On one of my desktop boxes this evening I observed something unsettling. The box had been rebooted because of a freeze (I think due to an inadvertent ssh session in X, but I wasn't present, so I'm not certain). Box came back up in memtest86 (inexperienced hands probably were responsible), and I rebooted when I returned home.

However, when I rebooted and logged in, I wasn't prompted for a password:

    login: russell
    $

What the ...??? Even more disturbingly, su took me right to a root prompt. The /etc/passwd and /etc/shadow appear to be intact.

I immediately assumed the worst and unplugged it from the network, booted a live-cd and did some trolling through the filesystems. I found evidence in /var/log/auth.log that two or three ssh-knockers had logged in as root, but within a minute had logged out again. I disregarded all the cool forensics stuff I learned at PLUG a month ago. I ran chkrootkit, which came back clean, but ... clearly something is haywire. I strace'd a getty and all it exec'd is login and then a shell. The md5sum of /bin/login matches what shows in the /var/lib/dpkg/info/login.md5sums file.

What explains the weird passwordless logins? Clues? Ideas?

-- 
Russell Senior         ``I have nine fingers; you have ten.''
[email protected]

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
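The post's key evidence is the handful of root ssh logins in /var/log/auth.log that each ended within a minute. The script below is an added example, not code from the poster or the PLUG list: it pulls the `Accepted`/`Failed` lines that sshd writes and the `session closed` lines from pam_unix out of a Debian-style auth.log, pairs them by sshd PID to compute how long each root session lasted, and flags root sessions shorter than a threshold, which is the pattern of an automated brute-forcer that logs in, drops something, and leaves. The log lines are constructed for the example (RFC 5737 documentation addresses, invented PIDs and times), and because syslog timestamps carry no year, the year is passed in as an assumption.

```python
"""Find root ssh logins and their session length in a syslog-style auth.log.

Added example (not the original post's code). Assumes the classic Debian
layout: sshd "Accepted ... for USER from IP port N ssh2" lines followed by
pam_unix "session opened/closed for user USER" lines sharing the same PID.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log; IPs are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  5 21:13:40 box sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar  5 21:14:02 box sshd[1234]: Accepted password for root from 203.0.113.5 port 4321 ssh2
Mar  5 21:14:02 box sshd[1234]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  5 21:14:58 box sshd[1234]: pam_unix(sshd:session): session closed for user root
Mar  5 21:20:11 box sshd[1300]: Accepted publickey for russell from 192.0.2.10 port 50000 ssh2
Mar  5 21:20:11 box sshd[1300]: pam_unix(sshd:session): session opened for user russell by (uid=0)
Mar  5 21:31:05 box sshd[1377]: Accepted password for root from 198.51.100.7 port 40977 ssh2
Mar  5 21:31:05 box sshd[1377]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  5 21:31:20 box sshd[1377]: pam_unix(sshd:session): session closed for user root
"""

# One regex for the syslog envelope (only sshd lines are of interest here)
# and three for the message bodies we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
FAIL_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
CLOSE_RE = re.compile(r"session closed for user (?P<user>\S+)")


def parse_ts(ts, year):
    # Syslog timestamps have no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(text, year=2007, short_session=120):
    """Return accepted logins (with duration), root logins, short root
    sessions, and a per-(ip, user) count of failed attempts."""
    open_sessions = {}   # sshd PID -> session dict, until "session closed"
    logins = []
    failed = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = m["ts"], m["pid"], m["msg"]
        a = ACCEPT_RE.match(msg)
        if a:
            open_sessions[pid] = {
                "user": a["user"], "ip": a["ip"], "method": a["method"],
                "opened": parse_ts(ts, year), "closed": None, "seconds": None,
            }
            continue
        f = FAIL_RE.match(msg)
        if f:
            failed[(f["ip"], f["user"])] += 1
            continue
        c = CLOSE_RE.search(msg)
        if c and pid in open_sessions:
            s = open_sessions.pop(pid)
            s["closed"] = parse_ts(ts, year)
            s["seconds"] = int((s["closed"] - s["opened"]).total_seconds())
            logins.append(s)
    # Sessions with no "closed" line were still open when the log ended.
    logins.extend(open_sessions.values())
    logins.sort(key=lambda s: s["opened"])
    root = [s for s in logins if s["user"] == "root"]
    short = [s for s in root if s["seconds"] is not None and s["seconds"] <= short_session]
    return {"logins": logins, "root_logins": root,
            "short_root_sessions": short, "failed": failed}


def report(result):
    """Human-readable summary lines, one per root login."""
    lines = []
    for s in result["root_logins"]:
        dur = "still open" if s["seconds"] is None else f"{s['seconds']}s"
        lines.append(f"root login via {s['method']} from {s['ip']} at "
                     f"{s['opened']:%b %d %H:%M:%S}, session {dur}")
    return lines


if __name__ == "__main__":
    res = analyze(SAMPLE_AUTH_LOG)
    print("\n".join(report(res)))
    print(f"{len(res['short_root_sessions'])} short root session(s); "
          f"failed attempts: {dict(res['failed'])}")
```

Run it against a real file with `analyze(open("/var/log/auth.log").read(), year=...)`, taken from the live-cd mount rather than the running system. Two caveats follow from the post itself: a log on the same disk can have been edited by whoever held root, so a clean-looking auth.log is weak evidence; and the `/var/lib/dpkg/info/*.md5sums` check the poster ran has the same limitation, since the md5sums file sits on the same filesystem as the binary it vouches for, so a match only rules out a careless replacement.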
