[vox-tech] Password Security...

Peter Jay Salzman vox-tech@lists.lugod.org
Sat, 1 May 2004 10:17:08 -0700


On Sat 01 May 04,  9:34 AM, William Perdue <william@williamperdue.com> said:
> Hello, I'm William...
> 
> I've been having some trouble with my security in my server.... I am 
> running Red Hat Linux 9 with the Linux SSH Client software.
> 
> Looking through my logs, I found that a hacker got hold of my Root 
> password... it was _not_ the default (it was 17 characters) .... the server 
> sits behind my router with a local IP address
> 
> My Firewall is set at a high level  and The Server config is far from the 
> defaults...
> 
> My Question: could they have obtained my root password?..

hi william,

welcome to lugod.

there are so many different ways to get a password, the answer would
have to be an unqualified "yes" to a question of possibility.

it would be impossible to list them all except in the most general of
general terms.  all any of us can do is ask the questions which are the
most obvious, like "do you run telnetd" and "have you installed any
non-rpm software from a warez site in russia".  the possibilities are
really endless here, which is what makes computer security (and the inverse
of computer security) so much fun.

first off, can you post the logs that make you think the root password
was compromised?


> Another thing,,, Is there an easy way I can figure out if they installed 
> any software on my server, like a trapdoor that would allow access now that 
> I have changed the password?
 
yes, there is.  if you have tripwire or its open source equivalent,
integrit, installed.

if you don't have a tripwire type package installed, before the fact,
then things get considerably more complicated.

assuming that you don't have integrit or tripwire installed, i've read
that rpm can check the checksum of all installed files.  that would
certify binaries installed by rpm and a few config files.

however, even that won't guarantee anything.  once a hacker gets his
foot in the door, all bets are off.  for example, one technique that i
used to employ on ultrix was a pretty frightening flaw in ultrix.  a
long time ago, if the first line of /etc/passwd was a blank line, you
could log in as root with no password (it wouldn't let you in if you
supplied a WRONG password.  however, it would let you in with no
password).


essentially, there are certain system config files that are not "owned"
by an rpm, and perhaps they get changed so much that their checksum
really wouldn't be meaningful in the first place.  like playing around
with shadow or exports or heaven knows what.  passwd and shadow are two
such files not owned by a (debian) package.

if this were MY system, i'd install from backup (uhhh... if it existed
;) ) or reinstall from scratch.

btw, there are packages that look for the most common root kits.  i
forget what they're called; i'm sure someone here knows.  there's a
couple of them available as deb packages.  i'm sure you can freshmeat
for them.  but even so, as long as you were careful to leave everything
not in /usr/local and /home alone, then backing up /etc and reinstalling
shouldn't be too painful.  this is one of the areas where debian's anal
notion of "policy" is so useful.

but these packages should be used to LOOK for hackers, not for damage
control once hackers get in:

the truth is, if you even suspect that they got root access in ANY way
shape or form (and getting the root password is one out of a billion
ways to gain root access), then you should really install from scratch.

sorry to hear the bad news.  it's good that you have a watchful eye.

pete


-- 
Make everything as simple as possible, but no simpler.  -- Albert Einstein
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
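The reply above recommends a tripwire/integrit style baseline taken "before the fact", and falls back to rpm's checksum verification for package-owned files. The following is an added example, not code from the post and not the code of tripwire, integrit or rpm: a minimal baseline-and-verify checker that records a SHA-256, mode and size for every regular file under a root, stores the baseline as JSON, and later reports files that were modified, added or deleted. The sample directory tree, the file contents and the names `build_baseline`, `verify` and `demo` are all constructed for this example.

```python
"""Minimal file-integrity baseline/verify in the spirit of tripwire or integrit.

Added example for this thread; not the post's code and not any tool's code.
The sample tree is constructed in a temporary directory so it runs offline.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes that should not change for a system binary or config file."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),  # permission bits only
        "size": st.st_size,
    }


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative path) under root to its record.

    Symlinks are skipped: a link target can be swapped without touching the
    link, so it should be tracked as its own entry rather than followed.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree as it is now against a previously saved baseline."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "deleted": []}
    for rel, rec in baseline.items():
        if rel not in current:
            report["deleted"].append(rel)
        elif current[rel] != rec:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Build a constructed tree, take a baseline, change it, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"ELF-original-contents")  # constructed
        (root / "etc" / "motd").write_text("welcome\n")                # constructed
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")

        # Baseline taken "before the fact"; serialised as one would write it
        # to read-only media or copy off the host.
        saved = json.dumps(build_baseline(root))

        # Changes made after the baseline: one binary replaced, one file
        # appearing that was never installed, one file removed.
        (root / "bin" / "ls").write_bytes(b"ELF-different-contents")
        (root / "bin" / "unexpected").write_bytes(b"not in baseline")
        (root / "etc" / "motd").unlink()

        return verify(root, json.loads(saved))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The check is only as good as where the baseline lives: a baseline kept on the same disk as the files it describes can be rewritten by whoever changed the files, which is why the reply insists the package be installed and its database taken before any suspected compromise. For package-owned files on a Red Hat system, `rpm -Va` performs the equivalent comparison against the RPM database, and as the reply notes, files such as `/etc/passwd` and `/etc/shadow` that no package owns are exactly the ones this kind of separate baseline has to cover.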