The second and most important root escalated-privilege flag was taken by ATB,
known as Arkaic on the Freenode PlugLabs IRC. The escalated permissions were
obtained after running the default password shadow file on an FC system
through John the Ripper to obtain "nobody" [whose default /etc/passwd shell
had been changed from /bin/nologin to /bin/bash by a clueless and highly paid
Drupal "developer" who was trying to get ftp to work ("Um.... file transfer
from Drupal is ftp, right...?")]. ATB then
found that there was a backup of the shadow file (root hash included) with
readable permissions (silly admins never set their UMASK right!) and that the
pam.d directory also had things writable (su).
After these easy actions, including running the /etc/shadow-bak file through
John the Ripper [type yum install john] to get the root four-digit numerical
password, I believe ATB was resourceful enough to try "sudo" from nobody, which
the admin had, in his haste, set in /etc/sudoers to ALL (ALL) ALL rather than
designating each and every one of the developers, since they were in a
$REALBIGHURRY to get the site up. I believe ATB, in his wisdom, then endeavored
to add a few backdoors, and possibly a rootkit, but we have to do our full
forensics for a full determination of all FLAGS obtained by his actions.

Dec 14 17:01:48 spider useradd[21049]: new group: name=waldo, GID=508
Dec 14 17:01:48 spider useradd[21049]: new user: name=waldo, UID=508, GID=508, home=/home/waldo, shell=/bin/bash
Dec 14 17:01:54 spider passwd: PAM unable to dlopen(/lib/security/pam_gnome_keyring.so): /lib/security/pam_gnome_keyring.so: cannot open shared object file: No such file or directory
Dec 14 17:01:54 spider passwd: PAM adding faulty module: /lib/security/pam_gnome_keyring.so
Dec 14 17:02:01 spider passwd: pam_unix(passwd:chauthtok): password changed for waldo
Dec 14 17:03:49 spider su: pam_unix(su-l:session): session closed for user root
Dec 14 17:03:52 spider sudo: nobody : TTY=pts/5 ; PWD=/ ; USER=root ; COMMAND=/bin/su -
Dec 14 17:03:52 spider su: pam_unix(su-l:session): session opened for user root by nobody(uid=0)

nobody   pts/5    ip70-176-228-90.   16:55    1:09   0.20s  0.04s sshd: nobody [priv]

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | (503)754-4452
Catch the January PLUG HackFest! Kristy Westphal, CSO for the AZ Department of
Economic Security, will provide a one-hour presentation on forensics 1/10/09,
Noon at UAT.edu.
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
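The chain described in the post above (a service account handed a login shell, a readable shadow backup, a writable pam.d file, a blanket sudoers entry, and the sudo/su-to-root step visible in the auth log) can be checked for mechanically. The script below is an added example, not code from the post or from PLUG, written in POSIX sh with awk and find. The function names, the fixture under $FIX, and the sample passwd/shadow/sudoers/log lines are all constructed to mirror the post; the UID-below-500 cutoff for service accounts is the Fedora-era convention the FC box would have used, and `find -maxdepth` is assumed available (GNU and BSD find both have it). Point the functions at a real /etc and /var/log/secure to audit a host.

```shell
#!/bin/sh
# audit_privesc_chain.sh -- added example, not from the post.
# Checks an /etc tree and an auth log for the misconfigurations the post
# describes. The fixture at the bottom is CONSTRUCTED, not a real host.

# Service accounts (UID 1-499, the Fedora-era cutoff) that have a login shell.
interactive_system_shells() {       # $1 = passwd file
    awk -F: '$3 + 0 != 0 && $3 + 0 < 500 &&
             $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $7 }' "$1"
}

# Copies of shadow readable by group or other; umask 077 before the
# "cp shadow shadow-bak" would have prevented this one.
readable_shadow_copies() {          # $1 = etc dir
    find "$1" -maxdepth 1 -name 'shadow*' \( -perm -004 -o -perm -040 \) -print
}

# World-writable PAM configs: anyone can make su or sudo trust anyone.
writable_pam_configs() {            # $1 = etc dir
    find "$1/pam.d" -type f -perm -002 -print
}

# Non-comment sudoers lines whose user field is the ALL alias (every account
# may run everything as root), or that grant NOPASSWD.
overbroad_sudoers() {               # $1 = sudoers file
    grep -vE '^[[:space:]]*#' "$1" | grep -E '^[[:space:]]*ALL[[:space:]]|NOPASSWD'
}

# Auth-log lines where sudo or su hands root to a service account.
# Output: "<account><TAB><log line>".
root_via_service_account() {        # $1 = passwd file, $2 = auth log
    awk 'FNR == NR { split($0, f, ":"); if (f[3] + 0 != 0 && f[3] + 0 < 500) sys[f[1]] = 1; next }
         / sudo: / && /USER=root/ { if ($6 in sys) print $6 "\t" $0 }
         / su: / && /session opened for user root by / {
             n = $NF; sub(/\(.*$/, "", n); if (n in sys) print n "\t" $0 }' "$1" "$2"
}

# Accounts created according to useradd entries in the log.
accounts_added_in_log() {           # $1 = auth log
    awk '/useradd\[[0-9]+\]: new user:/ { for (i = 1; i <= NF; i++) if ($i ~ /^name=/) {
             n = $i; sub(/^name=/, "", n); sub(/,$/, "", n); print n } }' "$1"
}

# --- constructed fixture mirroring the post (hypothetical host "spider") ----
FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT
mkdir -p "$FIX/etc/pam.d"
cat > "$FIX/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/bin/bash
dev1:x:500:500:Drupal dev:/home/dev1:/bin/bash
EOF
echo 'root:$1$fakesalt$fakehash:14000:0:99999:7:::' > "$FIX/etc/shadow"
cp "$FIX/etc/shadow" "$FIX/etc/shadow-bak"
chmod 600 "$FIX/etc/shadow"
chmod 644 "$FIX/etc/shadow-bak"           # the readable backup
printf '#%%PAM-1.0\nauth sufficient pam_rootok.so\n' > "$FIX/etc/pam.d/su"
chmod 666 "$FIX/etc/pam.d/su"             # the writable pam.d entry
cat > "$FIX/etc/sudoers" <<'EOF'
# /etc/sudoers
root ALL=(ALL) ALL
ALL  ALL=(ALL) ALL
EOF
cat > "$FIX/secure" <<'EOF'
Dec 14 17:01:48 spider useradd[21049]: new user: name=waldo, UID=508, GID=508, home=/home/waldo, shell=/bin/bash
Dec 14 17:03:52 spider sudo: nobody : TTY=pts/5 ; PWD=/ ; USER=root ; COMMAND=/bin/su -
Dec 14 17:03:52 spider su: pam_unix(su-l:session): session opened for user root by nobody(uid=0)
Dec 14 17:10:00 spider sudo: dev1 : TTY=pts/6 ; PWD=/home/dev1 ; USER=root ; COMMAND=/bin/ls
EOF

echo "== service accounts with login shells"; interactive_system_shells "$FIX/etc/passwd"
echo "== readable shadow copies";             readable_shadow_copies "$FIX/etc"
echo "== writable pam.d files";               writable_pam_configs "$FIX/etc"
echo "== over-broad sudoers entries";         overbroad_sudoers "$FIX/etc/sudoers"
echo "== root obtained via service account";  root_via_service_account "$FIX/etc/passwd" "$FIX/secure"
echo "== accounts added per useradd";         accounts_added_in_log "$FIX/secure"
```

Each check is a separate function so it can be run on its own against the real paths (`readable_shadow_copies /etc`, `root_via_service_account /etc/passwd /var/log/secure`, and so on). The log scan deliberately keys on the passwd file rather than a hard-coded name, so a box where a different service account was given a shell is caught the same way.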