su fails

su fails

[Andrew Langdon-Davies]

As of a few days ago, when I do 'su' and enter the password at the prompt I 
get turned down with the reply 'Sorry'. I can login normally as either root 
or normal user. I have tried changing passwords but it makes no difference. 
It happens in text mode and with X running. This is Slackware 9.0 with 
windowmaker.
Is it possible something got messed up when I tried (unsuccesfully) to 
install Alsa the other day? I compiled, installed and removed several 
packets, including an rpm packet of modules using the nodeps option. 
Another thing that stopped working at about the same time was Lilo, which 
was on the root partition and now will only work from anywhere but there. 
From the root partition now I get the Lilo/Windows menu followed by a blank 
screen if I select Lilo. Windows works OK. I have no problems if I install 
Lilo on the MBR or a floppy.
So far, everything else seems to be working all right.
Sorry if this sounds a bit vague but I'm rather mystified myself.
TIA
Andrew
-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Ray Olszewski]

At 01:04 PM 7/14/2003 +0200, Andrew Langdon-Davies wrote:

>As of a few days ago, when I do 'su' and enter the password at the prompt 
>I get turned down with the reply 'Sorry'.

Does it say *only* "Sorry" or actually something like this (note the extra 
line):

         autovcr@kuryakin:~$ su
         Password:
         su: Authentication failure
         Sorry.
         autovcr@kuryakin:~$

>  I can login normally as either root or normal user. I have tried 
> changing passwords but it makes no difference. It happens in text mode 
> and with X running. This is Slackware 9.0 with windowmaker.

In my experience, a problem like this one (occurring in isolation) usually 
means a PAM problem. I don't know how Slackware has PAM set up, but Debian 
does it with a directory called  /etc/pam.d . Look there (or somewhere 
equivalent on Slackware) for an entry for "su" that tells PAM how to handle 
password requests from the su program. See if it got messed up somehow.

>Is it possible something got messed up when I tried (unsuccesfully) to 
>install Alsa the other day? I compiled, installed and removed several 
>packets, including an rpm packet of modules using the nodeps option.

Possible? Of course, though offhand I cannot see why ALSA would have any 
effect on encryption issues. So I'd guess not *likely* ... though I'd feel 
more confident about that guess if I knew what the "several packets" were, 
and especially what the anonymous "rpm packet of modules using the nodeps 
option" actually was.

>Another thing that stopped working at about the same time was Lilo, which 
>was on the root partition and now will only work from anywhere but there.
> From the root partition now I get the Lilo/Windows menu followed by a 
> blank screen if I select Lilo. Windows works OK. I have no problems if I 
> install Lilo on the MBR or a floppy.

Do you mean lilo the Linux application (used to install and configure the 
bootloader) or lilo the bootloader ityself (usually installed in the MBR of 
hda)?

If we are talking about the bootloader failing ... did you run the (Linux) 
"lilo" command anywhere along the way as part of your setup change? Or did 
you do any BIOS fiddling? Or did you make any changes to your kernel (since 
you mention ALSA, this seems at least plausible) then *not* run the (Linux) 
lilo command to update the bootloader? Is the information in /etc/lilo.conf 
accurate?

If we are talking about the application failing ... please describe what 
you do in more detail.

>So far, everything else seems to be working all right.
>Sorry if this sounds a bit vague but I'm rather mystified myself.

I'm afraid it does seem vague. I hope my questions at least serve to 
clarify the problem description, even if they do not directly lead you to a 
solution.



