On 16 Feb 2011 12:34, "Nico Kadel-Garcia" nkadel@gmail.com wrote:
> Uh-oh. Has your developer, or you, been editing the /etc/passwd, /etc/shadow, /etc/group, or /etc/gshadow files manually?

Nope.

> And do you use NIS or LDAP for authentication?

Nope.

> And this is a publicly exposed webserver, right? How fast can you rebuild it if it's been rootkitted?

How long is a piece of string? As quick as I can reupload the data, but that's another issue for another day.

> Check the /etc/shadow and /etc/group for consistent numbers of entries, and /etc/group and /etc/gshadow.

Do you mean duplicate entries? If so there are none of those.

> Do you have other users who can still log in or not?

There is only the root and web dev user on this box.

Thanks for your input Nico :)

--James. (This email was sent from a mobile device)
On Wed, Feb 16, 2011 at 7:43 AM, James Bensley jwbensley@gmail.com wrote:
> On 16 Feb 2011 12:34, "Nico Kadel-Garcia" nkadel@gmail.com wrote:
>> Uh-oh. Has your developer, or you, been editing the /etc/passwd, /etc/shadow, /etc/group, or /etc/gshadow files manually?
>
> Nope.
>
>> And do you use NIS or LDAP for authentication?
>
> Nope.
>
>> And this is a publicly exposed webserver, right? How fast can you rebuild it if it's been rootkitted?
>
> How long is a piece of string? As quick as I can reupload the data, but that's another issue for another day.
>
>> Check the /etc/shadow and /etc/group for consistent numbers of entries, and /etc/group and /etc/gshadow.
>
> Do you mean duplicate entries? If so there are none of those.

No, I mean the same number of entries.

    wc /etc/shadow /etc/passwd
    cut -f1 -d: /etc/shadow /etc/passwd | sort | uniq -c

And actually go line by line down these files, checking for matching usernames, correct layout of ':' separated entries, correct numbers of entries, and blank lines. I've seen serious problems where one or the other of these files was corrupted by something, especially badly written installer scripts that only edited /etc/passwd directly and ignored /etc/shadow, or which mishandled "$" entries in newly created encrypted passwords.

>> Do you have other users who can still log in or not?
>
> There is only the root and web dev user on this box.
>
> Thanks for your input Nico :)
>
> --James. (This email was sent from a mobile device)

Are you *sure*? Can you back this thing up for review and rebuilding? It might be safest to image it for analysis and simply rebuild it.
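The line-by-line check Nico describes, scripted as an added example (this is not code from the thread). It takes the passwd and shadow files as arguments and, rather than touching /etc, builds constructed sample files in a temporary directory: a consistent pair and a broken pair of the kind he describes.

```shell
#!/bin/sh
# Added example (not from the thread): Nico's line-by-line passwd/shadow check
# as a script. It reports blank lines, wrong field counts (7 in passwd, 9 in
# shadow), usernames present in only one file, duplicate UIDs, empty password
# fields, and shadow hashes that are neither a lock marker (! or *) nor a full
# $id$salt$hash string, which is what a script that mishandles "$" leaves
# behind (legacy DES hashes are reported too). Exit 0 = consistent, 1 = problems.
field_count_check() {  # $1 = file, $2 = expected number of ':'-separated fields
    awk -F: -v want="$2" '$0 != "" && NF != want {
        print FILENAME ":" FNR ": " NF " fields, expected " want; bad = 1 }
        END { exit bad }' "$1"
}
check_passwd_shadow() {  # $1 = passwd file, $2 = shadow file
    pw="$1"; shd="$2"; rc=0
    if grep -n '^$' "$pw" "$shd"; then echo "blank line(s) listed above"; rc=1; fi
    field_count_check "$pw" 7 || rc=1
    field_count_check "$shd" 9 || rc=1
    awk -F: -v pw="$pw" '
        $0 == "" { next }
        FILENAME == pw {  # passwd side: remember names, spot UID clashes
            inpw[$1] = 1
            if ($3 in uid) { print "duplicate UID " $3 ": " uid[$3] " and " $1; bad = 1 }
            uid[$3] = $1
            next }
        {  # shadow side: remember names, inspect the hash field
            insh[$1] = 1
            if ($2 == "") { print "empty password field: " $1; bad = 1 }
            if ($2 != "" && $2 !~ /^[!*]/ && $2 !~ /^\$[0-9a-z]+\$.+\$.+/) {
                print "malformed hash for " $1 ": " $2; bad = 1 } }
        END {
            for (u in inpw) if (!(u in insh)) { print "in passwd only: " u; bad = 1 }
            for (u in insh) if (!(u in inpw)) { print "in shadow only: " u; bad = 1 }
            exit bad }' "$pw" "$shd" || rc=1
    return $rc
}
# Constructed sample files (not the server from the thread) in a temp dir; the
# "bad" pair has a trailing blank line, a webmaster entry that shares webdev's
# UID and exists only in passwd, and a webdev shadow line whose "$"s were lost.
make_samples() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nwebdev:x:500:500::/home/webdev:/bin/bash\n' > "$d/passwd.good"
    printf 'root:$6$salt$hash:15000:0:99999:7:::\nwebdev:$6$salt$hash:15000:0:99999:7:::\n' > "$d/shadow.good"
    printf 'root:x:0:0:root:/root:/bin/bash\nwebdev:x:500:500::/home/webdev:/bin/bash\nwebmaster:x:500:500::/var/www:/bin/bash\n\n' > "$d/passwd.bad"
    printf 'root:$6$salt$hash:15000:0:99999:7:::\nwebdev:6salthash:15000:0:99999:7::\n' > "$d/shadow.bad"
    echo "$d"
}
samples=$(make_samples)
check_passwd_shadow "$samples/passwd.good" "$samples/shadow.good" && echo "good pair: consistent"
check_passwd_shadow "$samples/passwd.bad" "$samples/shadow.bad" || echo "bad pair: problems found"
```

On a real box run `check_passwd_shadow /etc/passwd /etc/shadow` as root; `pwck -r` from shadow-utils performs a related read-only sanity check of the same files.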
Nico Kadel-Garcia wrote:
> On Wed, Feb 16, 2011 at 7:43 AM, James Bensley jwbensley@gmail.com wrote:
>> On 16 Feb 2011 12:34, "Nico Kadel-Garcia" nkadel@gmail.com wrote:
> <snip>
>>> Do you have other users who can still log in or not?
>>
>> There is only the root and web dev user on this box.
> <snip>

What does lastlog | grep -v Never show you?

mark
On 16 February 2011 14:17, m.roth@5-cent.us wrote:
> What does lastlog | grep -v Never show you?

Hi Mark,

This has shown something (potentially) interesting:

    [root@server ~]# lastlog | grep -v Never
    Username         Port     From             Latest
    root             pts/2    x.x.x.x          Wed Feb 16 13:41:40 +0000 2011
    webmaster        pts/2    y.y.y.y          Sun Dec 14 03:46:07 +0000 2008

So, I am logged in as root right now; however, the 'webmaster' entry is what is interesting me. The y.y.y.y address is the web dev's address (he hasn't logged in since Sunday; he notified me yesterday, when he tried to get back on, that he couldn't).

However, he always uses the webdev account, which lastlog shows as never logged in, so when accessing the VPS as the webdev user account are we somehow actually accessing the VPS as webmaster? Is it possible the VPS providers performed some crazy voodoo magic here?

Perhaps I should change the password for the webmaster account (this doesn't have one according to the passwd file), so I could 'su - webmaster', set a password and then try and login as the webdev user? Or is this possibly going to make matters worse?
On 02/16/11 6:27 AM, James Bensley wrote:
> However, he always uses the webdev account, which lastlog shows as never logged in, so when accessing the VPS as the webdev user account are we somehow actually accessing the VPS as webmaster? Is it possible the VPS providers performed some crazy voodoo magic here?

Do webdev and webmaster have the same UID in /etc/passwd?

No

--James. (This email was sent from a mobile device)