On Thu, Mar 5, 2009 at 5:07 AM, Russell Senior <[email protected]> wrote:
> On one of my desktop boxes this evening I observed something
> unsettling.  The box had been rebooted because of a freeze (I think
> due to an inadvertent ssh session in X, but I wasn't present, so I'm
> not certain).  Box came back up in memtest86 (inexperienced hands
> probably were responsible), and I rebooted when I returned home.
>
> However, when I rebooted and logged in, I wasn't prompted for a
> password:
>
>   login: russell
>   $
>
> What the ...???
>
> Even more disturbingly, su took me right to a root prompt.  The
> /etc/passwd and /etc/shadow appear to be intact.  I immediately
> assumed the worst and unplugged it from the network, booted a live-cd
> and did some trolling through the filesystems.  I found evidence in
> /var/log/auth.log that two or three ssh-knockers had logged in as
> root, but within a minute had logged out again.  I disregarded all the
> cool forensics stuff I learned at PLUG a month ago.
>
> I ran chkrootkit which came back clean, but ... clearly something is
> haywire.  I strace'd a getty and all it exec'd is login and then a
> shell.  The md5sum of /bin/login matches what shows in the
> /var/lib/dpkg/info/login.md5sums file.
>
> What explains the weird passwordless logins?
>
> Clues?  Ideas?

I had this exact same thing occur to me yesterday.  I first noticed it when su took me directly to root.

Having seen this thread, I went through the backups for the last few days and noticed that several files in /etc/pam.d had been updated during a normal debian upgrade.  The files were

  etc/pam.d/common-account
  etc/pam.d/common-auth
  etc/pam.d/common-password
  etc/pam.d/common-session

I restored these files from the backup and the problem disappeared.  As far as I can tell this was not caused by any malice, but was caused by a packaging problem.

Bill
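The check Bill describes, comparing the four /etc/pam.d/common-* files with a backup and looking at what the auth stack actually contains, written out as a small POSIX shell script. This is an added example, not code from the PLUG thread or from Debian; it assumes the Debian common-* file layout, takes the live and backup directories as parameters so it can be run against a copy, and the "stack looks sane" rule (pam_unix.so present, pam_permit.so not ahead of it) is a generic heuristic of this example, not a diagnosis of what the broken upgrade had put in those files.

```shell
#!/bin/sh
# Added example, not code from the PLUG thread: audit Debian's /etc/pam.d/common-*
# files by comparing them with a trusted backup copy and by listing the modules in
# the "auth" stack. Directory paths are passed in so it can run against a copy.

PAM_COMMON_FILES="common-account common-auth common-password common-session"

# pam_diff_against_backup LIVE_DIR BACKUP_DIR
# Prints one line per common-* file that is missing from the backup or differs
# from it. Returns 0 when every file matches, 1 otherwise.
pam_diff_against_backup() {
    live_dir=$1
    backup_dir=$2
    rc=0
    for f in $PAM_COMMON_FILES; do
        if [ ! -f "$backup_dir/$f" ]; then
            echo "MISSING-IN-BACKUP $f"
            rc=1
        elif ! cmp -s "$live_dir/$f" "$backup_dir/$f"; then
            echo "CHANGED $f"
            rc=1
        fi
    done
    return $rc
}

# pam_auth_modules FILE
# Prints the module name of every "auth" line, in stack order, skipping comments.
# PAM allows a bracketed control field such as "[success=1 default=ignore]", which
# awk splits into several fields, so the module is the field after the closing "]".
pam_auth_modules() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        $1 == "auth" {
            if ($2 ~ /^\[/) {
                i = 2
                while (i <= NF && $i !~ /\]$/) i++
                i++
            } else {
                i = 3
            }
            print $i
        }'
}

# pam_auth_stack_ok FILE
# Heuristic sanity check (an assumption of this example, not a diagnosis of the
# incident in the thread): the auth stack must contain pam_unix.so, the module that
# actually prompts for and verifies the password, and pam_permit.so must not appear
# ahead of it, where it would satisfy the stack before any password is asked for.
# Returns 0 if the stack looks sane, 1 otherwise.
pam_auth_stack_ok() {
    seen_unix=0
    for m in $(pam_auth_modules "$1"); do
        case $m in
            pam_unix.so) seen_unix=1 ;;
            pam_permit.so) [ $seen_unix -eq 1 ] || return 1 ;;
        esac
    done
    [ $seen_unix -eq 1 ]
}

# Usage on a live box (as root, with a backup taken before the upgrade; the backup
# path is a placeholder):
#   pam_diff_against_backup /etc/pam.d /mnt/backup/etc/pam.d
#   pam_auth_stack_ok /etc/pam.d/common-auth || echo "common-auth does not require a password"
```

Running the diff first narrows the question to which of the four files the upgrade touched; listing the auth modules then shows in one glance whether the file that remains still routes the login through a module that checks a credential, which is the property the passwordless login and the root su in the thread both lacked.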
