From Nancy Laemlein
Answered By Ben Okopnik
Hello,
I found my problem listed as http://www.linuxgazette.com/issue37/tag/46.html, but no solution.
I have been running RH6.2 kernel2.2.14-50 on I586, as two test servers.
Both have been running for one-two months. One morning I restarted both servers and then I encountered no normal user could successfully login. I could only login as root, or even more bizarre, as any user but using the root password.
[Ben] Hm. I hate to jump to such an obvious conclusion, but that kind of behavior seems "man-made" rather than some specific failure. Your site may well have been cracked.
One of the first things I'd do - given the problems that you're encountering - is compare the size of your "/bin/login" and "/bin/bash" to those on a normal system (this assumes the same distro or at least GNU utility versions on the machines.) If they're significantly larger, they're probably "rootkit" versions, compiled with the library calls in the executable. If you can compare the sizes with the originals (i.e., look inside the RPMs), so much the better.
Check your access logs. The intruder can wipe those, but there's always a chance - most script kiddies are pretty inept.
Do a "find / -name bash" to search for an extra copy (usually SUID'd) of "bash"; in fact, doing an occasional search for SUID'd files on your system - and being familiar with that hopefully very short list - is a good thing to do on any system you admin.
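A baseline-and-diff version of the SUID search Ben recommends, as an added example (not from the column and not Ben's own script): it lists SUID/SGID files, saves that list, and later reports anything new, with an optional rpm check for packaged binaries such as login and bash. The directory, baseline path and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original column. Enumerates SUID/SGID files
# below a directory tree and diffs the result against a saved baseline, so
# an unexpected new setuid binary (e.g. a stray copy of bash) stands out.
# Paths and file names are assumptions for the example.

# List SUID/SGID regular files below $1, one path per line, sorted so the
# output is stable across runs and usable with comm(1).
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        2>/dev/null | sort
}

# Record the current list in the baseline file $2 for later comparison.
save_baseline() {
    list_suid "$1" > "$2"
}

# Print every SUID/SGID file present now but absent from baseline $2.
# Returns 1 if anything new turned up, 0 if the list is unchanged.
new_suid() {
    added=$(list_suid "$1" | comm -13 "$2" -)
    [ -n "$added" ] && { printf '%s\n' "$added"; return 1; }
    return 0
}

# Verify packaged binaries against the RPM database when rpm is available;
# rpm -V prints a flag line (size, MD5, mode ...) for files that differ.
verify_pkg_files() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping"; return 0; }
    for f in "$@"; do
        rpm -Vf "$f" || echo "$f: does not match its package"
    done
}
```

Typical use: save_baseline / /var/lib/suid.baseline on a known-good system, then run new_suid / /var/lib/suid.baseline periodically and verify_pkg_files /bin/login /bin/bash when something looks off.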
"Authentication failed - cannot start X server.
Perhaps you do not have console ownership?"
"Sending all processes the TERM signal ...
rpc.statd forgot to set AF_INET in udp sendmsg.
Fix it!"
I have created a new user and tried logging in; same scenario, new user cannot login with newly assigned user/password, can login as new user using root password.
For "startx" problem I have checked /etc/security/console.perms and edited File classes
from: <console>tty=[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
to: <console>tty=[0-9][0-9]* vc\/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
I think the origin is in the password problem but I don't know where to start. Servers are using shadow password, files /etc/passwd and /etc/shadow look like this:
-rw-r--r--    1 root     root          944 passwd
-rw-r--r--    1 root     root          944 passwd-
-r--------    1 root     root          979 shadow
-r--------    1 root     root          979 shadow-
Do you have any ideas?
Many Thanks -
Nancy Laemlein
[Ben] The perms look OK; that might not have much to do with it though. If you find that you have indeed been cracked, you'll need to reinstall your system (since anything could be compromised), and read the Security-HOWTO before putting it back on-line. Running Bastille (a sort of an automated security audit) on your machine is a fairly good idea.
Do note that the problem could be as simple as some strange library succumbing to bit rot. Doing diagnostics via e-mail with limited information is a middlin' tough job.