
A strangely compromised Linux box

Filed under: Linux, Security

A customer reported that a Linux machine used for ssh access (to in turn give telnet access to an ancient SCO machine) was refusing logins. I asked him to try logging in as root at the console; he was unable to do so.

When I arrived on site, I found that I could not log in, as he had said. I rebooted to single-user mode and started peeking around. The machine had been hacked; there was little doubt about that. It's HOW it was hacked that bothers me.

First, there was no attempt to hide any evidence. I could see in wtmp and the secure logs that someone had logged in from a German ISP address, attained su status, and created a new su user for himself. He then changed root's password.

Fine so far, right? But then he did something very strange. He hand-edited /etc/passwd and added "/nologin" at the end of each line except root's and his own. Since a shell path like /bin/bash/nologin does not exist, this was what was preventing people from logging in.

Why do that?
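A defender-side check for the kind of tampering described above, added here as an example and not part of the original post: it parses passwd(5) lines, flags any shell field outside a known-shell list (noting when it is a valid shell with "/nologin" glued on), and flags any UID 0 account other than root. The passwd content and shell list are constructed samples, not data from the affected machine.

```python
"""Audit passwd(5) entries for tampered login shells and extra UID-0 accounts."""

# Constructed sample (not data from the compromised machine): "/nologin" has been
# appended to the shell field of every line except root and the intruder's account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash/nologin
bob:x:501:501:Bob:/home/bob:/bin/bash/nologin
intruder:x:0:0::/home/intruder:/bin/bash
"""
# Constructed known-shell list; on a real host build it from /etc/shells plus the
# nologin paths, which distributions often leave out of /etc/shells.
SAMPLE_SHELLS = {"/bin/sh", "/bin/bash", "/sbin/nologin", "/usr/sbin/nologin"}
SUFFIX = "/nologin"


def parse_passwd(text):
    """Yield (name, uid, shell) for every well-formed seven-field passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            yield fields[0], int(fields[2]), fields[6]


def audit_passwd(text, valid_shells, root_name="root"):
    """Return (account, issue, shell) findings: unknown or tampered shells, non-root UID 0."""
    findings = []
    for name, uid, shell in parse_passwd(text):
        shell = shell or "/bin/sh"  # an empty shell field means /bin/sh
        if shell not in valid_shells:
            base = shell[:-len(SUFFIX)] if shell.endswith(SUFFIX) else ""
            if base in valid_shells:
                findings.append((name, "tampered: %s appended to %s" % (SUFFIX, base), shell))
            else:
                findings.append((name, "shell not in known list", shell))
        if uid == 0 and name != root_name:
            findings.append((name, "extra uid 0 account", shell))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print("%-10s %-40s %s" % finding)
```

Running it against a live box means passing the contents of /etc/passwd and a shell set read from /etc/shells (plus the nologin paths) instead of the samples.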
