This is a discussion on Strange passwd and shadow file; hacked? within the Linux Security forums, part of the System Security and Security Related category; Hello, on one of my servers, I found the following in /etc/passwd: wwwadmin:x:506:502::/var/wwwroot:/bin/...
Hello,

on one of my servers, I found the following in /etc/passwd:

wwwadmin:x:506:502::/var/wwwroot:/bin/bash
wwwadminsec:$1$Zzzzbhb9$.JashszZS23keu3/:507:503::/var/wwwrootsec:/bin/bash
mysqladm:x:505:501::/var/mysql:/bin/bash

and this in /etc/shadow:

wwwadmin:$1$Zzzzbhb9$.KIJD832iuhs892/:12078:0:99999:7:::
adminsec:$1$Zzzzbhb9$.dijo29823/:12078:0:99999:7:::
mysqladm:$1$Zzzzbhb9$.UHJd78923zuw/:12077:0:99999:7:::

(I filled the encrypted parts with random stuff)

There is an encrypted password in /etc/passwd where the 'x' should be, the corresponding account was truncated in /etc/shadow (adminsec instead of wwwadminsec), and the encrypted password in /etc/passwd is something new, while the encrypted password in /etc/shadow is still correct.

I tried this "hack", and yes, you can log in as user wwwadminsec with the password that corresponds to the encrypted password in /etc/passwd - Linux ignores /etc/shadow in this case.

Does that look like a cracker to you? If yes, why did he do it that way? He could have simply changed the password of the user wwwadminsec.

Thanks in advance,
-- Manuel
On Thu, 03 Jun 2004 16:41:12 +0200, Manuel Kiessling <manuel@kiessling.net> wrote:

> Hello,
>
> on one of my servers, I found the following in /etc/passwd:
>
> wwwadmin:x:506:502::/var/wwwroot:/bin/bash
> wwwadminsec:$1$Zzzzbhb9$.JashszZS23keu3/:507:503::/var/wwwrootsec:/bin/bash
> mysqladm:x:505:501::/var/mysql:/bin/bash
>
> and this in /etc/shadow:
>
> wwwadmin:$1$Zzzzbhb9$.KIJD832iuhs892/:12078:0:99999:7:::
> adminsec:$1$Zzzzbhb9$.dijo29823/:12078:0:99999:7:::
> mysqladm:$1$Zzzzbhb9$.UHJd78923zuw/:12077:0:99999:7:::
>
> (I filled the encrypted parts with random stuff)
>
> There is an encrypted password in /etc/passwd where the 'x' should be,
> the according account was truncated in /etc/shadow (adminsec instead of
> wwwadminsec), and the encrypted password in the /etc/passwd is something
> new, while the encrypted password in /etc/shadow is still correct.
>
> I tried this "hack", and yes, you can login as user wwwadminsec with the
> password that accords to the encrypted password in /etc/passwd - Linux
> ignores /etc/shadow in this case.
>
> Does that look like a cracker to you? If yes, why did he do it that way?
> he could have simply changed the password of the user wwwadminsec.

A good test would be to see who added these. If neither you nor any of the other admins can remember adding those accounts, then I'd say there's a good chance you were cracked. If that's the case, you should get that machine offline ASAP and do a clean install.

--
Skylar Thompson (skylar@cs.earlham.edu)
http://www.cs.earlham.edu/~skylar/
Manuel Kiessling wrote:

> Hello,
>
> on one of my servers, I found the following in /etc/passwd:
>
> wwwadmin:x:506:502::/var/wwwroot:/bin/bash
> wwwadminsec:$1$Zzzzbhb9$.JashszZS23keu3/:507:503::/var/wwwrootsec:/bin/bash
> mysqladm:x:505:501::/var/mysql:/bin/bash
>
> and this in /etc/shadow:
>
> wwwadmin:$1$Zzzzbhb9$.KIJD832iuhs892/:12078:0:99999:7:::
> adminsec:$1$Zzzzbhb9$.dijo29823/:12078:0:99999:7:::
> mysqladm:$1$Zzzzbhb9$.UHJd78923zuw/:12077:0:99999:7:::
>
> (I filled the encrypted parts with random stuff)
>
> There is an encrypted password in /etc/passwd where the 'x' should be,
> the according account was truncated in /etc/shadow (adminsec instead of
> wwwadminsec), and the encrypted password in the /etc/passwd is something
> new, while the encrypted password in /etc/shadow is still correct.
>
> I tried this "hack", and yes, you can login as user wwwadminsec with the
> password that accords to the encrypted password in /etc/passwd - Linux
> ignores /etc/shadow in this case.
>
> Does that look like a cracker to you? If yes, why did he do it that way?
> he could have simply changed the password of the user wwwadminsec.
>
> Thanks in advance,

Or put no password in at all.

And yes, I would be suspicious, followed by a full analysis of the system. Basically, do the normal forensic analysis (tripwire, lsof, nmap, tcpdump, etc.). Since you said "one of your servers," you can transfer these binaries from another Linux system instead of using the local ones (which might be trojaned).
Manuel Kiessling <manuel@kiessling.net> wrote in news:2i8rk6FkifceU1@uni-berlin.de:

> Does that look like a cracker to you? If yes, why did he do it that
> way? he could have simply changed the password of the user
> wwwadminsec.

Absolutely. (And thank you for using cracker instead of hacker.)

Automated kits don't do well with interactive programs. It's easier for them to add a line or an entry to the passwd file than it is to add to the shadow file, or run a passwd command, even if they do temporarily have access to a non-GUI non-console root.

There should NEVER be an entry in the passwd file. It's good to know that and check it, since there is always a chance that someone will have the newest exploit for getting past the IDS you might be using. One of the things my login does is:

grep -v :x: /etc/passwd

Gandalf Parker
--
Saying your system is secure should be considered the same as saying your food is too hot. It's a temporary condition which is going away even as you speak.
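The check Gandalf runs at login (grep -v :x: /etc/passwd) and the mismatch Manuel found can be turned into one small audit that compares the two files. The script below is an added example and is not from any post in this thread; the sample data is constructed from the thread's placeholder entries (hashes are the random stuff Manuel pasted, plus a made-up root line), and the set of "shadowed or locked" marker values (x, *, !, !!) is this example's own assumption about what should legitimately appear in the password field of /etc/passwd.

```python
"""Audit /etc/passwd against /etc/shadow for the anomalies discussed in the thread.

Added example, not from the thread. It reports:
  1. passwd entries whose password field holds a hash instead of 'x'
     (Manuel's case: the hash in /etc/passwd is honoured and the shadow
     entry is never consulted);
  2. passwd entries with an empty password field (the "no password at all"
     variant mentioned in the second reply);
  3. names present in one file but not the other (the truncated
     'adminsec' vs 'wwwadminsec' pair).
"""

# Assumption of this example: these marker values mean "look in /etc/shadow"
# or "account locked"; anything else in field 2 of /etc/passwd is a live hash.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}

# Constructed sample data based on the placeholder lines from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wwwadmin:x:506:502::/var/wwwroot:/bin/bash
wwwadminsec:$1$Zzzzbhb9$.JashszZS23keu3/:507:503::/var/wwwrootsec:/bin/bash
mysqladm:x:505:501::/var/mysql:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$Zzzzbhb9$.constructedroot/:12078:0:99999:7:::
wwwadmin:$1$Zzzzbhb9$.KIJD832iuhs892/:12078:0:99999:7:::
adminsec:$1$Zzzzbhb9$.dijo29823/:12078:0:99999:7:::
mysqladm:$1$Zzzzbhb9$.UHJd78923zuw/:12077:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {account_name: [fields]} for a colon-separated account file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit(passwd_text, shadow_text):
    """Return a list of (account, finding) tuples; an empty list means nothing odd."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, fields in passwd.items():
        pw_field = fields[1] if len(fields) > 1 else ""
        if pw_field == "":
            findings.append((name, "empty password field in /etc/passwd: login without a password"))
        elif pw_field not in SHADOWED_OR_LOCKED:
            findings.append((name, "password hash stored in /etc/passwd: shadow entry is ignored"))
        if name not in shadow:
            findings.append((name, "no matching entry in /etc/shadow"))
    for name in shadow:
        if name not in passwd:
            findings.append((name, "shadow entry with no /etc/passwd account"))
    return findings


def audit_system(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Run the audit against the live files (reading /etc/shadow requires root)."""
    with open(passwd_path) as p, open(shadow_path) as s:
        return audit(p.read(), s.read())


if __name__ == "__main__":
    # On the sample data this prints three findings: the hash in /etc/passwd for
    # wwwadminsec, its missing shadow line, and the orphaned 'adminsec' shadow line.
    for account, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```

As with Gandalf's grep, run it from a known-good binary set if the box is already suspect; a Python interpreter on a compromised host is no more trustworthy than its grep.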