-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Andrew Langdon-Davies]

------- Forwarded message -------
Oops, Sorry
> On Mon, 14 Jul 2003 08:15:00 -0700, Ray Olszewski <ray@comarre.com> 
> wrote:
>
>> At 01:04 PM 7/14/2003 +0200, Andrew Langdon-Davies wrote:
>>
>>> As of a few days ago, when I do 'su' and enter the password at the 
>>> prompt I get turned down with the reply 'Sorry'.
>>
>> Does it say *only* "Sorry" or actually something like this (note the 
>> extra line):
>>
>> autovcr@kuryakin:~$ su
>> Password:
>> su: Authentication failure
>> Sorry.
>> autovcr@kuryakin:~$
>
> It says only "Sorry"
>
>> In my experience, a problem like this one (occurring in isolation) 
>> usually means a PAM problem.
>
> OK. Can't see anything like it. But I've reinstalled the shadow packet 
> and that has corrected the problem. Actually, I'd already tried that but 
> I think the other time I didn't uninstall the old one first.
>
> The lilo bit is not actually a problem as it is working fine from the 
> MBR. But just for the record, it was originally installed on the linux 
> root partition, /dev/hda2. When the su problem turned up, one thing I did 
> was reboot (that shows I'm an ex-Windows user!). At the red box with the 
> menu I chose Linux and the monitor went blank and then powered down. It 
> did the same every time. I booted with a rescue disk, ran fsck, checked 
> fstab and lilo.conf, ran lilo, reconfigured with liloconfig, tried 
> rebooting again after each change, first running lilo each time, to no 
> avail. Then I tried installing lilo on a floppy, which worked, so then I 
> installed it on the MBR. As that works fine I'm leaving it alone for now. 
> It would be nice to know what happened, though.
> Thanks anyway,
> Andrew



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[pa3gcu]

On Monday 14 July 2003 19:52, Andrew Langdon-Davies wrote:
> >> su: Authentication failure
> >> Sorry.
> >> autovcr@kuryakin:~$
> >
> > It says only "Sorry"
> >

NO it does not, it says, "Authentication failure" and then sorry.

I have encoured a simalar problem years ago, my problem was caused by a disk 
that was 100% full.
It may seem strange but AFAI see it, if the disk is full syslog(d) cannot 
write to /var/log/syslog and rejects connections, at least that is what i 
belive happend to me.

-- 
If the Linux community is a bunch of theives because they
try to imitate windows programs, then the Windows community
is built on organized crime.

Regards Richard
pa3gcu@zeelandnet.nl
http://people.zeelandnet.nl/pa3gcu/



-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Andrew Langdon-Davies]

>> >
>> > It says only "Sorry"
>> >
>
> NO it does not, it says, "Authentication failure" and then sorry.
>
I can assure you, sir, in spite of your block capitals, that it said just 
"Sorry". Which also surprised me, I may say, and attracted Mr Oswelski's 
attention too. I thought at the time it was a touch curt by Linux 
standards. But, as I say, I reinstalled shadow and it is now back to 
normal. So let us let bygones be bygones as I have no intention of 
reproducing the error to prove what I say.
Thanks for taking the trouble to write.
Andrew
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Andrew Langdon-Davies]

On Mon, 14 Jul 2003 15:39:01 -0700, Stephen Samuel <samuel@bcgreen.com> 
wrote:

> It sounds to me like you've been rooted, and somebody installed
> a trojan.  I'd do a full hunt for signs of a rootkit. When in
> doubt (especially if there are ony a few people on your system),
> I'd just load a new OS and migrate the user data over to it.


Now you've got me worried. What would signs of a rootkit be? I thought 
reinstalling shadow had put everything right, but there are still hiccups. 
For example, although I can now su again --that is, it now recognises the 
password-- if I give the wrong password I still get just 'sorry'. Lilo 
failed to load again and I have had to reinstall it. And I get a very 
strange message in my user .xsession-errors file. It says:
'stderr is not a tty - where are you?'
Do I assume the worst?
For what it's worth, GRC reports most ports as stealthed and 113 IDENT and 
5000 UPnP as closed.
TIA,
Andrew
 
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Ray Olszewski]

At 12:20 PM 7/15/2003 +0200, Andrew Langdon-Davies wrote:
>On Mon, 14 Jul 2003 15:39:01 -0700, Stephen Samuel <samuel@bcgreen.com> wrote:
>
>>It sounds to me like you've been rooted, and somebody installed
>>a trojan.  I'd do a full hunt for signs of a rootkit. When in
>>doubt (especially if there are ony a few people on your system),
>>I'd just load a new OS and migrate the user data over to it.
>
>
>Now you've got me worried.

