Re: pam, ssh, user account vulnerability

From: Peter T. Breuer (ptb_at_oboe.it.uc3m.es)
Date: 09/28/05 

Date: Wed, 28 Sep 2005 07:14:35 +0200

Rick Moen <rick@linuxmafia.com> wrote:
> Lenny G. <alengarbage@yahoo.com> wrote:

> [Intruders entered via a guessed username/password pair.]

>> Luckily, the attacker wasn't able to compromise anything else on the
>> system -- they weren't able to get a local root elevation and the
>> system is otherwise (verifiably) intact (thank you rpm -Va!).

> You sure about that?

Yes - it does sound a little as though he has an adore module
installed. He DOES want to boot from a live cd, get chkrootkit,
and run it on the disk, mounted under /mnt.

He wants to avoid his normal init sequence, as the files will have been
doctored to install the module at each boot. A simple ls -lr on the
init scripts can show the trail, but it's generally sysklogd's script
which has had the extra lines added.

> 2b. My recollection is that the check also excludes many (all?) package
> configuration files; otherwise, there would be lots of false positives
> caused by normal sysadmin-created local machine configuration data.

Makes sense. But if it's an adore module the checksums will be correct
anyway. Neither he nor the chechksummer will see the REAL files.

> You have to make a judgement call as to whether you think your system
> has been root-compromised. Tough one. It might help to install your
> distro onto a second machine and compare all the PAM-related files you
> can find, between the hosts.

Only after avoiding his own init sequence!

Peter

Relevant Pages

  • Re: XP HOME BOOT FAILURE
    ... Boot the system, start tapping F8, when the menu appears, select ... download install and run the application: ... A repair install should bypass that but it will ... >> on, follow the screens. ...
    (microsoft.public.windowsxp.accessibility)
  • Re: Dual Boot; worried about overwriting C: Boot Drive with Win2k
    ... > replacement, I decided to install that as a slave drive, but I have not ... I also want to dual boot, ... DO NOT install the Linux boot loader on ...
    (alt.os.linux.redhat)
  • Re: boot sector f*ed
    ... "I updated the machine and it doesn't boot anymore". ... Please capture the output from running fdisk and bsdlabel on the problem disk ... Soft updates is a technique employed by the filesystem to ensure that the file ... application to install the 64bit FBSD with flashplugin on the portable ...
    (freebsd-questions)
  • Re: Start Menu, Icons Not Appearing
    ... Also, make sure your system has no malware, download, install and run Ad ... Assuming your system is set to boot from the CD-ROM drive, ... To Setup Windows XP now, ... To Repair a Windows XP Installation using Recovery Console press R. ...
    (microsoft.public.windowsxp.accessibility)
  • Re: PLEASE HELP: 2 ERROR MESSAGES
    ... The advice to do a repair install, turned out to be a grievous and expensive ... The repair install caused a corruption and windows became ... It seems as though it would not boot from the CD ...
    (microsoft.public.windowsxp.general)