[CentOS] Authentication Problems

Wed Feb 16 12:50:32 UTC 2011
Nico Kadel-Garcia <nkadel at gmail.com>

On Wed, Feb 16, 2011 at 7:43 AM, James Bensley <jwbensley at gmail.com> wrote:
> On 16 Feb 2011 12:34, "Nico Kadel-Garcia" <nkadel at gmail.com> wrote:
>>
>> Uh-oh. Has your developer, or you, been editing the /etc/passwd,
>> /etc/shadow, /etc/group, or /etc/gshadow files manually?
>
> Nope.
>
>> And do you
>> use NIS or LDAP for authentication?
>
> Nope.
>
>> And this is a publicly exposed
>> webserver, right? How fast can you rebuild it if it's been rootkitted?
>
> How long is a piece of string? As quick as I can reupload the data, but
> that's another issue for another day.
>
>> Check the /etc/shadow and /etc/group for consistent numbers of
>> entries, and /etc/group and /etc/gshadow.
>
> Do you mean duplicate entries? If so there are none of those.

No, I mean the same number of entries.

     wc /etc/shadow /etc/passwd
     cut -f1 -d: /etc/shadow /etc/passwd | sort | uniq -c

And actually go line by line down these files, checking for matching
usernames, correct layout of ':' separated entries, correct numbers of
entries, and blank lines. I've seen serious problems where one or the
other of these files were corrupted by something, especially badly
written installer scripts that only edited /etc/passwd directly and
ignored /etc/shadow, or which mishandled "$" entries in newly created
encrypted passwords.

>> Do you have other users who
>> can still log in or not?
>
> There is only the root and web dev user on this box.
>
> Thanks for your input Nico :)
>
> --James. (This email was sent from a mobile device)

Are you *sure*? Can you back this thing up for review and rebuilding?
It might be safest to image it for analysis and simply rebuild it.
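The line-by-line checks Nico describes (matching usernames, correct number of ':' separated fields, blank lines), written out as a script. This is an added example, not code from the mail or from CentOS; the usernames, file contents and hash strings in the two sample pairs are constructed placeholders, so it runs without root. Against a real host you would run check_passwd_shadow /etc/passwd /etc/shadow as root, since /etc/shadow is not world-readable.

```shell
#!/bin/sh
# Added example (not from Nico's mail): the passwd/shadow consistency checks he
# lists, run against constructed sample files. Usernames, file contents and
# hash strings are placeholders. On a real host, as root:
#     check_passwd_shadow /etc/passwd /etc/shadow

# Report each non-blank line of file $1 whose ':'-field count is not $2; return 1 if any.
check_field_count() {
    awk -F: -v file="$1" -v want="$2" '
        /^[ \t]*$/ { next }   # blank lines are reported separately
        NF != want { printf "%s:%d: expected %d fields, got %d\n", file, NR, want, NF; bad = 1 }
        END { exit bad }' "$1"
}

# Report duplicate names in the sorted name list $1 (labelled $2); return 1 if any.
report_dups() {
    rd_dups=$(uniq -d "$1")
    [ -z "$rd_dups" ] && return 0
    echo "$2: duplicate username(s): $(printf '%s\n' "$rd_dups" | tr '\n' ' ')"
    return 1
}

# Report names in sorted list $1 that are missing from sorted list $2; return 1 if any.
report_only_in() {
    ro_only=$(comm -23 "$1" "$2")
    [ -z "$ro_only" ] && return 0
    echo "in $3 but not $4: $(printf '%s\n' "$ro_only" | tr '\n' ' ')"
    return 1
}

# Print problems on stdout; return 0 if passwd file $1 and shadow file $2 agree.
check_passwd_shadow() {
    cps_rc=0
    cps_tmp=$(mktemp -d) || return 2

    # 1. Blank lines, one of the things Nico says to look for.
    for cps_f in "$1" "$2"; do
        if grep -q '^[[:space:]]*$' "$cps_f"; then
            echo "$cps_f: contains blank line(s)"; cps_rc=1
        fi
    done

    # 2. Field layout: 7 fields per passwd line, 9 per shadow line.
    check_field_count "$1" 7 || cps_rc=1
    check_field_count "$2" 9 || cps_rc=1

    # 3. Username sets. Nico's `cut -f1 -d: shadow passwd | sort | uniq -c` flags
    #    any name whose count is not 2; comm additionally says which file lacks it.
    cut -d: -f1 "$1" | grep -v '^[[:space:]]*$' | sort > "$cps_tmp/p"
    cut -d: -f1 "$2" | grep -v '^[[:space:]]*$' | sort > "$cps_tmp/s"
    report_dups "$cps_tmp/p" "$1" || cps_rc=1
    report_dups "$cps_tmp/s" "$2" || cps_rc=1
    report_only_in "$cps_tmp/p" "$cps_tmp/s" "$1" "$2" || cps_rc=1   # passwd-only names
    report_only_in "$cps_tmp/s" "$cps_tmp/p" "$2" "$1" || cps_rc=1   # shadow-only names

    rm -rf "$cps_tmp"
    return $cps_rc
}

# Constructed consistent pair: same three names in both files, correct field counts.
write_clean_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
webdev:x:500:500:Web developer:/home/webdev:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$PLACEHOLDER$notarealhash0000000000:15000:0:99999:7:::
webdev:$1$PLACEHOLDER$notarealhash0000000000:15000:0:99999:7:::
apache:!!:15000:0:99999:7:::
EOF
}

# Constructed broken pair: an installer added "deploy" to passwd only, left a
# blank line behind, and the webdev shadow line lost its last three fields.
write_corrupt_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
webdev:x:500:500:Web developer:/home/webdev:/bin/bash
deploy:x:501:501:Added by installer:/home/deploy:/bin/bash

EOF
    cat > "$1/shadow" <<'EOF'
root:$1$PLACEHOLDER$notarealhash0000000000:15000:0:99999:7:::
webdev:$1$PLACEHOLDER$notarealhash0000000000:15000:0:99999:7
EOF
}

demo=$(mktemp -d)
write_clean_sample "$demo"
check_passwd_shadow "$demo/passwd" "$demo/shadow" && echo "clean sample: consistent"
write_corrupt_sample "$demo"
check_passwd_shadow "$demo/passwd" "$demo/shadow" || echo "corrupt sample: problems found"
rm -rf "$demo"
```

The three reports map onto Nico's list: blank lines, the ':' layout (7 and 9 fields), and the username sets, where a name that appears in /etc/passwd but not /etc/shadow is exactly the footprint of the installer-script bug he mentions. The same checks apply unchanged to /etc/group and /etc/gshadow with field counts 4 and 4.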