > Probably has nothing to do with these days and times, but I thought I'd toss
> > it out anyway.
>
> Good idea.  I checked and the md5sum of /bin/su matches against a box
> that's behaving correctly.
>
> -Erik
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org tclug-list at mn-linux.org
> https://mailman.real-time.com/mailman/listinfo/tclug-list
>
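
Added example, not part of the original thread: a small Python script for the check suggested in the reply at the top, looking for duplicate lines and stray control characters in password and profile files. The function name, the constructed sample data, and the choice to accept only tab and newline as control bytes are assumptions of this example.

```python
import sys

# Control bytes that are normal in a text file: tab and newline.
ALLOWED = {0x09, 0x0A}

def audit_bytes(data, check_duplicates=True):
    """Return (line_no, kind, detail) findings for one file's raw bytes."""
    findings = []
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # the file ended with a newline; no empty last line
    for no, line in enumerate(lines, 1):
        bad = sorted({b for b in line
                      if (b < 0x20 or b == 0x7F) and b not in ALLOWED})
        if bad:
            findings.append((no, "control", " ".join(f"0x{b:02x}" for b in bad)))
    if check_duplicates:
        # Skip blank lines and comments; report each repeat of an earlier line.
        seen = {}
        for no, line in enumerate(lines, 1):
            key = line.strip()
            if not key or key.startswith(b"#"):
                continue
            if key in seen:
                findings.append((no, "duplicate", f"same as line {seen[key]}"))
            else:
                seen[key] = no
    return findings

# Constructed samples: a passwd-style file with a stray carriage return and a
# repeated entry, and a profile with an escape character inside an echo.
SAMPLE_PASSWD = (b"root:x:0:0:root:/root:/bin/bash\n"
                 b"user1:x:500:500::/home/user1:/bin/bash\r\n"
                 b"root:x:0:0:root:/root:/bin/bash\n")
SAMPLE_PROFILE = b"# .profile\nPATH=$PATH:$HOME/bin\necho \x1b[2Jwelcome\n"

def main(paths):
    if not paths:  # no arguments: run on the constructed samples
        print(audit_bytes(SAMPLE_PASSWD))
        print(audit_bytes(SAMPLE_PROFILE, check_duplicates=False))
    for path in paths:
        with open(path, "rb") as fh:
            for no, kind, detail in audit_bytes(fh.read()):
                print(f"{path}:{no}: {kind}: {detail}")

if __name__ == "__main__":
    main(sys.argv[1:])
```

Duplicate detection is meant for entry-per-line files such as /etc/passwd; for shell profiles, where lines like `fi` repeat legitimately, pass `check_duplicates=False`.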

