bios   1   2   3   4   5   6   7   8   9   10   11   12

Cannot Login Question

From Nancy Laemlein

Answered By Ben Okopnik

Hello,

I found my problem listed as http://www.linuxgazette.com/issue37/tag/46.html, but no solution.

I have been running RH6.2 kernel2.2.14-50 on I586, as two test servers.

Both have been running for one-two months. One morning I restarted both servers and then I encountered no normal user could successfully login. I could only login as root, or even more bizarre, as any user but using the root password.

[Ben] Hm. I hate to jump to such an obvious conclusion, but that kind of behavior seems "man-made" rather than some specific failure. Your site may well have been cracked.

One of the first things I'd do - given the problems that you're encountering - is compare the size of your "/bin/login" and "/bin/bash" to those on a normal system (this assumes the same distro or at least GNU utility versions on the machines.) If they're significantly larger, they're probably "rootkit" versions, compiled with the library calls in the executable. If you can compare the sizes with the originals (i.e., look inside the RPMs), so much the better.

Check your access logs. The intruder can wipe those, but there's always a chance - most script kiddies are pretty inept.

Do a "find / -name bash" to search for an extra copy (usually SUID'd) of "bash"; in fact, doing an occasional search for SUID'd files on your system - and being familiar with that hopefully very short list - is a good thing to do on any system you admin.

• The servers do not boot to Xwindows(gdm)
• No error at bootup
• manage a login for user/root password
• "startx" produces - "Authentication failed - cannot start X server.
Perhaps you do not have console ownership?"
  No user can load startx Only root can load startx - not good
• upon shutdown error message results: "Sending all processes the TERM signal ...
rpc.statd forgot to set AF_INET in udp sendmsg.
Fix it!"

I have created a new user and tried loggin in; same scenario, new user cannot login with newly assgined user/password, can login as new user using root password.

For "startx" problem I have checked /etc/security/console.perms and edited File classes

 from:
 <console>tty=3D[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
 to:
 <console>tty=3D[0-9][0-9]* vc\/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]

I think the origin is in the password problem but I don't know where to start. Servers are using shadow password, files /etc/passwd and /etc/shadow look like this:

  -rw-r--r--  1 root  root  944 passwd
  -rw-r--r--  1 root  root  944 passwd-

  -r--------  1 root  root  979 shadow
  -r--------  1 root  root  979 shadow-

Do you have any ideas?

Many Thanks -
Nancy Laemlein

[Ben] The perms look OK; that might not have much to do with it though. If you find that you have indeed been cracked, you'll need to reinstall your system (since anything could be compromised), and read the Security-HOWTO before putting it back on-line. Running Bastille (a sort of an automated security audit) on your machine is a fairly good idea.

Do note that the problem could be as simple as some strange library succumbing to bit rot. Doing diagnostics via e-mail with limited information is a middlin' tough job.

This page edited and maintained by the Editors of Linux Gazette Copyright © 2001
Published in issue 68 of Linux Gazette July 2001

HTML script maintained by Heather Stern of Starshine Technical Services, http://www.starshine.org/

bios   1   2   3   4   5   6   7   8   9   10   11   12