I don't want to sound like Pollyanna, but interpreting your initial trouble 
report as evidence of a breakin seems to me like an enormous leap. I didn't 
see Stephen's full reply (was it sent to the list? I can't find it here), 
but I would encourage him to explain *why* he interprets the report as an 
indication that "you've been rooted, and somebody installed a trojan". 
Especially when your initial report indicated that you had installed an 
unspecified number of unnamed packages (including one that require you to 
use a forcing parameter to install) recently.

>What would signs of a rootkit be?

Tough question. Rootkits are designed to hide themselves, so a well-written 
one would leave no signs. There was a good set of articles on intrustion 
detection about a year ago in Dr. Dobbs Journal, but they are probably not 
frely available online anywhere. Generally, you need to examine your system 
for instances of anomalous behavior, pretty much what you are already doing.

I would not associate *failure* of the "su" program with use of a rootkit 
... at least not a *good* rootkit. It isn't being very stealthy, after all. 
Nor does it deny you root access to the system.

>I thought reinstalling shadow had put everything right, but there are 
>still hiccups. For example, although I can now su again --that is, it now 
>recognises the password-- if I give the wrong password I still get just 
>'sorry'.

I presume you mean "Sorry." This is not a quibble; it is an example of the 
kind of thing (a capitalization difference, and a missing period) you look 
for to spot a (clumsy) trojan. But whether your result matches what Richard 
and I expect matters less than whether it has changed from what it used to 
do (or, if you don't remember, what a similar Slackware system normally 
does). Linux systems do vary in their details, and I don't run Slackware 
here, so expecting my responses to match yours *exactly* is too much to ask 
... certainly not a justification for reinstalling the OS.

Do you recall if you used to get a response more like the one Richard and I 
posted here? If you did, and now it is different, this change means either 
you inadvertantly changed something, or someone else deliberately changed 
something.

>Lilo failed to load again and I have had to reinstall it.

Without details of your setup, this one is impossible to diagnose. But why 
would a rootkit mess with the bootloader?

>And I get a very strange message in my user .xsession-errors file. It says:
>'stderr is not a tty - where are you?'

Context, please. Is that the full line? How do you normally run X? What userid?

>Do I assume the worst?
>For what it's worth, GRC reports most ports as stealthed and 113 IDENT and 
>5000 UPnP as closed.

Does it report ANY ports as open? What does "netstat -ln" report?

What sort of Internet connection do you have? Do other users have physical 
access to the system, or remote access to shell accounts? What services do 
you normally run? Are you keeping up to date on security patches for 
Slackware? Do your logs show anything unusual? Are there any implausible 
logins (reported by "last")? Do you run an iptables-based (or ipchains-) 
firewall on the system (or does the system run behind a NAT'ing firewall)? 
What kernel, and it is patched for the recent rash of kernel-level security 
problems I saw reported (on the debian-security list)?

You need not post the answers to these questions. (Though feel free to do 
so if you like.)  I offer them as the kinds fo questions one asks when 
evaluating the likelihood of a breakin.



-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Andrew Langdon-Davies]

>>> It sounds to me like you've been rooted, and somebody installed
>>> a trojan.  I'd do a full hunt for signs of a rootkit. When in
>>> doubt (especially if there are ony a few people on your system),
>>> I'd just load a new OS and migrate the user data over to it.
>
> I don't want to sound like Pollyanna, but interpreting your initial 
> trouble report as evidence of a breakin seems to me like an enormous 
> leap.
>> I thought reinstalling shadow had put everything right, but there are 
>> still hiccups. For example, although I can now su again --that is, it 
>> now recognises the password-- if I give the wrong password I still get 
>> just 'sorry'.
>
> I presume you mean "Sorry."

I do indeed.

> Do you recall if you used to get a response more like the one Richard and 
> I posted here?

I can't remember. In a similar situation Slackware 7.1 does give a longer 
response.

>> Lilo failed to load again and I have had to reinstall it.
>
> Without details of your setup, this one is impossible to diagnose. But 
> why would a rootkit mess with the bootloader?

