Mailing List Archive: Gentoo: Security

Weird problems, unable to login as root.

Index | Next | Previous | View Threaded

petekarl at student

Feb 11, 2005, 8:56 AM

Post #1 of 11 (1214 views)
Permalink

Weird problems, unable to login as root.

Hi!

I'm experiencing some weird problems with my gentoo install. I can't log
in as root; it seems like the password has been changed/screwed up. Has
anyone else had similar experiences? I may have had a break-in but I don't
run any public services, and the local services I use
(X (+xdm),vixie-cron (+anacron),syslog-ng,ntpdate,dhcpcd) don't listen for
ip (tcp/udp). Furthermore I don't run a local firewall on my machine since
I haven't learned iptables rules yet (it's on my todo-list), but my
adsl-modem has a built-in firewall which, according to the shieldsup site,
does a pretty good job at hiding my 'puter. This leads me to think that an
'emerge' has gone wrong. According to my emerge.log I installed libcaps on
4th feb. but /sbin/{getpcaps,setpcaps,sucap,execcap} are installed on 10th
feb. Strange indeed! This is the second time I've had strange problems
with gentoo; the first time my /root/.bash_history was of size 0 (zero)
which led to a re-format and re-install. What to do?

How is the emerge/portage system audited/secured? Can someone put up a
ebuild with trojans in them?

FYI: I'm typing this from a knoppix cdrom boot...

Best regards

Peter K

--
gentoo-security [at] gentoo mailing list

john at viperlin

Feb 11, 2005, 9:17 AM

Post #2 of 11 (1173 views)
Permalink

Re: Weird problems, unable to login as root. [In reply to]

it would be amazingly unlikely that someone has compromised your box
without them sending you a trojan and even then, trojans are rather
ineffective unless you run them as root..
if your in knoppix mount your / partition with /etc on, and use a text
editor to change /etc/shadow the top line will look something like this:

root:$1$O6TTb8zH$zpsf/sfslfka0dj9Av:12300:0:::::
delete the hash to leave
root::12300:0:::::

click save, do the same in /etc/shadow- (a backup password file) and
reboot, your root password will be blank.

should get you going again :)

On Fri, 2005-02-11 at 16:56 +0100, Peter Karlsson wrote:
> Hi!
>
> I'm experiencing some weird problems with my gentoo install. I can't log
> in as root; it seems like the password has been changed/screwed up. Has
> anyone else had similar experiences? I may have had a break-in but I don't
> run any public services, and the local services I use
> (X (+xdm),vixie-cron (+anacron),syslog-ng,ntpdate,dhcpcd) don't listen for
> ip (tcp/udp). Furthermore I don't run a local firewall on my machine since
> I haven't learned iptables rules yet (it's on my todo-list), but my
> adsl-modem has a built-in firewall which, according to the shieldsup site,
> does a pretty good job at hiding my 'puter. This leads me to think that an
> 'emerge' has gone wrong. According to my emerge.log I installed libcaps on
> 4th feb. but /sbin/{getpcaps,setpcaps,sucap,execcap} are installed on 10th
> feb. Strange indeed! This is the second time I've had strange problems
> with gentoo; the first time my /root/.bash_history was of size 0 (zero)
> which led to a re-format and re-install. What to do?
>
> How is the emerge/portage system audited/secured? Can someone put up a
> ebuild with trojans in them?
>
> FYI: I'm typing this from a knoppix cdrom boot...
>
> Best regards
>
> Peter K
>
> --
> gentoo-security [at] gentoo mailing list
>

--
gentoo-security [at] gentoo mailing list

petekarl at student

Feb 11, 2005, 9:36 AM

Post #3 of 11 (1175 views)
Permalink

Re: Weird problems, unable to login as root. [In reply to]

On Fri, 11 Feb 2005, John Servo wrote:

> it would be amazingly unlikely that someone has compromised your box
> without them sending you a trojan and even then, trojans are rather
> ineffective unless you run them as root..
> if your in knoppix mount your / partition with /etc on, and use a text
> editor to change /etc/shadow the top line will look something like this:
>
> root:$1$O6TTb8zH$zpsf/sfslfka0dj9Av:12300:0:::::
> delete the hash to leave
> root::12300:0:::::
>
> click save, do the same in /etc/shadow- (a backup password file) and
> reboot, your root password will be blank.
>
> should get you going again :)

But why would this happen? And, thanks for the info but I changed the
password via chroot'ing from knoppix...

Thanks for the input!

Best regards

Peter K

--
gentoo-security [at] gentoo mailing list

Barry.Schwartz at chemoelectric

Feb 11, 2005, 9:54 AM

Post #4 of 11 (1170 views)
Permalink

Re: Weird problems, unable to login as root. [In reply to]

Peter Karlsson <petekarl [at] student> wrote:
> But why would this happen?

Maybe it's a library-related problem. Have you tried a
revdep-rebuild? Maybe you have old software linking to new libraries
that it doesn't understand. Also maybe you should check that you
built glibc with the Linux headers you have installed currently.

--
Barry.Schwartz [at] chemoelectric http://www.chemoelectric.org
"I have directed that in the future I sign each letter." -- Rumsfeld

nick77 at dtnspeed

Feb 11, 2005, 10:11 AM

Post #5 of 11 (1170 views)
Permalink

Re: Weird problems, unable to login as root. [In reply to]

Had this happen when "emerge --update world" updated the pam libs, but
did not update shadow and login. A re-emerge of these packages fixed
things up just fine.

