Re: reboot

Tarek
Super Advisor

reboot

Hi there,
I have a problem.
I think that a user knew the root password and has now set some privileges for himself. I have seen in the log file that this user did a reboot, so he must have set privileges for himself, right?? But where?
What command did he use?
He did the same thing on a Sun, Solaris 8. How can I disable it on both Sun and HP?
Thanks
Tarek
harry d brown jr
Honored Contributor

Re: reboot

One, look at /etc/shutdown.allow (or something like that).

Second, look for any program that has the "setuid" or "setgid". Do a man on find, it describes it there.

third, immediately change the root passwd.

fourth, look at /etc/passwd and /etc/group to make sure they haven't added themselves as "root" - uid = 0.

fifth, look for .rhosts files, also check /etc/hosts.equiv.

sixth, go to this link and print it, it has most of what you need to "secure" your server.

http://people.hp.se/stevesk/bastion.html

seventh, go kick their butt!

harry
Live Free or Die
G. Vrijhoeven
Honored Contributor

Re: reboot

Hi,

this could be lots of things.

1. set-user-id bit on script
2. .rhosts file root
3. set priv group (only HP)
4. second userid 0 in passwd
etc.

Gideon


Darrell Allen
Honored Contributor

Re: reboot

Hi,

First, change the root password.

Verify there are no other superuser accounts in /etc/passwd (uid = 0).
Check /etc/hosts.equiv and root's .rhosts file.
Look for suid root files. I think you can use find. Check the man page. I'm not at a UNIX machine right now.

You may want to consider locking his account (passwd -l loginid) until you get this straightened out. That may be a political issue in your company so you may want to be sure of your facts before doing so.

That's a start.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
RikTytgat
Honored Contributor

Re: reboot

Hi,

In which logfile did you see that the user did a reboot?

Can you include the logging?

Bye,

Rik.
Marco Paganini
Respected Contributor

Re: reboot

Hello tarek,

You have a long way to go to make sure your system is not compromised. If you had a "casual" user getting the root password, it may be fine. However, it's really complicated to make sure that there are no holes in the system once somebody got root privileges there.

Things to look for:

/etc/passwd and /etc/group: Check for gid=0 and uid=0 for anybody

setuid scripts and programs: Look for setuid/setgid programs. You can use find (and the -perm option) to do that. For more details, man find.

host equivalence: Check .rhosts and /etc/hosts.equiv. You'll have to check every .rhosts file in your system.

NFS: make sure your user didn't force the no_squash option.

/etc/shutdown.allow: Make sure your user didn't put his username here.

Anyway, these are some *basic* measures. If you're having security problems of this nature, you should consider tripwire or something else that checks your entire system. Also, don't forget that he may have installed a "rootkit" allowing him to come back later even if you take care of all obvious holes.

Hope it helps,
Paga
Keeping alive, until I die.
Frank Li
Trusted Contributor

Re: reboot

Besides the above, he may have issued the "sam -r" command to assign the shutdown/reboot right to himself.
Hi Friend
Sanjay_6
Honored Contributor

Re: reboot

Hi Tarek,

I'm surprised you have a user who, even if he knows the root password, rebooted a system he is not supposed to. What kind of environment do you have over there? I don't think I have a user who could pull such a stunt on me; I would certainly like to kick his, you know what. Happy hunting.

Regds
Steven Sim Kok Leong
Honored Contributor

Re: reboot

Hi,

I would suggest that you enable your HP-UX to be trusted so that you can enable auditing of both users and system calls.

Though the log may be considerable, it may be worthwhile in your case to identify the user and the procedure used in the reboot.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Deepak Extross
Honored Contributor

Re: reboot

Well, since you know who this smartass user is, why don't you first check his $HOME/.sh_history file for clues?
Roger Baptiste
Honored Contributor

Re: reboot


1) Change the root password

2) Make your system Trusted

3) Check the system for suid files:
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

Quickly scan through each of these files and see whether there is anything which is not supposed to be there. This is usually a favourite backdoor method of hackers or troublemakers to gain root access to the system.

If possible, bump the userid out of the system or at least make it an issue with the management. In development environments I know programmers plant backdoors to gain root access for downloading and installing applications. But rebooting is a joke.
Just don't treat it as one.

-raj
Take it easy.
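The replies above name four places to look: extra uid 0 accounts in /etc/passwd, names added to /etc/shutdown.allow, wildcard entries in .rhosts files, and setuid/setgid files found with find. The script below is an added example, not code posted by anyone in this thread. It bundles those checks into shell functions and runs them against constructed sample files in a scratch directory (a second uid 0 account "toor", "bob" added to shutdown.allow, a "+ +" .rhosts and a setuid copy of sh are all invented for the demonstration); on a real host you would point the functions at /etc/passwd, /etc/shutdown.allow, the home directories and / instead. It assumes the HP-UX shutdown.allow format of "host user" lines with '#' comments, and should behave the same on Solaris except that Solaris has no shutdown.allow.

```shell
#!/bin/sh
# Added example (not from the thread): audit the spots the replies above
# name for a self-granted privilege. Sample data below is constructed.

TMP=${TMPDIR:-/tmp}/privaudit.$$
mkdir -p "$TMP/home/bob"
trap 'rm -rf "$TMP"' EXIT

# Constructed sample data: a second uid 0 account, a user added to
# shutdown.allow, a wildcard .rhosts and a setuid copy of a shell.
cat > "$TMP/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
bob:x:105:20:Bob:/home/bob:/usr/bin/sh
toor:x:0:3::/:/sbin/sh
EOF
cat > "$TMP/shutdown.allow" <<'EOF'
# host user
+ root
+ bob
EOF
printf '+ +\n' > "$TMP/home/bob/.rhosts"
printf 'trusted.example.com\n' > "$TMP/hosts.equiv"
: > "$TMP/home/bob/sh"
chmod 4755 "$TMP/home/bob/sh"

# 1. Every account whose uid is 0; anything besides root is suspect.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# 2. Users granted shutdown/reboot rights in shutdown.allow (HP-UX).
#    Lines are "host user"; '+' as host means any host; '#' starts a comment.
shutdown_allow_users() {
    sed 's/#.*//' "$1" | awk 'NF >= 2 { print $2 }' | sort -u
}

# 3. .rhosts files under a tree whose host field is the '+' wildcard.
wildcard_rhosts() {
    find "$1" -name .rhosts -type f -exec grep -l '^+' {} \; 2>/dev/null
}

# 4. setuid/setgid regular files under a tree (the find from the replies).
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

echo "uid 0 accounts:";        uid0_accounts "$TMP/passwd"
echo "shutdown.allow users:";  shutdown_allow_users "$TMP/shutdown.allow"
echo "wildcard .rhosts:";      wildcard_rhosts "$TMP/home"
echo "setuid/setgid files:";   setuid_files "$TMP/home"
```

Run it as root on the real system with the paths swapped in; anything the four lists show beyond root, the vendor's own setuid binaries and the hosts you trust is what you need to explain. Compare the setuid list against a known-good copy (or a tripwire-style database) rather than eyeballing it once, since a replaced system binary looks normal in an ls listing.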
Tarek
Super Advisor

Re: reboot

Thanks all for your replies. For HP it's OK, but on Sun?? Can someone give me a tip?
In the passwd the gid and the uid are set as a normal user. (It was the first thing I checked before asking this forum.) The log file I checked was the syslog.log. However, I solved it on HP: he had put his name in shutdown.allow.
Now I need help on Sun if possible.
Thanks again.