topic Re: manipulating login process in Operating System - HP-UX

manipulating login process

JRiggs — Mon, 01 Apr 2002 06:20:20 GMT

hi,

i have question in manipulating login process.

aside from /etc/warnings and /etc/motd are their other files that can be edited by hackers?

an experts advise would greatly help me secure our servers.

thanks in advance
Jr

Re: manipulating login process

Deepak Extross — Mon, 01 Apr 2002 07:09:11 GMT

Well actually, these "relatively harmless" files, and are not considered to be the first choice of hackers. Instead, I'd be on the lookout for root shells, trojans, unauthorised .rhosts files, executables with user-bit on, etc.
Have a look at http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x1cd9f715edc6d5118ff10090279cd0f9,00.html

Hope this helps.

Re: manipulating login process

Deepak Extross — Mon, 01 Apr 2002 07:14:55 GMT

To answer your question, a hacker (if he/she gets root permissions) can modify or delete EVERY FILE in your system.
If the security of an ordinary user (non-root) is compromised, all files owned by that user / group and all files on which that user has write permissions are vulnerable.

Re: manipulating login process

John Carr_2 — Mon, 01 Apr 2002 08:25:53 GMT

HI

YES every single file on the system and sometimes other systems when drives are mounted across networks subject to the login the hacker has entered. If he has root then the last file I would have any concern about is motd "message Of The Day" this is just a notice board.

cheers
John.

Re: manipulating login process

Bill Hassell — Mon, 01 Apr 2002 15:14:24 GMT

The first place to start with system security is the permissions of all files and most important: directories. If you have not modified /etc/profile and /etc/csh.login to include the statement: umask 022 (or perhaps the more secure: umask 077) then every file and directory created since the system was first booted is no longer trustworthy.

To see how bad is is on your system, run this command:

find /sbin /etc /dev /usr /opt -xdev -type d -o -type f perm -002 -exec /usr/bin/ll {} \;

All the files and directories listed are wide open to anyone on the system (root access is not necessary). Permissions that are 666 or 777 are big RED flags! This is especially true in /dev (for disks and tapes) as well as /etc and the rest of the operating system directories.

Re: manipulating login process

Mark Greene_1 — Mon, 01 Apr 2002 15:37:07 GMT

>To see how bad is is on your system, run this command:
>
>find /sbin /etc /dev /usr /opt -xdev -type d -o -type f perm -002 -exec /usr/bin/ll {} \;

Bill,

Thanks for posting the above, very helpful stuff. For anyone getting the error message:

find: missing conjunction

just add a dash (-) in front of perm

mark