[ale] passwd for root not working

Michael H. Warfield mhw at WittsEnd.com
Tue Jan 5 23:05:07 EST 2010


On Tue, 2010-01-05 at 17:45 -0500, Atlanta Geek wrote: 
> A machine that I was not in charge of seems to have been broken into
> over the weekend.
> I am trying to help the sysadmin.  However there seems to be some
> weird things going on when I try to lock the system down.

Horse, barn door, too late, wrong order, game over.  It appears that
this box is seriously owned.

> 1. found that /var/log/secure was a directory and not a file.
> 2. when as root I type passwd I found that passwd command was missing.
> 3. copied passwd from another server.  When trying to set password we
> get the following:

> [root at localhost etc]# passwd
> Changing password for user root.
> New UNIX password:
> Retype new UNIX password:
> passwd: Authentication token manipulation error


> Here are some details about shadow and passwd files

> [root at localhost etc]# lsattr /etc/passwd
> ----i-------- /etc/passwd

Lovely.  The file is set to immutable.

> [root at localhost etc]# ls -altr passwd
> -rw-r--r-- 1 root root 1616 Feb 28  2009 passwd
> [root at localhost etc]# ls -altr shadow
> -r-------- 1 root root 954 Oct  1 08:42 shadow
> [root at localhost etc]# lsattr passwd
> ----i-------- passwd
> [root at localhost etc]# lsattr shadow
> ----i-------- shadow

Toast.  Cue the music. 

Well, having those files immutable would certainly account for the
"Authentication token manipulation error".  That's a given and you are
busted.

> Any assistance would be appreciated.

If you don't want to rebuild the machine from scratch right from the get
go...

Go get your favorite forensic live CD (my favorite is NST - Network
Security Toolkit, <www.networksecuritytoolkit.org>) and boot the machine
from that and begin to clean it out.

Fix the permissions on those files to get RID of the damn immutable bits
(run from the live CD - not from the compromised image which may be
trojaned as well):

chattr -i /etc/shadow /etc/passwd

Run rkhunter and chkrootkit and see what pops.

Back up your user data from the drive and rebuild the OS.

The main and primary reason for even BOTHERING to go through the trouble
of diagnosing a compromised system at this point is to determine HOW
they broke in.  If you don't do that, you probably won't know how to
prevent it in the NEAR future (yeah, they come back shortly after you
return to the air).  Even if you know how they broke in, you can't trust
the system at this point, so you may as well rebuild it.  But way WAY
too many systems get rebuilt only to be immediately recompromised
because the admins didn't know how they broke in and didn't plug the
hole, and they were waiting for them the moment they were back up on the
net.  Fix it, then watch it like a hawk.  They're like the terminator.
They will be back.

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
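The recovery procedure in Mike's reply (boot a forensic live CD, mount the compromised disk, find and clear the immutable bits that make passwd fail with "Authentication token manipulation error", check for the other tell-tales the original poster found) as an added example script. This is not part of the original post or the NST toolkit; it assumes the victim's root filesystem has already been mounted read-write from the live CD at a path passed as the first argument (for instance /mnt/victim, an assumed path) so that the live CD's own /etc is never touched, and that lsattr and chattr from e2fsprogs are available. It dry-runs by default; set DRY_RUN=0 to actually clear the flags.

```sh
#!/bin/sh
# Added example, not from the original post. Offline triage of a root
# filesystem mounted from a live CD. MNT is an assumed mount point such
# as /mnt/victim; run as root on the live CD, never on the booted victim.

# Read lsattr output on stdin ("----i--------e-- /path") and print only
# the paths whose attribute field carries the immutable (i) or
# append-only (a) flag. Either one stops passwd from replacing
# /etc/passwd and /etc/shadow, which is what the "Authentication token
# manipulation error" in the thread reflects.
immutable_paths() {
    awk '
        NF >= 2 && $1 ~ /^[-a-zA-Z]+$/ {
            flags = $1
            path  = $0
            sub(/^[^ ]+ +/, "", path)   # keep paths with spaces intact
            if (flags ~ /i/ || flags ~ /a/) print path
        }'
}

# For each path on stdin, clear the i and a flags (chattr -ia). With
# DRY_RUN=1 (the default) only print what would be run.
apply_chattr() {
    while IFS= read -r p; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'would run: chattr -ia %s\n' "$p"
        else
            chattr -ia "$p" && printf 'cleared: %s\n' "$p"
        fi
    done
}

# Walk the mounted system's /etc (staying on that filesystem) and clear
# immutable/append-only flags on files and directories found there.
clear_immutable() {
    mnt=$1
    find "$mnt/etc" -xdev -exec lsattr -d {} + 2>/dev/null |
        immutable_paths |
        apply_chattr
}

# Report the other symptoms from the thread: /var/log/secure turned into
# a directory (so nothing gets logged there) and the passwd binary gone.
# Returns 1 if either is present, 0 otherwise.
triage() {
    mnt=$1
    bad=0
    if [ -d "$mnt/var/log/secure" ]; then
        echo "WARN: $mnt/var/log/secure is a directory, not a log file"
        bad=1
    fi
    if [ ! -f "$mnt/usr/bin/passwd" ]; then
        echo "WARN: $mnt/usr/bin/passwd is missing"
        bad=1
    fi
    return $bad
}

# Usage: sh triage.sh /mnt/victim        (dry run)
#        DRY_RUN=0 sh triage.sh /mnt/victim
if [ -n "${1:-}" ]; then
    triage "$1"
    clear_immutable "$1"
fi
```

After the flags are cleared, the rest of the reply still applies: run rkhunter and chkrootkit against the mounted image, copy off user data, and rebuild rather than trusting the cleaned system.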