I'll leave that one till I've had a chance to try it again.
>
>> And I get a very strange message in my user .xsession-errors file. It 
>> says:
>> 'stderr is not a tty - where are you?'
>
> Context, please. Is that the full line? How do you normally run X? What 
> userid?
This one bugs me a bit. That's the complete message. It turns up twice 
(repeated) in the .xsession-errors file in my home directory. X is started 
by xdm from rc.4. It starts with a login screen and I log in as normal 
user. I use the Window Maker window manager.

>
>> GRC reports most ports as stealthed and 113 IDENT and 5000 UPnP as 
>> closed.
>
> Does it report ANY ports as open?
No

What does "netstat -ln" report?
Nothing that looks suspicious to me, but I'll study the manual first of 
all.
One more thing: as normal user I also found I couldn't mount floppies or 
cds (in spite of the 'user' option in fstab) Reinstalling the util-linux 
packet has put that right. I think I put one very large foot in the works, 
nothing more sinister. No-one else has physical access to the system
Thanks for your help,
Andrew 
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Alan Bort]

Well... I think bash actually has a builtin su... so if you reinstall
bash (not a very big package anyway)... it might help. since you've
already installed shadow again...

Anyway... I agee with the (quote)'I'd just load a new OS and migrate the
user data over to it.'(/quote) idea...

El mar, 15-07-2003 a las 12:38, Andrew Langdon-Davies escribió:
> >>> It sounds to me like you've been rooted, and somebody installed
> >>> a trojan.  I'd do a full hunt for signs of a rootkit. When in
> >>> doubt (especially if there are ony a few people on your system),
> >>> I'd just load a new OS and migrate the user data over to it.
> >
> > I don't want to sound like Pollyanna, but interpreting your initial 
> > trouble report as evidence of a breakin seems to me like an enormous 
> > leap.
> >> I thought reinstalling shadow had put everything right, but there are 
> >> still hiccups. For example, although I can now su again --that is, it 
> >> now recognises the password-- if I give the wrong password I still get 
> >> just 'sorry'.
> >
> > I presume you mean "Sorry."
> 
> I do indeed.
> 
> > Do you recall if you used to get a response more like the one Richard and 
> > I posted here?
> 
> I can't remember. In a similar situation Slackware 7.1 does give a longer 
> response.
> 
> >> Lilo failed to load again and I have had to reinstall it.
> >
> > Without details of your setup, this one is impossible to diagnose. But 
> > why would a rootkit mess with the bootloader?
> 
> I'll leave that one till I've had a chance to try it again.
> >
> >> And I get a very strange message in my user .xsession-errors file. It 
> >> says:
> >> 'stderr is not a tty - where are you?'
> >
> > Context, please. Is that the full line? How do you normally run X? What 
> > userid?
> This one bugs me a bit. That's the complete message. It turns up twice 
> (repeated) in the .xsession-errors file in my home directory. X is started 
> by xdm from rc.4. It starts with a login screen and I log in as normal 
> user. I use the Window Maker window manager.
> 
> >
> >> GRC reports most ports as stealthed and 113 IDENT and 5000 UPnP as 
> >> closed.
> >
> > Does it report ANY ports as open?
> No
> 
> What does "netstat -ln" report?
> Nothing that looks suspicious to me, but I'll study the manual first of 
> all.
> One more thing: as normal user I also found I couldn't mount floppies or 
> cds (in spite of the 'user' option in fstab) Reinstalling the util-linux 
> packet has put that right. I think I put one very large foot in the works, 
> nothing more sinister. No-one else has physical access to the system
> Thanks for your help,
> Andrew 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
-- 
Alan Bort
Linux Registered User 298277 -Country Manager- [http://counter.li.org]
[ http://www.linuxquestions.org ] Username: Ciccio
[ http://es.tldp.org ]
Ciccio.-

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Mr. James W. Laferriere]

	Hello Alan ,

On Tue, 15 Jul 2003, Alan Bort wrote:
> Well... I think bash actually has a builtin su... so if you reinstall
	Fyi ,  bash (as of 2.05b.0(1)-release) does not have a builtin
	of "su" .  try typing 'help' at the bash shell prompt for one .
	Then just do either (or both) "man bash" or "info bash" .

