topic Be Hacked: what is the login-authentication-flowchat in Operating System - Linux

Be Hacked: what is the login-authentication-flowchat

frederick van targero — Mon, 12 Aug 2002 13:48:51 GMT

i was bee hacked, one account can be login by telnet for root shell directory, but the others can't.
for normal root account can not login yet, so i think all of the secureety for telnet in /etc/ might have not bee admended;

the second, the /bin/login file is normal wich size and date,
third, once i delete the account and add the same account with the same password again, all the privious previleges disappear, so, it seems not bybass admend in login file.

now the question is : where the hacker revised so as for root telnet login?
in other words, what is the login-authentication-flowchat? i think it is pam-login-util, anything else? where can i get the source and documents?

thanks for your tips;
fredeick

ps: i do not want to reinstall my system at once, and i ususaly use ssh in place of telnet, i only want to know how the hacker can do that, and found the method to defend him.

tha

Re: Be Hacked: what is the login-authentication-flowchat

Jeffrey S. Sims — Mon, 12 Aug 2002 21:39:58 GMT

Checkout http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html for information on PAM

Also Checkout http://ctdp.tripod.com/os/linux/howlinuxworks/linux_hllogin.html for how login works.

If you have infact been compromised you should do a complete format and reload if that is possible. If that is not an option then run a check for installed trojans and rootkits as well as other exploits. Also you may want to run nmap to see what ports are open and close anything that you don't want open for traffic. You can get these tools from the internet, one for rootkits is http://www.chkrootkit.org/

Use google to find any other security scanners that you may need.

Hope it helps.

Re: Be Hacked: what is the login-authentication-flowchat

U.SivaKumar_2 — Tue, 13 Aug 2002 03:46:43 GMT

Hi,
For Defending a system against hacking , you
have understand the methods of hacking . This
will give you enough knowledge for selecting
proper firewalls or tools for the your network
security.
go through this site.
http://www.hackinglinuxexposed.com/

In your case I advise to reinstall the sytem as
soon as possible as lot of binaries will trojaned by the hacker. Some trojans may even launch a attack against some other innocent servers in internet. And prevent future attacks by knowing hacking methods from above said link.

regards,
U.SivaKumar

Re: Be Hacked: what is the login-authentication-flowchat

frederick van targero — Wed, 14 Aug 2002 03:15:13 GMT

i have assign points to both of you, why it always display "unsigned"?

Re: Be Hacked: what is the login-authentication-flowchat

K.C. Chan — Thu, 15 Aug 2002 13:21:18 GMT

Did you find out how the attacker got in? What method did he used? Please reply, so this way the rest of us can learn from it and secure our systems from future attacks regarding this exploit. Thanks.

Re: Be Hacked: what is the login-authentication-flowchat

frederick van targero — Fri, 16 Aug 2002 02:01:23 GMT

seems it comes from openssh, i use the ssh which come with RH73, version 3.1, may be it is the problem, whether it use one account(with bash of nologin) and password, can attached via openssh weakness?
where is the source and documents?
thanks

frederick

Re: Be Hacked: what is the login-authentication-flowchat

U.SivaKumar_2 — Fri, 16 Aug 2002 03:51:18 GMT

Hi,
Have a look at this advisory

http://www.cert.org/advisories/CA-2002-18.html

regards,
U.SivaKumar