topic Re: reboot in Operating System - HP-UX

reboot

Tarek — Thu, 22 Nov 2001 15:30:33 GMT

Hi there,
i have a problem.
I think that a user had known the root password and now he had set some privileges to himself. I have seen in the log file that this user made a reboot, so he had set privileges to himself, right?? But where?
What command did he use?
He did the same thing also on a sun, solaris8. How can i disable it on both sun and hp?
Thanks
Tarek

Re: reboot

harry d brown jr — Thu, 22 Nov 2001 15:36:17 GMT

One look at /etc/shutdown.allow? - something like that.

Second, look for any program that has the "setuid" or "setgid". Do a man on find, it describes it there.

third, immediately change the root passwd.

fourth, look at /etc/passwd and /etc/group to make sure they haven't addded themselves as "root" - uid = 0.

fifth, look for .rhosts files, also check /etc/host.equiv.

sixth, go to this link and print it, it has most of what you need to "secure" your server.

http://people.hp.se/stevesk/bastion.html

seventh, go kick their butt!

live free or die
harry

Re: reboot

G. Vrijhoeven — Thu, 22 Nov 2001 15:37:05 GMT

Hi,

this could be lots of things.

1. set-user-id bit on script
2. .rhosts file root
3. set priv group (only HP)
4. second userid 0 in passwd
etc.

Gideon

Re: reboot

Darrell Allen — Thu, 22 Nov 2001 15:39:03 GMT

Hi,

First, change the root password.

Verify there are no other superuser accounts in /etc/passwd (uid = 0).
Check /etc/hosts.equiv and root's .rhosts file.
Look for suid root files. I think you can use find. Check the man page. I'm not at a UNIX machine right now.

You may want to consider locking his account (passwd -l loginid) until you get this straightened out. That may be a political issue in your company so you may want to be sure of your facts before doing so.

That's a start.

Darrell

Re: reboot

RikTytgat — Thu, 22 Nov 2001 16:46:09 GMT

Hi,

In which logfile did you see that the user did a reboot?

Can you include the logging?

Bye,

Rik.

Re: reboot

Marco Paganini — Thu, 22 Nov 2001 17:15:10 GMT

Hello tarek,

You have a long way to go to make sure your system is not compromised. If you had a "casual" user getting the root password, it may be fine. However, it's really complicated to make sure that there are no holes in the system once somebody got root privileges there.

Things to look for:

/etc/passwd and /etc/group: Check for gid=0 and uid=0 for anybody

setuid scripts and programs: Look for setuid/setgid programs. You can use find (and the -perm option) to do that. For more details, man find.

host equivalence: Check .rhosts and /etc/hosts.equiv. You'll have to check every .rhosts file in your system.

NFS: make sure your user didn't force the no_squash option.

/etc/shutdown.allow: Make sure your user didn't put his username here.

Anyway, these are some *basic* measures. If you're having security problems of this nature, you should consider tripwire or something else that checks your entire system. Also, don't forget that he may have installed a "rootkit" allowing him to come back later even if you take care of all obvious holes.

Hope it helps,
Paga

Re: reboot

Frank Li — Fri, 23 Nov 2001 01:12:16 GMT

Beside above , he maybe issue " sam -r " command to assign shutdown/reboot right to himself .

Re: reboot

Sanjay_6 — Fri, 23 Nov 2001 02:48:53 GMT

Hi Tarek,

I'm surprised you have a user who even if he knows the root password, rebooted a system he is not supposed to. What kind of environment you have over there. I don't think i have a user who can pull such a stunt on me, will certainly like to kick his, you know what. Happy hunting.

Regds

Re: reboot

Steven Sim Kok Leong — Fri, 23 Nov 2001 02:59:16 GMT

Hi,

I would suggest that you enable your HP-UX to be trusted so that you can enable auditing of both users and system calls.

Though the log may be considerable, it may be worthwhile in your case to identify the user and the procedure used in the reboot.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com

Re: reboot

Deepak Extross — Fri, 23 Nov 2001 03:23:03 GMT

Well, since you know who this smartass user is, why don't you first check his $HOME/.sh_history file for clues?

Re: reboot

Roger Baptiste — Fri, 23 Nov 2001 04:31:09 GMT

1) Change the root password

2) Make your system Trusted

3) Check the system for suid files:
find / -type f $ -perm -04000 -o -perm -02000 $ \-exec ls -lg {} \;

Quickly scan through each of these files and see whether there is anything which is not supposed to be there. This is usually a favourite backdoor method of hackers or troublemakers to gain root access to the system.

If possible, bump the userid out of the system or atleast make it a issue with the management. In development environments i know programmers plant backdoors to gain root access for downloading and installing applications. But, Rebooting is a joke.
Just don't treat it as one.

-raj

Re: reboot

Tarek — Fri, 23 Nov 2001 12:33:01 GMT

Thanks all for your replies. For hp it's ok, but on Sun?? Can someone give me a tip?
In the passwd the gid and the uid are set as normal user. (It was the first thing i checked before asking this form). The log file i checked was the syslog.log. However i solved on hp, he had put his name in the shutdown.allow
Now i need a help on Sun if possible.
Thanks again.