> bash (not a very big package anyway)... it might help. since you've
> already installed shadow again...
>
> Anyway... I agee with the (quote)'I'd just load a new OS and migrate the
> user data over to it.'(/quote) idea...
	Now here I'd probably agree IF there is even the slightest doubt
	that the system may have been compromised ,  Clear it & start
	fresh .  Be extremely careful of re-applying the user(s) data .
		Hth ,  JimL
...snip...
-- 
       +------------------------------------------------------------------+
       | James   W.   Laferriere | System    Techniques | Give me VMS     |
       | Network        Engineer |     P.O. Box 854     |  Give me Linux  |
       | babydr@baby-dragons.com | Coudersport PA 16915 |   only  on  AXP |
       +------------------------------------------------------------------+
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Andrew Langdon-Davies]

> 	Now here I'd probably agree IF there is even the slightest doubt
> 	that the system may have been compromised ,  Clear it & start
> 	fresh .  Be extremely careful of re-applying the user(s) data .
> 		Hth ,  JimL
> ...snip...
I know this is a very wide-open question, but how likely really is it that 
my system has been compromised? I use a coyote firewall on a dedicated 486 
with a dial-up ppp connection. I connect a few hours every day and I 
actually switch off the modem at night. There are two machines behind the 
coyote and only one is giving signs of anything odd (the one I was messing 
about on the other day just before the problems started).
By the way, Lilo is behaving perfectly again.
But what about the
'stderr is not a tty - where are you?'
???
TY
Andrew


-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Ray Olszewski]

At 08:20 PM 7/15/2003 +0200, Andrew Langdon-Davies wrote:

>>         Now here I'd probably agree IF there is even the slightest doubt
>>         that the system may have been compromised ,  Clear it & start
>>         fresh .  Be extremely careful of re-applying the user(s) data .
>>                 Hth ,  JimL
>>...snip...
>I know this is a very wide-open question, but how likely really is it that 
>my system has been compromised? I use a coyote firewall on a dedicated 486 
>with a dial-up ppp connection. I connect a few hours every day and I 
>actually switch off the modem at night. There are two machines behind the 
>coyote and only one is giving signs of anything odd (the one I was messing 
>about on the other day just before the problems started).

You are right to ask this question. "Reinstall the OS" is easy to say, but 
time-consuming to do. Especially if the system is at all customized (and 
what system isn't?).

Assuming the machines are physically secure (so we can rule out a *local* 
compromise ... you don't say if, for example, you have a teen-ager in the 
house), the likelihood of a compromise in this setting is extremely low. 
Your IP address probably changes every time you connect. Unless you are 
forwarding ports from the router to the Slackware host, no off-site machine 
an initiate a connection to that host, even if something on the Slackware 
host is listening (the NAT prevents it).

Unaddresed possibilities do include:

1. That you somehow were tricked into downloading and installing a trojan 
app on the Slackware host. This is unlikely if you've stuck to "official" 
Slackware update sites, and not even all that likely if you've downloaded 
the sourcve of well-known apps from their sites and installed them. But if 
you installed anything obscure, consider it carefully.

2. You don't say what the other system is, so I'll assume the worst, that 
it runs Windows. Here, the potential for compromise is greater ... more 
trojans target Windows, and active-content capabilities in the core apps 
are an easy vector for contamination, and P2P and IM applications are good 
at making hols in firewalls. So there too, consider what has been 
downloaded. (Once any machine on the LAN is compromised, you have to allow 
for the possibility that it provided a path to compromise other machines.)

3. The Coyote firewall/router may have been compromised. I haven't looked 
at Coyote for years, so I don't know if it is keeping up with security 
patches. How risky this is depends on what the firewall/router runs, but 
risk candidates include kernel-level problems, BIND problems, ssh problems 
... that's what I can think of offhand.

