> On one of my desktop boxes this evening I observed something
> unsettling. The box had been rebooted because of a freeze (I think
> due to an inadvertent ssh session in X, but I wasn't present, so I'm
> not certain). Box came back up in memtest86 (inexperienced hands
> probably were responsible), and I rebooted when I returned home.
>
> However, when I rebooted and logged in, I wasn't prompted for a
> password:
>
> login: russell
> $
>
> What the ...???
>
> Even more disturbingly, su took me right to a root prompt. The
> /etc/passwd and /etc/shadow appear to be intact. I immediately
> assumed the worst and unplugged it from the network, booted a live-cd
> and did some trolling through the filesystems. I found evidence in
> /var/log/auth.log that two or three ssh-knockers had logged in as
> root, but within a minute had logged out again. I disregarded all the
> cool forensics stuff I learned at PLUG a month ago.
>
> I ran chkrootkit which came back clean, but ... clearly something is
> haywire. I strace'd a getty and all it exec'd is login and then a
> shell. The md5sum of /bin/login matches what shows in the
> /var/lib/dpkg/info/login.md5sums file.
>
> What explains the weird passwordless logins?
It could be PAM configurations that allow anyone to log in. Or it could be a trojaned C library that makes crypt return the salt, which is usually just passed the encrypted password. Did you see strace read the shadow file? Running ltrace might also give clues. Is there a way to globally check checksums for all installed packages? I'm not a deb user, so I am not sure.

_______________________________________________
PLUG mailing list
http://lists.pdxlinux.org/mailman/listinfo/plug
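As an added example (not from this thread), here is a small POSIX shell script that does the two checks the reply suggests, meant to be run from a trusted live CD against the suspect filesystem mounted under a directory: it verifies files against dpkg's per-package .md5sums lists (the same kind of file the poster used for /bin/login, and usable for libc6 too) and lists PAM "auth" lines that would let anyone in. The function names and the sample tree it builds are constructed for illustration; on a real box you would loop over /var/lib/dpkg/info/*.md5sums.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh and md5sum(1).
# Run it from a trusted live system: a trojaned libc or md5sum on the suspect
# box could lie about its own files, and the .md5sums lists themselves live on
# the suspect disk, so a tampered package database would fool this as well.

# verify_pkg_md5sums ROOT MD5FILE
# MD5FILE lines look like "<md5>  <path relative to />". Prints one
# "MISMATCH <path>" or "MISSING <path>" line per bad file, nothing if all match.
verify_pkg_md5sums() {
    root=$1; md5file=$2
    while read -r want rel; do
        [ -n "$want" ] || continue
        if [ ! -f "$root/$rel" ]; then echo "MISSING $rel"; continue; fi
        have=$(md5sum "$root/$rel" | cut -d' ' -f1)
        [ "$have" = "$want" ] || echo "MISMATCH $rel"
    done < "$md5file"
}

# weak_pam_auth PAMFILE
# Prints uncommented "auth" lines that succeed for everyone (pam_permit.so)
# or accept empty passwords (nullok).
weak_pam_auth() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '^auth.*(pam_permit\.so|nullok)' || true
}

# --- constructed demo tree (sample data, not a real system) ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin" "$demo_root/lib" "$demo_root/etc/pam.d"
printf 'pretend login binary\n' > "$demo_root/usr/bin/login"
printf 'pretend libc\n' > "$demo_root/lib/libc.so.6"
ok=$(md5sum "$demo_root/usr/bin/login" | cut -d' ' -f1)
{
    echo "$ok  usr/bin/login"                               # matches
    echo "00000000000000000000000000000000  lib/libc.so.6"  # will not match
    echo "00000000000000000000000000000000  sbin/getty"     # not present
} > "$demo_root/login.md5sums"
printf 'auth\tsufficient\tpam_permit.so\nauth\trequired\tpam_unix.so nullok\n' \
    > "$demo_root/etc/pam.d/login"

verify_pkg_md5sums "$demo_root" "$demo_root/login.md5sums"   # 2 bad files
weak_pam_auth "$demo_root/etc/pam.d/login"                   # 2 weak lines
rm -rf "$demo_root"
```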
