Re: pam, ssh, user account vulnerability

From: Rick Moen (rick_at_linuxmafia.com)
Date: 09/28/05


Date: Tue, 27 Sep 2005 20:46:52 -0400

Lenny G. <alengarbage@yahoo.com> wrote:

[Intruders entered via a guessed username/password pair.]

> Luckily, the attacker wasn't able to compromise anything else on the
> system -- they weren't able to get a local root elevation and the
> system is otherwise (verifiably) intact (thank you rpm -Va!).

You sure about that?

1. "rpm -Va" only verifies that a bunch of package-owned files'
md5sums match those on record in the BerkeleyDB files in /var/lib/rpm.
A smart intruder will update the database records to match his meddling.

So: Did you bother to compare /var/lib/rpm/* against a copy stored
on write-protected or offline media? Otherwise, your assurance is a
little fragile -- and being wrong with confidence (about system
security) is often much worse than merely not knowing.

A guy I shave every morning once referred to this query (how do you know
within reasonable certainty that one has _not_ been compromised) as an
"Excellent question." See: http://linuxgazette.net/issue98/moen.html

2a. My recollection is that that check compares the hashes of files
installed from the RPMs, but there's no provision for checking
security-sensitive files that weren't provided by the packaging system.

2b. My recollection is that the check also excludes many (all?) package
configuration files; otherwise, there would be lots of false positives
caused by normal sysadmin-created local machine configuration data.

You have to make a judgement call as to whether you think your system
has been root-compromised. Tough one. It might help to install your
distro onto a second machine and compare all the PAM-related files you
can find, between the hosts.

Personally, if I had any doubt, I'd secure all data files, the names of
installed packages, and a tarball of /etc, rebuild from trusted media,
apply security updates before connecting to public networks, restore
data files, manually rebuild local machine state by reference to (but
not copying files from) the reference tarball of /etc, and finally allow
the users back in with changed passwords and a heart-to-heart chat.

And I'd also install & configure a file-based IDS, rather than just
relying on "rpm -Va" in the future.

-- 
Cheers,     Founding member of the Hyphenation Society, a grassroots-based, 
Rick Moen   not-for-profit, locally-owned-and-operated, cooperatively-managed,
rick@linuxmafia.com     modern-American-English-usage-improvement association.
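The point about comparing /var/lib/rpm against a copy kept on write-protected or offline media, as an added example that is not part of the original post: a small POSIX shell snapshot-and-verify routine. It assumes GNU coreutils sha256sum and uses a constructed stand-in directory instead of the real /var/lib/rpm; the baseline file it produces is only useful if stored somewhere an intruder cannot rewrite.

```shell
#!/bin/sh
# Constructed example (not from the original post): snapshot the hashes of
# every regular file under a directory such as /var/lib/rpm, then verify the
# live directory against that snapshot later. Keep the snapshot on offline
# or write-protected media; on the same disk it is no stronger than the
# RPM database itself. HASH_TOOL is an assumption (GNU coreutils sha256sum).
HASH_TOOL="sha256sum"

# Write "<hash>  ./relative/path" for every regular file under $1 into $2,
# sorted by path so two snapshots of the same tree compare line by line.
make_baseline() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f -exec "$HASH_TOOL" {} + | LC_ALL=C sort -k2 ) > "$out"
}

# Recompute the snapshot of $1 and compare it with the stored baseline $2.
# Returns 0 when every file matches, 1 when anything was added, removed or
# altered; the diff on stderr shows exactly which entries differ.
verify_baseline() {
    dir="$1"; baseline="$2"
    current=$(mktemp)
    make_baseline "$dir" "$current"
    if cmp -s "$baseline" "$current"; then
        rm -f "$current"
        return 0
    fi
    echo "INTEGRITY MISMATCH under $dir:" >&2
    diff "$baseline" "$current" >&2 || true
    rm -f "$current"
    return 1
}

# Demonstration on a constructed stand-in for /var/lib/rpm.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/rpmdb"
    printf 'fake package index\n' > "$work/rpmdb/Packages"
    printf 'fake file index\n'    > "$work/rpmdb/Basenames"
    make_baseline "$work/rpmdb" "$work/baseline.sha256"   # copy this offline
    verify_baseline "$work/rpmdb" "$work/baseline.sha256" && echo "clean"
    # A database record rewritten to hide a replaced file:
    printf 'edited file index\n' > "$work/rpmdb/Basenames"
    verify_baseline "$work/rpmdb" "$work/baseline.sha256" 2>/dev/null || echo "tampered"
    rm -rf "$work"
}
demo
```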