None of us has the information needed to assess these risks. You do.

>By the way, Lilo is behaving perfectly again.
>But what about the
>'stderr is not a tty - where are you?'

I tried a few things here and could not get that message to turn up. But my 
Debian systems are different in detail from your Slackware system, so 
that's not definitive. Normally, whan you start X from a console (using 
startx, most often), both STDOUT and STDERR are mapped to that console. 
With xdm, there is no console to map them to, so an xdm start **might** 
generate that sort of message (does your xdm have a small window, probably 
in the lower right, that logs info? if not, this guess gets more 
convincing). Or they might be an old leftover of some time when that userid 
tried to start X in some way that did not work. But the really odd thing is 
that there is no reason why STDERR *should* be a tty; it is common to 
redirect STDERR to a file (in fact, it is a common practice when debugging 
X problems). So the message is, in a way, objecting to a commonplace practice.

In the absence of something else suggestive (and the other symptoms you've 
discussed here do not count), I would disregard this one.



-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Andrew Langdon-Davies]

>>
>> Unaddresed possibilities do include:
>>
>> 1. That you somehow were tricked into downloading and installing a 
>> trojan app on the Slackware host. This is unlikely if you've stuck to 
>> "official" Slackware update sites, and not even all that likely if 
>> you've downloaded the sourcve of well-known apps from their sites and 
>> installed them. But if you installed anything obscure, consider it 
>> carefully.
> I'll check that out.
>>
>> 2. You don't say what the other system is, so I'll assume the worst, 
>> that it runs Windows.
> Mandrake 9.0. There's a WinXP installation on it but I haven't run it for 
> months.
>>
>> 3. The Coyote firewall/router may have been compromised. I haven't 
>> looked at Coyote for years, so I don't know if it is keeping up with 
>> security patches. How risky this is depends on what the firewall/router 
>> runs, but risk candidates include kernel-level problems, BIND problems, 
>> ssh problems ... that's what I can think of offhand.
> I'll check that out too.
>>
>>> 'stderr is not a tty - where are you?'
>>
>> With xdm, there is no console to map them to, so an xdm start **might** 
>> generate that sort of message (does your xdm have a small window, 
>> probably in the lower right, that logs info?
> No
> if not, this guess gets more
>> convincing). Or they might be an old leftover of some time when that 
>> userid tried to start X in some way that did not work. But the really 
>> odd thing is that there is no reason why STDERR *should* be a tty; it is 
>> common to redirect STDERR to a file (in fact, it is a common practice 
>> when debugging X problems). So the message is, in a way, objecting to a 
>> commonplace practice.
> More info:
> cat lastlog:
> ~?tty30?pts/1(fqdn Mandrake9.0 machine)sh-2.05b$
> The file is 292292 bytes. This message could have something to do with a 
> tunnel I was trying at a time when the Slackware host was running a 
> different (Suse) installation. Right?
> cat faillog:
> pts/0ü
> ?tty5
> 1/4?
> (The 1/4 actually appears in small script without the slash). The file is 
> 24024 bytes.
> Translation anyone?
> TIA,
> Andrew
>



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Ray Olszewski]

At 01:06 PM 7/15/2003 -0400, Alan Bort wrote:
>Well... I think bash actually has a builtin su... so if you reinstall
>bash (not a very big package anyway)... it might help. since you've
>already installed shadow again...

On what basis do you think this to be true?

  I've never heard of such a capability in bash, and implementing it would 
(at least on today's systems, ones with passwords in /etc/shadow) introduce 
some security problems that a standalone su can minimize, if not eliminate.

Just to double check, I searched an online version of the bash man page for 
the string "su". It never appears, except as part of words like "subshell" 
and "substitute".

I hesitate actually to say that you are wrong, Alan, because it is always 
possible that I missed something. But I do think it worth asking how 
well-based your belief is.



-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Stephen Samuel]

I haven't had the timer for a full report, but, althought I'm not
CLEAR that his box has been rooted, things like minor changes to
su, and other wierd things failing are signs of a rootkit (yes,
a clumsy one) being installed.  Having su suddenly start to
give different messages is a sign  that SOMEBODY has changed
SOMETHING.

