
[cobalt-developers] Re: cobalt-developers digest, Vol 1 #1327 - 17 msgs



Hi Krishnanarayanan,

> http://cobalt-knowledge.sun.com
> Article Reference #   011210-000000
> 
> Mircea Ivan wrote:
> 
> > Password file locked on RaQ4
> > 
> > Anybody got an idea ?

Yep <waving hand>. In the last four weeks I've seen that on six 
RaQ3s and RaQ4s. Except for two machines, they had all patches in 
place, and half of the boxes had OpenSSH-3.02 installed. None of the 
machines had received any hardening other than that. One of the 
machines had an earlier unfixed compromise (knark rootkit).

The Admin Interface gives this non-descriptive error message when you 
try to add, edit or delete a user, right?

Ok, check the permissions of /etc/shadow. Confirm that the file is 
there and that user "root" can access it. The permissions *should* 
be 400 root:root. See the related discussion on the security-list.
 
Now try to edit the file in "vi" and save your changes. Do not copy 
it and work on the copy, but edit /etc/shadow directly. If you are 
unable to save the changes as "root", then welcome to the club of 
the owned ones.

In my case(s) a loadable kernel module had been inserted into the 
kernel which prevented user "root" from modifying /etc/shadow and 
other files. The module also masked itself pretty well and hid 
certain files and folders in /proc and /usr/local/src/.

Analysis of a coredump and /proc/ seems to point in the general 
direction of KIS, although I didn't have the time for a thorough 
investigation as the customers were already impatiently waving 
the OS-Restore-CD at me.

-- 

Mit freundlichen Grüßen / With best regards

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
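The triage Michael describes above (confirm /etc/shadow exists with mode 400 and owner root:root, then see whether root can actually write to it) as a small POSIX shell script. This is an added example, not code from the original mail or from any Cobalt tool. It assumes a Linux host with GNU or BusyBox `stat(1)`; `lsattr(1)` from e2fsprogs is optional. The immutable-attribute check goes one step beyond the mail: a file marked `chattr +i` refuses writes even from root and produces the same "cannot save" symptom with no rootkit involved, so it is the benign explanation to rule out before concluding the box is owned. The write probe opens the file for append and writes nothing, which exercises the same open-for-write path a vi save would hit without altering the file.

```shell
#!/bin/sh
# Added example (not from the original mail): triage the "password file
# locked" symptom. Defaults to /etc/shadow; pass another path to test it
# elsewhere. Assumes GNU or BusyBox stat(1); lsattr(1) is optional.
# Exit codes: 0 = looks healthy, 1 = file missing, 2 = unexpected mode or
# owner but still writable, 3 = the current user cannot open it for writing.
shadow_check() {
    f="${1:-/etc/shadow}"
    status=0
    if [ ! -e "$f" ]; then
        echo "MISSING: $f does not exist"
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U:%G' "$f")
    if [ "$mode" != "400" ]; then
        echo "WARN: $f mode is $mode, expected 400"
        status=2
    fi
    if [ "$owner" != "root:root" ]; then
        echo "WARN: $f owner is $owner, expected root:root"
        status=2
    fi
    # Immutable attribute (chattr +i) blocks writes even for root. lsattr may
    # be missing or unsupported on this filesystem; either way attrs stays
    # empty and the check is simply skipped.
    attrs=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1)
    case "$attrs" in
        *i*) echo "WARN: $f carries the immutable attribute ($attrs)" ;;
    esac
    # Write probe: open for append and write nothing, so the contents are
    # untouched. The subshell keeps a redirection failure from aborting the
    # calling shell.
    if ( true >> "$f" ) 2>/dev/null; then
        echo "OK: $f can be opened for writing by $(id -un)"
    else
        echo "LOCKED: cannot open $f for writing as $(id -un)"
        status=3
    fi
    return "$status"
}

# Run against the given path when invoked with an argument; with none, the
# script only defines shadow_check so it can be sourced.
[ $# -eq 0 ] || shadow_check "$@"
```

Run it as root with no argument on the affected RaQ; a LOCKED result on a file that shows neither a bad mode nor the immutable attribute is the case the mail describes, and at that point the answer is forensic imaging and the restore CD rather than further poking at the live kernel.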