A strangely compromised Linux box

Filed under: Linux, Security

A customer reported that a Linux machine used for ssh access (to in turn give telnet access to an ancient SCO machine) was refusing logins. I asked him to try logging in as root at the console; he was unable to do so.

When I arrived on site, I found that I could not log in, as he had said. I rebooted to single-user mode and started peeking around. The machine had been hacked; there was little doubt about that. It's HOW it was hacked that bothers me.

First, there was no attempt to hide any evidence. I could see in wtmp and the secure logs that someone had logged in from a German ISP address, attained su status, and created a new su user for himself. He then changed root's password.

Fine so far, right? But then he did something very strange. He hand edited /etc/passwd and added "/nologin" at the end of each line except root and his own. This was what was preventing people from logging in.

Why do that?
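The two traces described above, an extra UID-0 account and a shell field with "/nologin" appended, are both visible in /etc/passwd itself, so they can be checked for mechanically. The following audit function is an added example, not code from the original post; the sample passwd text is constructed to resemble what the post describes, and the list of known shells is a hypothetical stand-in for reading /etc/shells on a real system. It goes slightly beyond the post by also flagging malformed lines, since hand edits to passwd often leave a wrong field count.

```python
"""Audit /etc/passwd content for the tampering described in the post.

Flags: UID 0 accounts other than root (the intruder's "su user"), shells
that are not in the known-shell list, and specifically shells where
"/nologin" was tacked onto an existing path such as /bin/bash/nologin.
Added example; not from the original post.
"""

# Hypothetical stand-in for /etc/shells plus the usual service-account shells.
# On a real box, read /etc/shells instead of using a fixed set.
KNOWN_SHELLS = {
    "/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/zsh",
    "/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
}
REAL_NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample: root and the intruder's UID-0 account untouched,
# "/nologin" appended to every other interactive user's shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sysop:x:0:0:sysop:/home/sysop:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash/nologin
bob:x:501:501:Bob:/home/bob:/bin/sh/nologin
"""


def audit_passwd(text, known_shells=KNOWN_SHELLS):
    """Return a list of (username_or_line, reason) findings for passwd text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A hand edit that broke the 7-field layout is itself a finding.
            findings.append((line, f"line {lineno}: malformed entry ({len(fields)} fields)"))
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if shell not in known_shells:
            reason = "shell not in known list"
            if shell.endswith("/nologin") and shell not in REAL_NOLOGIN:
                # e.g. /bin/bash/nologin: the path no longer exists, so
                # login fails while the entry still looks almost normal.
                reason = "shell path has '/nologin' appended"
            findings.append((name, reason))
    return findings


def suspicious_users(text):
    """Convenience wrapper: the set of usernames with at least one finding."""
    return {name for name, _ in audit_passwd(text)}


if __name__ == "__main__":
    for who, why in audit_passwd(SAMPLE_PASSWD):
        print(f"{who}: {why}")
```

Run it against a copy of the real file with `audit_passwd(open("/etc/passwd").read())`; on the box from the post it would have flagged the intruder's account on the UID check and every locked-out user on the shell check, which is exactly the pattern that looks odd enough to warrant the question above.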
