Operating System - HP-UX

manipulating login process

 
JRiggs
Occasional Contributor

Hi,

I have a question about manipulating the login process.

Aside from /etc/warnings and /etc/motd, are there other files that can be edited by hackers?

An expert's advice would greatly help me secure our servers.

Thanks in advance
Jr


The choices you get are the choices you make
Deepak Extross
Honored Contributor

Re: manipulating login process

Well actually, these are "relatively harmless" files, and are not considered to be the first choice of hackers. Instead, I'd be on the lookout for root shells, trojans, unauthorised .rhosts files, executables with user-bit on, etc.
Have a look at http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x1cd9f715edc6d5118ff10090279cd0f9,00.html

Hope this helps.
Deepak Extross
Honored Contributor

Re: manipulating login process

To answer your question, a hacker (if he/she gets root permissions) can modify or delete EVERY FILE in your system.
If the security of an ordinary user (non-root) is compromised, all files owned by that user / group and all files on which that user has write permissions are vulnerable.
John Carr_2
Honored Contributor

Re: manipulating login process

Hi

YES, every single file on the system, and sometimes on other systems when drives are mounted across networks, subject to the login the hacker has entered. If he has root, then the last file I would have any concern about is motd ("Message Of The Day"); this is just a notice board.

cheers
John.
Bill Hassell
Honored Contributor

Re: manipulating login process

The first place to start with system security is the permissions of all files and most important: directories. If you have not modified /etc/profile and /etc/csh.login to include the statement: umask 022 (or perhaps the more secure: umask 077) then every file and directory created since the system was first booted is no longer trustworthy.

To see how bad it is on your system, run this command:

find /sbin /etc /dev /usr /opt -xdev -type d -o -type f perm -002 -exec /usr/bin/ll {} \;

All the files and directories listed are wide open to anyone on the system (root access is not necessary). Permissions that are 666 or 777 are big RED flags! This is especially true in /dev (for disks and tapes) as well as /etc and the rest of the operating system directories.


Bill Hassell, sysadmin
Mark Greene_1
Honored Contributor

Re: manipulating login process

>To see how bad it is on your system, run this command:
>
>find /sbin /etc /dev /usr /opt -xdev -type d -o -type f perm -002 -exec /usr/bin/ll {} \;

Bill,

Thanks for posting the above, very helpful stuff. For anyone getting the error message:

find: missing conjunction

just add a dash (-) in front of perm

mark
the future will be a lot like now, only later
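
Added example, not part of the original thread or any poster's code: a corrected form of the scan discussed above. Besides the dash in front of perm, it groups the two -type tests in \( \) so that -perm also applies to directories, because -o binds more loosely than the implied AND. The function names are made up here, and ls -ld stands in for /usr/bin/ll as an assumption so the scan also runs on systems other than HP-UX.

```shell
#!/bin/sh
# Added example: hypothetical helper functions, not from the thread.
# Pass the directories to scan as arguments, e.g. /sbin /etc /dev /usr /opt.

# Long listing of every world-writable file and directory.
#   -xdev         stay on the filesystem of each starting directory
#   \( ... \)     group the type tests; without the grouping, directories
#                 satisfy "-type d" and never reach -perm or -exec
#   -perm -002    true when the "other" write bit is set
#   ls -ld        assumption: replaces /usr/bin/ll (HP-UX shorthand for ls -l);
#                 -d lists a directory itself rather than its contents
world_writable() {
    find "$@" -xdev \( -type d -o -type f \) -perm -002 \
        -exec ls -ld {} \; 2>/dev/null
}

# Same scan, paths only. Save the output and diff it between runs to
# notice permissions that have changed since the last check.
world_writable_paths() {
    find "$@" -xdev \( -type d -o -type f \) -perm -002 -print 2>/dev/null
}

# World-writable directories without the sticky bit (01000). In these,
# any user can rename or delete files that belong to someone else, so
# they deserve attention before sticky ones such as a 1777 /tmp.
world_writable_no_sticky() {
    find "$@" -xdev -type d -perm -002 ! -perm -1000 -print 2>/dev/null
}
```

Symbolic links are skipped because only -type d and -type f are tested; their own mode bits are not meaningful.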