On Fri, 2005-02-11 at 10:54 -0600, Barry.Schwartz [at] chemoelectric
wrote:
> Peter Karlsson <petekarl [at] student> wrote:
> > But why would this happen?
>
> Maybe it's a library-related problem. Have you tried a
> revdep-rebuild? Maybe you have old software linking to new libraries
> that it doesn't understand. Also maybe you should check that you
> built glibc with the Linux headers you have installed currently.

--
Paul Nicholas McCubbins <nick77 [at] dtnspeed>

--
gentoo-security [at] gentoo mailing list

rpfc at mega

Feb 11, 2005, 10:12 AM

Post #6 of 11 (1176 views)
Permalink

Re: Weird problems, unable to login as root. [In reply to]

> This is the second time I've had strange problems
> with gentoo; the first time my /root/.bash_history was of size 0 (zero)
> which led to a re-format and re-install. What to do?

I don't get it. Why re-formet and reinstall gentoo when .bash_history
was of size 0?! You can delete that file anytime and your system will
still work. You can also redirect it do /dev/null ending up with no bash
history at all and your system will still work!

--
Rui Covelo
http://ruicovelo.2ya.com

--
gentoo-security [at] gentoo mailing list

petekarl at student

Feb 11, 2005, 10:20 AM

Post #7 of 11 (1168 views)
Permalink

Re: Weird problems, unable to login as root. [In reply to]

On Fri, 11 Feb 2005 Barry.Schwartz [at] chemoelectric wrote:

> Maybe it's a library-related problem. Have you tried a
> revdep-rebuild? Maybe you have old software linking to new libraries
> that it doesn't understand. Also maybe you should check that you
> built glibc with the Linux headers you have installed currently.

I'll try the revdep-rebuild, thanks! The only binary apps/modules I have
on my system is fglrx, well except I downloaded the ut2004 demo but that
is installed in my user $HOME (with user ownership of course). But my
gentoo install is from the 4th feb... And I made sure that glibc are built
with the 2.6.8.1 headers since I use nptl (I use the developer stage 1
with nptl method in the gentoo wiki, with some tweaks - I use only ext2
and ext3 instead of reiserfs and I don't install everything that he does,
I also use a more conservative USE flag - and since the gentoo livecd
doesn't work for me, because of adaptec scsi, I use knoppix to build the
system). After building the kernel (and reboot) I also rebuilt glibc.

Best regards

Peter K

--
gentoo-security [at] gentoo mailing list

petekarl at student

Feb 11, 2005, 10:24 AM

Post #8 of 11 (1169 views)
Permalink

Re: Weird problems, unable to login as root. [In reply to]

On Fri, 11 Feb 2005, Paul Nicholas McCubbins wrote:

> Had this happen when "emerge --update world" updated the pam libs, but
> did not update shadow and login. A re-emerge of these packages fixed
> things up just fine.

Ok, but I don't remember any pam update. And my install is from 4th feb.
2005, i.e. 7 days ago... I'll check. Thanks anyway!

Best regards

Peter K

--
gentoo-security [at] gentoo mailing list

petekarl at student

Feb 11, 2005, 10:29 AM

Post #9 of 11 (1162 views)
Permalink

Re: Weird problems, unable to login as root. [In reply to]

On Fri, 11 Feb 2005, Rui Covelo wrote:

> I don't get it. Why re-formet and reinstall gentoo when .bash_history
> was of size 0?! You can delete that file anytime and your system will
> still work. You can also redirect it do /dev/null ending up with no bash
> history at all and your system will still work!

Well, according to what I've learned is that when root's account has been
exploited, and a rootkit has been installed with root priv's this has been
recorded in root's bash_history file which subsequently gets erased by
the rootkit install. I may be too paranoid... ;-)

Best regards

Peter K

--
gentoo-security [at] gentoo mailing list

rpfc at mega

Feb 11, 2005, 10:40 AM

Post #10 of 11 (1172 views)
Permalink

Re: Weird problems, unable to login as root. [In reply to]

Peter Karlsson wrote:

> Well, according to what I've learned is that when root's account has been
> exploited, and a rootkit has been installed with root priv's this has been
> recorded in root's bash_history file which subsequently gets erased by
> the rootkit install. I may be too paranoid... ;-)
>
> Best regards
>
> Peter K

Ok. Makes more sense now ;)

--
Rui Covelo
http://ruicovelo.2ya.com

--
gentoo-security [at] gentoo mailing list

Barry.Schwartz at chemoelectric

Feb 11, 2005, 11:18 AM

Post #11 of 11 (1167 views)
Permalink

Re: Weird problems, unable to login as root. [In reply to]

Paul Nicholas McCubbins <nick77 [at] dtnspeed> wrote:
> Had this happen when "emerge --update world" updated the pam libs, but
> did not update shadow and login. A re-emerge of these packages fixed
> things up just fine.

That's the kind of "revdep-rebuild" situation I suspected. The same
thing happened to me when I neglected revdep-rebuild and keeping glibc
synchronized with linux headers, though in my case what happened is I
couldn't build some things.

--
Barry.Schwartz [at] chemoelectric http://www.chemoelectric.org
"I have directed that in the future I sign each letter." -- Rumsfeld

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads