Re: Server compromised

George_Dodds
Honored Contributor

Server compromised

Hi, it seems as if someone has been playing on one of my backup servers over the weekend.

Logged in as root and received an intruder alert at the prompt, and root seems to have lost a lot of its permissions.

whoami for any user brings up this intruder alert userid.

The userid isn't in the passwd file, and root's .profile has not been changed.

I've taken the server off the LAN and checked the syslog and sulog, but there's nothing of any use in there (this is an untrusted v11 system).

Any ideas on where I start on this?

Cheers

George
10 REPLIES
Patrick Wallek
Honored Contributor

Re: Server compromised

Check the permissions on your /etc/passwd file and the permissions on all other files. You could try swverify to check.

/etc/passwd permissions should be 444 (-r--r--r--) and if it is not you can see error messages similar to what you are seeing.
Kent Ostby
Honored Contributor

Re: Server compromised

This generally means that the password file is goofed up because some needed user id isn't in the /etc/passwd file.

Check permissions of /etc and /etc/passwd and the overall passwd file (i.e., copy it onto the system from a backup).

"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
Gordon  Morrison
Trusted Contributor

Re: Server compromised

George,
Have a GOOD look at your /etc/passwd file.
From the symptoms, it sounds like it's either been deleted or nullified. At the very least, some users (including root) have been removed from it.

I assume you must have an old root session logged on since before this happened. Don't log off until you have recovered the passwd file.
Obviously, also check what other files may be missing/compromised.
Good luck
What does this button do?
George_Dodds
Honored Contributor

Re: Server compromised

passwd file permissions are 444
Steven E. Protter
Exalted Contributor

Re: Server compromised

On an 11.00 system a false alarm can be triggered by the root filesystem getting full.

That can compress /etc/group or /etc/passwd to zero bytes.

It's also possible someone has been playing.

I'd recommend a thorough check of the system, including a scan for back doors.

A back door can be a copy of the shell with suid set on it. Consultants and miscreants commonly set such trapdoors so they can get in again in the future.

I'd also recommend a commercial program called tripwire.

It monitors binaries and configuration and can alert you of unauthorized changes. Hackers will often substitute their own programs for normal commands. Their programs will install back doors and do all kinds of bad things.

Finally, I'd get Bastille onto this system and harden it.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
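A baseline-and-diff scan for the kind of back door described in the post above (a copy of the shell with the setuid bit set, or a normal binary that has gained setuid/setgid), as an added example that is not code from the thread, from HP or from Tripwire. It is plain POSIX sh over find(1) and diff(1), so it runs on an HP-UX box with nothing extra installed. The baseline file location and the demonstration tree (with a fake su and a planted hidden .sh) are assumptions constructed for the example, not real system paths; in use you would take the baseline from a known-good system and keep it off the box.

```shell
#!/bin/sh
# Added example: list setuid/setgid regular files under a tree and compare the
# list against a baseline taken while the system was known-good.
#
#   find_suid /  > /var/adm/suid.baseline     # on a known-good system (path is an assumption)
#   suid_diff /  /var/adm/suid.baseline       # later: returns 1 and prints what changed

find_suid() {
    # -xdev stays on one filesystem; drop it to cross mount points.
    # Output: "<mode> <owner> <path>", sorted, so a shell that gains the s bit,
    # a binary whose owner changed, or a brand-new setuid file all show up.
    # (ls -ld output is split on whitespace, so paths with spaces are not handled.)
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $NF }' | sort
}

# Returns 0 when the current scan matches the baseline, 1 when it does not.
# Lines prefixed ">" are new or changed entries, "<" are entries that vanished.
suid_diff() {
    now=${TMPDIR:-/tmp}/suid.now.$$
    find_suid "$1" > "$now"
    if diff "$2" "$now" | grep '^[<>]'; then rc=1; else rc=0; fi
    rm -f "$now"
    return $rc
}

# Demonstration on a constructed tree (not a real system): take a baseline,
# then plant the classic back door, a setuid copy of the shell, and rescan.
# Returns 1 (something changed) and prints the offending entry.
suid_demo() {
    d=${TMPDIR:-/tmp}/suidscan.$$
    mkdir -p "$d/usr/bin" "$d/sbin"
    printf '#!/bin/sh\n' > "$d/usr/bin/su"; chmod 4755 "$d/usr/bin/su"   # a legitimate setuid binary
    printf '#!/bin/sh\n' > "$d/sbin/sh";    chmod 755  "$d/sbin/sh"      # the normal shell, no s bit
    find_suid "$d" > "$d/suid.baseline"
    cp "$d/sbin/sh" "$d/usr/bin/.sh"; chmod 4755 "$d/usr/bin/.sh"        # the planted back door
    if suid_diff "$d" "$d/suid.baseline"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

suid_demo
```

The scan only catches files that carry the s bit; a replaced binary that keeps its normal mode (the trojaned command substitution also mentioned above) needs a checksum baseline of the kind Tripwire keeps, which is the reason to run both.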
Kent Ostby
Honored Contributor

Re: Server compromised

George .. you need to also check the permissions of / and /etc as well as viewing the file via more or cat to see if it looks "reasonable".

"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
S.Rider
Regular Advisor

Re: Server compromised

Had a similar problem in a past life when someone edited /etc/passwd and had some difficulty remembering how to get out. Kinda obvious since the first line started with ":qot:0:". Since then, I've put a dummy user as the first line in all my /etc/passwd files so the root entry won't get clobbered in a case like this.
Yeah, Yeah, I know he should have used "vipw" but sometimes it's hard to protect against managers that insist on showing off their "vo skills". 8-)
Ride Boldly Ride, but watch out for El Dorado's
George_Dodds
Honored Contributor

Re: Server compromised

Right, there is a possibility that the root permissions problem could be down to a duff passwd synching script on another server.

But I can't explain the root prompt change and the response from whoami for all users.

The exact prompt is

Intruder Alert.@servername

There is an old version of tripwire on this server, but I haven't read anything that says it would throw up an alert in this way.

With a bit of luck it may just be down to a duff script, but I'm using it as an excuse to move to a more secure setup.

Any ideas on the prompt issue?

Ta

George
john korterman
Honored Contributor

Re: Server compromised

Hi,

Document id: BH9104032020
http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000007949869
(ancient document, I know)
but it states that a system under certain circumstances of changed file permissions may display "Intruder alert" instead of the user's name. Perhaps the .profile could be responsible for the rest of the prompt.


regards,
John K.

it would be nice if you always got a second chance
George_Dodds
Honored Contributor

Re: Server compromised

Figured it out: the script that updates the passwords from one server to the affected server for some reason put a blank line at the top of the passwd file.

As soon as this is done the kernel must spit out the intruder alert warning at the prompt.

I deleted the blank line and all is back to normal.

At least I learnt something new today :)
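A check the sync script could run before installing the file, as an added example that is not code from the thread or from HP. It is a POSIX sh function over a candidate passwd file that covers the faults raised across the thread: the blank line that turned out to be the root cause here, a ":qot:0:" line left by a fumbled editor session (S.Rider's post), the 444 mode Patrick mentions, plus a missing root entry, duplicate names, non-numeric ids and extra uid-0 accounts. The two sample files are constructed for the example; their entries are illustrative HP-UX-style lines, not taken from the page, and the temporary directory is an assumption.

```shell
#!/bin/sh
# Added example: sanity-check a passwd-format file before a sync script copies
# it into place. Usage: check_passwd /path/to/candidate ; returns 0 if clean,
# 1 otherwise, with one report line per problem.
check_passwd() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    rc=0
    # ls -l is used for the mode because stat(1) is not available everywhere.
    mode=$(ls -l "$f" | cut -c1-10)
    if [ "$mode" != "-r--r--r--" ]; then
        echo "$f: mode is $mode, expected -r--r--r-- (444)"
        rc=1
    fi
    awk -F: '
        /^$/                      { printf("line %d: blank line\n", NR); bad=1; next }
        NF != 7                   { printf("line %d: %d fields, expected 7\n", NR, NF); bad=1; next }
        $1 == ""                  { printf("line %d: empty user name\n", NR); bad=1 }
        $3 !~ /^[0-9]+$/          { printf("line %d: uid \"%s\" is not numeric\n", NR, $3); bad=1 }
        $4 !~ /^[0-9]+$/          { printf("line %d: gid \"%s\" is not numeric\n", NR, $4); bad=1 }
        seen[$1]++                { printf("line %d: duplicate user %s\n", NR, $1); bad=1 }
        $3 == "0" && $1 != "root" { printf("line %d: %s has uid 0\n", NR, $1); bad=1 }
        $1 == "root" && $3 == "0" { root=1 }
        END {
            if (!root) { print "no root entry with uid 0"; bad=1 }
            exit bad+0
        }' "$f" || rc=1
    return $rc
}

# Run the check on two constructed sample files (not real system files): one
# clean, one carrying the faults from the thread (blank first line, a ":qot:0:"
# editor leftover, a second uid-0 account, a duplicate user with a non-numeric
# uid, and mode 644). Prints each report, then a summary "good:<rc> bad:<rc>".
check_samples() {
    d=${TMPDIR:-/tmp}/passwdcheck.$$
    mkdir -p "$d"
    printf '%s\n' 'root:*:0:3:root:/:/sbin/sh' \
                  'daemon:*:1:5::/:/sbin/sh' \
                  'bin:*:2:2::/usr/sbin:/sbin/sh' > "$d/good"
    chmod 444 "$d/good"
    printf '%s\n' '' \
                  ':qot:0:' \
                  'root:*:0:3:root:/:/sbin/sh' \
                  'toor:*:0:3:second uid 0:/:/sbin/sh' \
                  'bin:*:2:2::/usr/sbin:/sbin/sh' \
                  'bin:*:x:2::/usr/sbin:/sbin/sh' > "$d/bad"
    chmod 644 "$d/bad"
    if check_passwd "$d/good"; then g=0; else g=1; fi
    if check_passwd "$d/bad";  then b=0; else b=1; fi
    rm -rf "$d"
    echo "good:$g bad:$b"
}

check_samples
```

Call it on the freshly generated file and refuse to copy it over /etc/passwd on a non-zero return; manual edits still belong in vipw, and the bundled pwck(1M), where your release has it, does a similar consistency pass.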