
Intruder Alert???


Michelle vanSkyock

Nov 16, 1994, 9:56:33 AM

Hi again.

Last night I nearly had our HP system set up, when suddenly this error
appeared every time a non-root user logs in. Here's the scoop.

We have a script that will install testing users & set up their home
directories. I used it to create myself as a user. Included in the
.login files is the line setenv USER `whoami`

My userid worked perfectly. I created a handful more, and now when I
log in as *any* user (except root), I get the following message
immediately:

`whoami`: Ambiguous.
Intruder alert.@moe>

If I try to find out who it thinks I am, I get:

Intruder alert.@moe> whoami
Intruder alert.
Intruder alert.@moe> who am i
exumrv pty/ttys0 Nov 16 08:47
Intruder alert.@moe> cd ~
/users/exumrv


Anybody got a clue why this suddenly showed up? Where is my
intruder?!

Waiting on pins & needles,
Michelle :^)

PS - Could it be because some users have the same password?

___________________________________________________________________
Michelle R. vanSkyock Ericsson North America
Software Engineer Conquest is easy. Richardson, TX
Control is not.
-- Captain Kirk, StarTrek


Christopher Wargaski

Nov 16, 1994, 1:25:07 PM
In <3ad6j1$k...@cnn.exu.ericsson.se> exu...@exu.ericsson.se (Michelle vanSkyock) writes:


>We have a script that will install testing users & set up their home
>directories. I used it to create myself as a user. Included in the
> .login files is the line setenv USER `whoami`

Why not get this information from the shell? Or are you running a custom
built shell?


>Anybody got a clue why this suddenly showed up? Where is my
>intruder?!

Wow, that is a new one, I would suggest -- if you are using a standard
shell -- grabbing the id from it. Start there, and see if you get the
intruder message. If so, then post again.

>Waiting on pins & needles,
>Michelle :^)

>PS - Could it be because some users have the same password?

No, remember a salt (based upon the time of day) is used in password
encryption, so any two passwords that are the exact same in un-encrypted
clear text will have different encryptions given that they were encrypted
at different times. The chances of that are pretty high too! ;-)

cjw

>___________________________________________________________________
>Michelle R. vanSkyock Ericsson North America
>Software Engineer Conquest is easy. Richardson, TX
> Control is not.
> -- Captain Kirk, StarTrek


--

Christopher Wargaski
c...@nwu.edu

Bob Campbell

Nov 16, 1994, 7:00:27 PM
Michelle vanSkyock (exu...@exu.ericsson.se) wrote:

: Anybody got a clue why this suddenly showed up? Where is my
: intruder?!

This is one of my favorite messages. "Intruder alert." is generated
when a user is logged onto the system with a uid that is not found in
/etc/passwd.

As an example:

hpcoex03(5)-> whoami
foobar
hpcoex03(6)-> who am i
foobar ttyp6 Nov 16 15:56
hpcoex03(7)-> id
uid=123(foobar) gid=20(users)

### At this point, I edit /etc/passwd and remove foobar while remaining
### logged on to the system.

hpcoex03(8)-> whoami
Intruder alert.
hpcoex03(9)-> who am i
foobar ttyp6 Nov 16 15:56
hpcoex03(10)-> id
uid=666() gid=20(users)
---------------------------------------------------------------------------
Bob Campbell Some times I wish that I could stop you from
camp...@cup.hp.com talking, when I hear the silly things you say.
Hewlett Packard - Elvis Costello

Michelle vanSkyock

Nov 17, 1994, 9:54:58 AM
In article E...@cup.hp.com, camp...@cup.hp.com (Bob Campbell) writes:
>Michelle vanSkyock (exu...@exu.ericsson.se) wrote:
>
>: Anybody got a clue why this suddenly showed up? Where is my
>: intruder?!
>
>This is one of my favorite messages. "Intruder alert." is generated
>when a user is logged onto the system with a uid that is not found in
>/etc/passwd.
>
>As an example:
[chop]

As I found out, it's also the message one gets when the user doesn't
have read access to the passwd file. :-O

Cheers,
Michelle :^)

Terry Yip

Nov 17, 1994, 9:38:21 AM
In article <3ad6j1$k...@cnn.exu.ericsson.se> you write:
>
> log in as *any* user (except root), I get the following message
> immediately:
>
> `whoami`: Ambiguous.
> Intruder alert.@moe>
>
> If I try to find out who it thinks I am, I get:
>
> Intruder alert.@moe> whoami
> Intruder alert.
> Intruder alert.@moe> who am i
> exumrv pty/ttys0 Nov 16 08:47
> Intruder alert.@moe> cd ~
> /users/exumrv
>

The 'whoami' program uses the current uid (or is it euid; I can't
remember) and tries to look up its matching username in the password
file (via getpwuid(uid) or something similar). When the call fails,
i.e. when there is no entry with that uid, it does not know what the
username is and so puts 'Intruder alert' instead.

As for 'who am i' that just looks at the file /etc/utmp which is
filled in by the 'login' program.

Having given you the background info you can deduce the rest...

Oh... alright ...
What's happened is the password file is ok when the user is
logging in, but between that time and the 'whoami', the
password file entry for that user gets corrupted or removed,
by another root user say.

To find out which entry or if it has been removed do this :-
csh> whoami
Intruder alert.
csh> rm -f junk
csh> touch junk
csh> ls -l junk
-rw-r----- 1 1234 sys 0 Nov 16 11:09 junk
csh> grep 1234 /etc/passwd

>
> PS - Could it be because some users have the same password?
>

No.

Hope it helps.

PS. One last point, amend text as appropriate if you are
using NIS passwd server.

--
Terry Yip. BNR Europe Ltd, London, England.
T....@bnr.co.uk
The opinions expressed here are not mine, even if I said they were.
The opinions expressed here are not BNRs, even if I said they were.
The opinions expressed here are not anybodies, even if I said they were.

John Pezzano

Nov 17, 1994, 9:33:53 AM
Michelle vanSkyock (exu...@exu.ericsson.se) wrote:

: Last night I nearly had our HP system set up, when suddenly this error
: appeared every time a non-root user logs in. Here's the scoop.

: We have a script that will install testing users & set up their home
: directories. I used it to create myself as a user. Included in the
: .login files is the line setenv USER `whoami`

: My userid worked perfectly. I created a handful more, and now when I
: log in as *any* user (except root), I get the following message
: immediately:

: `whoami`: Ambiguous.
: Intruder alert.@moe>

: If I try to find out who it thinks I am, I get:

: Intruder alert.@moe> whoami
: Intruder alert.
: Intruder alert.@moe> who am i
: exumrv pty/ttys0 Nov 16 08:47
: Intruder alert.@moe> cd ~
: /users/exumrv


: Anybody got a clue why this suddenly showed up? Where is my
: intruder?!

Your password file is likely corrupt or inaccessible. Check it with pwck.
Check permissions.

Scary message, isn't it. Problem is that user who is logged on can't be
found in password file.

--
johnP
John Pezzano, HP NARC
Email: jo...@hpuerca.atl.hp.com

Charlie Brett

Nov 17, 1994, 3:04:03 PM
: Anybody got a clue why this suddenly showed up? Where is my
: intruder?!

This message is generated when you remove a user ID from /etc/passwd
while the user is logged in. Are you doing a setuid to a nonexistent
user at login? After logging in as a user, type id and check to see
if their euid is set. Check the permissions and ownership of the login
shell.

: Waiting on pins & needles,
: Michelle :^)

: PS - Could it be because some users have the same password?

Nope.


Charlie Brett - HP Ft. Collins
My opinions are my own and in no way represent Hewlett Packard.

Ron Kittle

Nov 17, 1994, 4:26:38 PM
Michelle vanSkyock (exu...@exu.ericsson.se) wrote:

: Last night I nearly had our HP system set up, when suddenly this error
: appeared every time a non-root user logs in. Here's the scoop.

: Intruder alert.@moe> whoami
: Intruder alert.

Most likely, the permissions on /etc/passwd are wrong.

The 'whoami' program prints "Intruder alert." if it can't find the
user id in the passwd file. This can happen if /etc/passwd is not
readable, or if the user id has been removed from /etc/passwd.
Since users can log in, that would indicate that their passwd entries
are in /etc/passwd.

The login process runs as root, so it can read /etc/passwd, and
allows users to login. However, the 'whoami' program is run as
a regular user, which wouldn't be able to read /etc/passwd.

Ron

Thomas V. Myers

Nov 21, 1994, 8:01:27 PM

Another way it can happen (and at our site it often does) is if you are using
the Passwd/Etc product. If network traffic is high or your registry
server(s) are Very Busy, the user is allowed to login, but when whoami tries
to resolve the user's name, no registry server responds in time. Talk about
fudging up somebody's login. VUE tends to get pretty annoyed when this
happens.

Cheers, Tom
--
Tom Myers, Network Manager; IC Design Center, P.O. Box 9005, M/S D18
Delco Electronics Corporation, Kokomo IN, 46904-9005
E-Mail: tvm...@icdc.delcoelect.com Voice:(317)451-3051 GM: 8-322-3051

Mike D. Resnick

Nov 23, 1994, 10:12:08 AM
To: exu...@exu.ericsson.se
Subject: Re: Intruder Alert???
Newsgroups: comp.sys.hp.hpux
In-Reply-To: <3ad6j1$k...@cnn.exu.ericsson.se>
Organization: Northrop Grumman Information Services Center, Hawthorne, CA
NNTP-Posting-Host: s16a03.exu.ericsson.se

>Hi again.
>
>Last night I nearly had our HP system set up, when suddenly this error
>appeared every time a non-root user logs in. Here's the scoop.

>directories. I used it to create myself as a user. Included in the
> .login files is the line setenv USER `whoami`
>
>My userid worked perfectly. I created a handful more, and now when I
>log in as *any* user (except root), I get the following message
>immediately:
>
>`whoami`: Ambiguous.
>Intruder alert.@moe>
>
>If I try to find out who it thinks I am, I get:
>
>Intruder alert.@moe> whoami
>Intruder alert.
>Intruder alert.@moe> who am i
>exumrv pty/ttys0 Nov 16 08:47
>Intruder alert.@moe> cd ~
>/users/exumrv
>
>
>Anybody got a clue why this suddenly showed up? Where is my
>intruder?!
>
>Waiting on pins & needles,
>Michelle :^)
>
>PS - Could it be because some users have the same password?
>
>___________________________________________________________________
>Michelle R. vanSkyock Ericsson North America
>Software Engineer Conquest is easy. Richardson, TX
> Control is not.
> -- Captain Kirk, StarTrek

Here's some hints:
1) Have root create a user account. Login as that user (from another
window or term.) While the new user is logged in, have root remove
the user from the passwd file. Then issue the whoami command as the
new user.
2) Change the ownership of the passwd file to 440 (it should be 444) and
try the whoami command as any user other than root.

In both of the above cases, you should get the intruder alert message.
Your problem is probably due to number 2 above.

MR.
_ _
|\ | _ ._ _|_ |_ ._ _ ._ /__ ._ ._ _ ._ _ _.._ / _ ._ _
| \|(_)| |_ | || (_)|_) \_| | |_|| | || | |(_|| | \_(_)| |_).
/--------------------------|---.----------------------------------|----------\
| Michael D. Resnick | mres...@world.nad.northrop.com |
| Northrop Grumman Corporation | Voice: 310.332.7807 |
| Military Aircraft - ILS LIS | Fax: 310.332.7816 |
| One Northrop Ave. 2555/W6 |---------------------------------------------|
| Hawthorne, CA 90250 | "Someday I'll quote myself and put it here" |
\------------------------------^---------------------------------------------/
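
An added example, not part of the original thread: a C program for the lookup the replies describe, reporting a missing passwd entry and an unreadable passwd file as separate outcomes rather than one "Intruder alert." message. The names `name_for_uid` and `write_sample` and the sample rows are constructed for illustration; a real whoami would go through getpwuid() and may consult NIS or another name service.

```c
/* Added example: tells apart the two causes the thread gives for whoami's
 * "Intruder alert.". All names and sample rows here are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum lookup { LOOKUP_FOUND, LOOKUP_NO_ENTRY, LOOKUP_UNREADABLE };
/* Scan a passwd(4)-format file (name:passwd:uid:...) for a numeric uid. */
enum lookup name_for_uid(const char *path, uid_t uid, char *name, size_t len)
{
    char line[1024], *c1, *c2, *end;
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return LOOKUP_UNREADABLE;   /* e.g. mode 440 and caller is "other" */
    while (fgets(line, sizeof line, fp) != NULL) {
        c1 = strchr(line, ':');
        c2 = c1 ? strchr(c1 + 1, ':') : NULL;
        if (c2 == NULL) continue;   /* malformed row: skip it */
        unsigned long v = strtoul(c2 + 1, &end, 10);
        if (end == c2 + 1 || *end != ':' || (uid_t)v != uid)
            continue;               /* uid field unparsable or not ours */
        *c1 = '\0';                 /* cut the row down to the login name */
        snprintf(name, len, "%s", line);
        fclose(fp);
        return LOOKUP_FOUND;
    }
    fclose(fp);
    return LOOKUP_NO_ENTRY;         /* file readable, but uid is absent */
}

/* Write a small constructed passwd file; returns 0 on success. */
int write_sample(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs("root:*:0:3::/:/bin/sh\nbroken line\nfoobar:*:123:20::/u/foobar:/bin/csh\n", fp);
    return fclose(fp);
}

int main(void)
{
    static const char *msg[] = { "found", "uid has no passwd entry", "passwd file unreadable" };
    char name[64] = "";
    enum lookup r = name_for_uid("/etc/passwd", geteuid(), name, sizeof name);
    printf("euid %lu: %s %s\n", (unsigned long)geteuid(), msg[r], name);
    return r == LOOKUP_FOUND ? 0 : 1;
}
```

Run as the affected non-root user, it shows which of the two conditions applies; `ls -l /etc/passwd` and `pwck` then confirm the permission or corruption problem.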