If you can't show that you changed it, then you have to presume
that somebody else has.

At the very least, I think he should run something like chkrootkit to see
if any well-known root kit is being used.

Alan Bort wrote:
> Well... I think bash actually has a builtin su... so if you reinstall
> bash (not a very big package anyway)... it might help. since you've
> already installed shadow again...
> 
> Anyway... I agee with the (quote)'I'd just load a new OS and migrate the
> user data over to it.'(/quote) idea...
> 
> El mar, 15-07-2003 a las 12:38, Andrew Langdon-Davies escribió:
> 
>>>>>It sounds to me like you've been rooted, and somebody installed
>>>>>a trojan.  I'd do a full hunt for signs of a rootkit. When in
>>>>>doubt (especially if there are ony a few people on your system),
>>>>>I'd just load a new OS and migrate the user data over to it.
>>>
>>>I don't want to sound like Pollyanna, but interpreting your initial 
>>>trouble report as evidence of a breakin seems to me like an enormous 
>>>leap.
>>>
>>>>I thought reinstalling shadow had put everything right, but there are 
>>>>still hiccups. For example, although I can now su again --that is, it 
>>>>now recognises the password-- if I give the wrong password I still get 
>>>>just 'sorry'.


-- 
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
		   http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
        the jewel within each person and bring it to life.

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[Andrew Langdon-Davies]

On Wed, 16 Jul 2003 18:11:10 -0700, Stephen Samuel <samuel@bcgreen.com> 
wrote:

> I haven't had the timer for a full report, but, althought I'm not
> CLEAR that his box has been rooted, things like minor changes to
> su, and other wierd things failing are signs of a rootkit (yes,
> a clumsy one) being installed.  Having su suddenly start to
> give different messages is a sign  that SOMEBODY has changed
> SOMETHING.

It's not actually certain it has.

> At the very least, I think he should run something like chkrootkit to see
> if any well-known root kit is being used.

I've taken your advice here and the only possible anomaly it comes up with 
is "Warning: '//root/.sc_history' file size is zero".
All the rest is "nothing found", "not infected", "nothing detected", "not 
found", and "nothing deleted". Search for uspicious files and directories 
turns up 2 .packlist files, which I gather is fairly normal. One is 
identical to the one on the installation CD and the other corresponds with 
the Foo-matic packet I installed.
Now can I relax and have a beer?
Thanks,
Andrew
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: su fails

[beolach]

--- Ray Olszewski <ray@comarre.com> wrote:
>>
>>I thought reinstalling shadow had put everything right, but there are
>>still hiccups. For example, although I can now su again --that is, it
>>now
>>recognises the password-- if I give the wrong password I still get
>>just 'sorry'.
>
>I presume you mean "Sorry." This is not a quibble; it is an example of >the 
>kind of thing (a capitalization difference, and a missing period) you >look 
>for to spot a (clumsy) trojan. But whether your result matches what >Richard 
>and I expect matters less than whether it has changed from what it used >to 
>do (or, if you don't remember, what a similar Slackware system normally 
>does). Linux systems do vary in their details, and I don't run >Slackware 
>here, so expecting my responses to match yours *exactly* is too much to >ask 
>... certainly not a justification for reinstalling the OS.


I am currently usung Slackware 9.0, and on my (I'm pretty sure)
uncomprommised system a su failure only outputs "Sorry."  So I think
that this is normal for Slackware.

My brother is having a vaguely similar problem to this, but he is
unable to sign in as any non-root user, either through normal login,
su, or anything else.  I don't remember all of the details, and he
refuses to stop playing games (under M$ Windows :( ), so I can't really
ask for much help.  Once I can get the details from him, I'll start a
new thread.

Thank's in advance,
Conway S. Smith

________________________________________________________________
The best thing to hit the internet in years - Juno SpeedBand!
Surf the web up to FIVE TIMES FASTER!
Only $14.95/ month - visit www.juno.com to sign up today!
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs