



(?) The Answer Gang (!)


By Jim Dennis, Ben Okopnik, Dan Wilder, Breen, Chris, and the Gang, the Editors of Linux Gazette... and You!
Send questions (or interesting answers) to tag@lists.linuxgazette.net

There is no guarantee that your questions here will ever be answered. Readers at confidential sites must provide permission to publish. However, you can be published anonymously - just let us know!


(?) Cannot Login Question

From Nancy Laemlein

Answered By Ben Okopnik

Hello,

I found my problem listed as http://linuxgazette.net/issue37/tag/46.html, but no solution.

I have been running RH6.2, kernel 2.2.14-50, on i586, as two test servers.

Both have been running for one-two months. One morning I restarted both servers and then found that no normal user could successfully log in. I could only log in as root, or even more bizarre, as any user but using the root password.

(!) [Ben] Hm. I hate to jump to such an obvious conclusion, but that kind of behavior seems "man-made" rather than some specific failure. Your site may well have been cracked.
One of the first things I'd do - given the problems that you're encountering - is compare the size of your "/bin/login" and "/bin/bash" to those on a normal system (this assumes the same distro or at least GNU utility versions on the machines.) If they're significantly larger, they're probably "rootkit" versions, compiled with the library calls in the executable. If you can compare the sizes with the originals (i.e., look inside the RPMs), so much the better.
Check your access logs. The intruder can wipe those, but there's always a chance - most script kiddies are pretty inept.
Do a "find / -name bash" to search for an extra copy (usually SUID'd) of "bash"; in fact, doing an occasional search for SUID'd files on your system - and being familiar with that hopefully very short list - is a good thing to do on any system you admin.

(?)

I have created a new user and tried logging in; same scenario, new user cannot log in with newly assigned user/password, can log in as new user using root password.

For "startx" problem I have checked /etc/security/console.perms and edited File classes

 from:
 <console>tty=[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
 to:
 <console>tty=[0-9][0-9]* vc\/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]

I think the origin is in the password problem but I don't know where to start. Servers are using shadow password, files /etc/passwd and /etc/shadow look like this:

  -rw-r--r--  1 root  root  944 passwd
  -rw-r--r--  1 root  root  944 passwd-

  -r--------  1 root  root  979 shadow
  -r--------  1 root  root  979 shadow-

Do you have any ideas?

Many Thanks -
Nancy Laemlein

(!) [Ben] The perms look OK; that might not have much to do with it though. If you find that you have indeed been cracked, you'll need to reinstall your system (since anything could be compromised), and read the Security-HOWTO before putting it back on-line. Running Bastille (a sort of an automated security audit) on your machine is a fairly good idea.
Do note that the problem could be as simple as some strange library succumbing to bit rot. Doing diagnostics via e-mail with limited information is a middlin' tough job.


This page edited and maintained by the Editors of Linux Gazette Copyright © 2001
Published in issue 68 of Linux Gazette July 2001
HTML script maintained by Heather Stern of Starshine Technical Services, http://www.starshine.org/


