* su fails
From: Andrew Langdon-Davies @ 2003-07-14 11:04 UTC
To: linux-newbie

As of a few days ago, when I do 'su' and enter the password at the prompt I get turned down with the reply 'Sorry'. I can log in normally as either root or normal user. I have tried changing passwords but it makes no difference. It happens in text mode and with X running. This is Slackware 9.0 with windowmaker.

Is it possible something got messed up when I tried (unsuccessfully) to install Alsa the other day? I compiled, installed and removed several packets, including an rpm packet of modules using the nodeps option.

Another thing that stopped working at about the same time was Lilo, which was on the root partition and now will only work from anywhere but there. From the root partition now I get the Lilo/Windows menu followed by a blank screen if I select Lilo. Windows works OK. I have no problems if I install Lilo on the MBR or a floppy.

So far, everything else seems to be working all right.

Sorry if this sounds a bit vague but I'm rather mystified myself.

TIA
Andrew

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
* Re: su fails
From: Ray Olszewski @ 2003-07-14 15:15 UTC
To: linux-newbie

At 01:04 PM 7/14/2003 +0200, Andrew Langdon-Davies wrote:
>As of a few days ago, when I do 'su' and enter the password at the prompt
>I get turned down with the reply 'Sorry'.

Does it say *only* "Sorry" or actually something like this (note the extra line):

autovcr@kuryakin:~$ su
Password:
su: Authentication failure
Sorry.
autovcr@kuryakin:~$

> I can login normally as either root or normal user. I have tried
> changing passwords but it makes no difference. It happens in text mode
> and with X running. This is Slackware 9.0 with windowmaker.

In my experience, a problem like this one (occurring in isolation) usually means a PAM problem. I don't know how Slackware has PAM set up, but Debian does it with a directory called /etc/pam.d . Look there (or somewhere equivalent on Slackware) for an entry for "su" that tells PAM how to handle password requests from the su program. See if it got messed up somehow.

>Is it possible something got messed up when I tried (unsuccessfully) to
>install Alsa the other day? I compiled, installed and removed several
>packets, including an rpm packet of modules using the nodeps option.

Possible? Of course, though offhand I cannot see why ALSA would have any effect on encryption issues. So I'd guess not *likely* ... though I'd feel more confident about that guess if I knew what the "several packets" were, and especially what the anonymous "rpm packet of modules using the nodeps option" actually was.

>Another thing that stopped working at about the same time was Lilo, which
>was on the root partition and now will only work from anywhere but there.
> From the root partition now I get the Lilo/Windows menu followed by a
> blank screen if I select Lilo. Windows works OK. I have no problems if I
> install Lilo on the MBR or a floppy.

Do you mean lilo the Linux application (used to install and configure the bootloader) or lilo the bootloader itself (usually installed in the MBR of hda)?

If we are talking about the bootloader failing ... did you run the (Linux) "lilo" command anywhere along the way as part of your setup change? Or did you do any BIOS fiddling? Or did you make any changes to your kernel (since you mention ALSA, this seems at least plausible) then *not* run the (Linux) lilo command to update the bootloader? Is the information in /etc/lilo.conf accurate?

If we are talking about the application failing ... please describe what you do in more detail.

>So far, everything else seems to be working all right.
>Sorry if this sounds a bit vague but I'm rather mystified myself.

I'm afraid it does seem vague. I hope my questions at least serve to clarify the problem description, even if they do not directly lead you to a solution.
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-14 17:52 UTC
To: linux-newbie

------- Forwarded message -------

Oops, Sorry

> On Mon, 14 Jul 2003 08:15:00 -0700, Ray Olszewski <ray@comarre.com>
> wrote:
>
>> At 01:04 PM 7/14/2003 +0200, Andrew Langdon-Davies wrote:
>>
>>> As of a few days ago, when I do 'su' and enter the password at the
>>> prompt I get turned down with the reply 'Sorry'.
>>
>> Does it say *only* "Sorry" or actually something like this (note the
>> extra line):
>>
>> autovcr@kuryakin:~$ su
>> Password:
>> su: Authentication failure
>> Sorry.
>> autovcr@kuryakin:~$
>
> It says only "Sorry"
>
>> In my experience, a problem like this one (occurring in isolation)
>> usually means a PAM problem.
>
> OK. Can't see anything like it. But I've reinstalled the shadow packet
> and that has corrected the problem. Actually, I'd already tried that but
> I think the other time I didn't uninstall the old one first.
>
> The lilo bit is not actually a problem as it is working fine from the
> MBR. But just for the record, it was originally installed on the linux
> root partition, /dev/hda2. When the su problem turned up, one thing I did
> was reboot (that shows I'm an ex-Windows user!). At the red box with the
> menu I chose Linux and the monitor went blank and then powered down. It
> did the same every time. I booted with a rescue disk, ran fsck, checked
> fstab and lilo.conf, ran lilo, reconfigured with liloconfig, tried
> rebooting again after each change, first running lilo each time, to no
> avail. Then I tried installing lilo on a floppy, which worked, so then I
> installed it on the MBR. As that works fine I'm leaving it alone for now.
> It would be nice to know what happened, though.
> Thanks anyway,
> Andrew

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
* Re: su fails
From: pa3gcu @ 2003-07-14 18:23 UTC
To: Andrew Langdon-Davies, linux-newbie

On Monday 14 July 2003 19:52, Andrew Langdon-Davies wrote:
> >> su: Authentication failure
> >> Sorry.
> >> autovcr@kuryakin:~$
> >
> > It says only "Sorry"
> >

NO it does not, it says, "Authentication failure" and then sorry.

I have encountered a similar problem years ago, my problem was caused by a disk that was 100% full. It may seem strange but AFAI see it, if the disk is full syslog(d) cannot write to /var/log/syslog and rejects connections, at least that is what I believe happened to me.

-- 
If the Linux community is a bunch of thieves because they try to imitate windows programs, then the Windows community is built on organized crime.

Regards
Richard
pa3gcu@zeelandnet.nl
http://people.zeelandnet.nl/pa3gcu/
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-14 18:48 UTC
To: linux-newbie

>> >
>> > It says only "Sorry"
>> >
>
> NO it does not, it says, "Authentication failure" and then sorry.
>

I can assure you, sir, in spite of your block capitals, that it said just "Sorry". Which also surprised me, I may say, and attracted Mr Olszewski's attention too. I thought at the time it was a touch curt by Linux standards. But, as I say, I reinstalled shadow and it is now back to normal. So let us let bygones be bygones as I have no intention of reproducing the error to prove what I say.

Thanks for taking the trouble to write.

Andrew
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-15 10:20 UTC
To: linux-newbie

On Mon, 14 Jul 2003 15:39:01 -0700, Stephen Samuel <samuel@bcgreen.com> wrote:

> It sounds to me like you've been rooted, and somebody installed
> a trojan. I'd do a full hunt for signs of a rootkit. When in
> doubt (especially if there are only a few people on your system),
> I'd just load a new OS and migrate the user data over to it.

Now you've got me worried. What would signs of a rootkit be?

I thought reinstalling shadow had put everything right, but there are still hiccups. For example, although I can now su again --that is, it now recognises the password-- if I give the wrong password I still get just 'sorry'. Lilo failed to load again and I have had to reinstall it. And I get a very strange message in my user .xsession-errors file. It says:
'stderr is not a tty - where are you?'

Do I assume the worst?

For what it's worth, GRC reports most ports as stealthed and 113 IDENT and 5000 UPnP as closed.

TIA,
Andrew
* Re: su fails
From: Ray Olszewski @ 2003-07-15 15:13 UTC
To: linux-newbie

At 12:20 PM 7/15/2003 +0200, Andrew Langdon-Davies wrote:
>On Mon, 14 Jul 2003 15:39:01 -0700, Stephen Samuel <samuel@bcgreen.com> wrote:
>
>>It sounds to me like you've been rooted, and somebody installed
>>a trojan. I'd do a full hunt for signs of a rootkit. When in
>>doubt (especially if there are only a few people on your system),
>>I'd just load a new OS and migrate the user data over to it.
>
>Now you've got me worried.

I don't want to sound like Pollyanna, but interpreting your initial trouble report as evidence of a breakin seems to me like an enormous leap. I didn't see Stephen's full reply (was it sent to the list? I can't find it here), but I would encourage him to explain *why* he interprets the report as an indication that "you've been rooted, and somebody installed a trojan". Especially when your initial report indicated that you had installed an unspecified number of unnamed packages (including one that required you to use a forcing parameter to install) recently.

>What would signs of a rootkit be?

Tough question. Rootkits are designed to hide themselves, so a well-written one would leave no signs. There was a good set of articles on intrusion detection about a year ago in Dr. Dobbs Journal, but they are probably not freely available online anywhere. Generally, you need to examine your system for instances of anomalous behavior, pretty much what you are already doing.

I would not associate *failure* of the "su" program with use of a rootkit ... at least not a *good* rootkit. It isn't being very stealthy, after all. Nor does it deny you root access to the system.

>I thought reinstalling shadow had put everything right, but there are
>still hiccups. For example, although I can now su again --that is, it now
>recognises the password-- if I give the wrong password I still get just
>'sorry'.

I presume you mean "Sorry." This is not a quibble; it is an example of the kind of thing (a capitalization difference, and a missing period) you look for to spot a (clumsy) trojan. But whether your result matches what Richard and I expect matters less than whether it has changed from what it used to do (or, if you don't remember, what a similar Slackware system normally does). Linux systems do vary in their details, and I don't run Slackware here, so expecting my responses to match yours *exactly* is too much to ask ... certainly not a justification for reinstalling the OS.

Do you recall if you used to get a response more like the one Richard and I posted here? If you did, and now it is different, this change means either you inadvertently changed something, or someone else deliberately changed something.

>Lilo failed to load again and I have had to reinstall it.

Without details of your setup, this one is impossible to diagnose. But why would a rootkit mess with the bootloader?

>And I get a very strange message in my user .xsession-errors file. It says:
>'stderr is not a tty - where are you?'

Context, please. Is that the full line? How do you normally run X? What userid?

>Do I assume the worst?
>For what it's worth, GRC reports most ports as stealthed and 113 IDENT and
>5000 UPnP as closed.

Does it report ANY ports as open? What does "netstat -ln" report? What sort of Internet connection do you have? Do other users have physical access to the system, or remote access to shell accounts? What services do you normally run? Are you keeping up to date on security patches for Slackware? Do your logs show anything unusual? Are there any implausible logins (reported by "last")? Do you run an iptables-based (or ipchains-) firewall on the system (or does the system run behind a NAT'ing firewall)? What kernel, and is it patched for the recent rash of kernel-level security problems I saw reported (on the debian-security list)?

You need not post the answers to these questions. (Though feel free to do so if you like.) I offer them as the kinds of questions one asks when evaluating the likelihood of a breakin.
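A check for the symptom Ray describes above (a system binary whose behaviour changed without anyone admitting to changing it), added here as an example and not taken from any message in this thread: a file of hashes for the setuid binaries, recorded while the system is known good and compared against the current files later. It assumes GNU coreutils sha256sum; the binary paths are illustrative.

```shell
#!/bin/sh
# Added example, not from this thread: a minimal hash baseline for the
# security-critical binaries the thread talks about (su, login, passwd).
# Create it when the system is known good and re-run the check whenever
# behaviour changes, as it did here with su's "Sorry" message.
# Assumes GNU coreutils sha256sum. The binary paths below are illustrative.

# Record one "hash  path" line for every listed file that exists.
baseline_create() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        if [ -f "$f" ]; then
            sha256sum "$f" >> "$out"
        fi
    done
    return 0
}

# Recompute each hash and report drift. Prints a CHANGED or MISSING line
# per file, returns 0 when everything still matches and 1 otherwise.
baseline_check() {
    base=$1
    rc=0
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            rc=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "CHANGED  $path"
            rc=1
        fi
    done < "$base"
    return "$rc"
}

# Typical use on a host (paths assumed; run as root so every file is readable):
#   baseline_create /root/suid-baseline.sha256 /bin/su /bin/login /usr/bin/passwd
#   ... after the change in behaviour ...
#   baseline_check /root/suid-baseline.sha256 && echo "no drift"
```

Keep a copy of the baseline off the host (a floppy or another machine in Andrew's setup), since a baseline stored on a compromised box can be rewritten along with the binaries it describes.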
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-15 16:38 UTC
To: linux-newbie

>>> It sounds to me like you've been rooted, and somebody installed
>>> a trojan. I'd do a full hunt for signs of a rootkit. When in
>>> doubt (especially if there are only a few people on your system),
>>> I'd just load a new OS and migrate the user data over to it.
>
> I don't want to sound like Pollyanna, but interpreting your initial
> trouble report as evidence of a breakin seems to me like an enormous
> leap.

>> I thought reinstalling shadow had put everything right, but there are
>> still hiccups. For example, although I can now su again --that is, it
>> now recognises the password-- if I give the wrong password I still get
>> just 'sorry'.
>
> I presume you mean "Sorry."

I do indeed.

> Do you recall if you used to get a response more like the one Richard and
> I posted here?

I can't remember. In a similar situation Slackware 7.1 does give a longer response.

>> Lilo failed to load again and I have had to reinstall it.
>
> Without details of your setup, this one is impossible to diagnose. But
> why would a rootkit mess with the bootloader?

I'll leave that one till I've had a chance to try it again.

>
>> And I get a very strange message in my user .xsession-errors file. It
>> says:
>> 'stderr is not a tty - where are you?'
>
> Context, please. Is that the full line? How do you normally run X? What
> userid?

This one bugs me a bit. That's the complete message. It turns up twice (repeated) in the .xsession-errors file in my home directory. X is started by xdm from rc.4. It starts with a login screen and I log in as normal user. I use the Window Maker window manager.

>
>> GRC reports most ports as stealthed and 113 IDENT and 5000 UPnP as
>> closed.
>
> Does it report ANY ports as open?

No

> What does "netstat -ln" report?

Nothing that looks suspicious to me, but I'll study the manual first of all.

One more thing: as normal user I also found I couldn't mount floppies or cds (in spite of the 'user' option in fstab). Reinstalling the util-linux packet has put that right. I think I put one very large foot in the works, nothing more sinister.

No-one else has physical access to the system.

Thanks for your help,
Andrew
* Re: su fails
From: Alan Bort @ 2003-07-15 17:06 UTC
To: Linux Newbie

Well... I think bash actually has a builtin su... so if you reinstall bash (not a very big package anyway)... it might help. since you've already installed shadow again...

Anyway... I agree with the (quote)'I'd just load a new OS and migrate the user data over to it.'(/quote) idea...

On Tue, 15-07-2003 at 12:38, Andrew Langdon-Davies wrote:
> >>> It sounds to me like you've been rooted, and somebody installed
> >>> a trojan. I'd do a full hunt for signs of a rootkit. When in
> >>> doubt (especially if there are only a few people on your system),
> >>> I'd just load a new OS and migrate the user data over to it.
> >
> > I don't want to sound like Pollyanna, but interpreting your initial
> > trouble report as evidence of a breakin seems to me like an enormous
> > leap.
>
> >> I thought reinstalling shadow had put everything right, but there are
> >> still hiccups. For example, although I can now su again --that is, it
> >> now recognises the password-- if I give the wrong password I still get
> >> just 'sorry'.
> >
> > I presume you mean "Sorry."
>
> I do indeed.
>
> > Do you recall if you used to get a response more like the one Richard and
> > I posted here?
>
> I can't remember. In a similar situation Slackware 7.1 does give a longer
> response.
>
> >> Lilo failed to load again and I have had to reinstall it.
> >
> > Without details of your setup, this one is impossible to diagnose. But
> > why would a rootkit mess with the bootloader?
>
> I'll leave that one till I've had a chance to try it again.
>
> >
> >> And I get a very strange message in my user .xsession-errors file. It
> >> says:
> >> 'stderr is not a tty - where are you?'
> >
> > Context, please. Is that the full line? How do you normally run X? What
> > userid?
>
> This one bugs me a bit. That's the complete message. It turns up twice
> (repeated) in the .xsession-errors file in my home directory. X is started
> by xdm from rc.4. It starts with a login screen and I log in as normal
> user. I use the Window Maker window manager.
>
> >
> >> GRC reports most ports as stealthed and 113 IDENT and 5000 UPnP as
> >> closed.
> >
> > Does it report ANY ports as open?
>
> No
>
> > What does "netstat -ln" report?
>
> Nothing that looks suspicious to me, but I'll study the manual first of
> all.
>
> One more thing: as normal user I also found I couldn't mount floppies or
> cds (in spite of the 'user' option in fstab). Reinstalling the util-linux
> packet has put that right. I think I put one very large foot in the works,
> nothing more sinister.
>
> No-one else has physical access to the system.
>
> Thanks for your help,
> Andrew

-- 
Alan Bort
Linux Registered User 298277
-Country Manager- [http://counter.li.org]
[ http://www.linuxquestions.org ]
Username: Ciccio [ http://es.tldp.org ]
Ciccio.-
* Re: su fails
From: Mr. James W. Laferriere @ 2003-07-15 17:26 UTC
To: Alan Bort; Cc: Linux Newbie

Hello Alan ,

On Tue, 15 Jul 2003, Alan Bort wrote:
> Well... I think bash actually has a builtin su... so if you reinstall

Fyi , bash (as of 2.05b.0(1)-release) does not have a builtin of "su" . try typing 'help' at the bash shell prompt for one . Then just do either (or both) "man bash" or "info bash" .

> bash (not a very big package anyway)... it might help. since you've
> already installed shadow again...
>
> Anyway... I agree with the (quote)'I'd just load a new OS and migrate the
> user data over to it.'(/quote) idea...

Now here I'd probably agree IF there is even the slightest doubt that the system may have been compromised , Clear it & start fresh . Be extremely careful of re-applying the user(s) data .

Hth , JimL

...snip...

-- 
+----------------------------------------------------------------+
| James W. Laferriere     | System Techniques    | Give me VMS   |
| Network Engineer        | P.O. Box 854         | Give me Linux |
| babydr@baby-dragons.com | Coudersport PA 16915 | only on AXP   |
+----------------------------------------------------------------+
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-15 18:20 UTC
To: linux-newbie

> Now here I'd probably agree IF there is even the slightest doubt
> that the system may have been compromised , Clear it & start
> fresh . Be extremely careful of re-applying the user(s) data .
> Hth , JimL
> ...snip...

I know this is a very wide-open question, but how likely really is it that my system has been compromised? I use a coyote firewall on a dedicated 486 with a dial-up ppp connection. I connect a few hours every day and I actually switch off the modem at night. There are two machines behind the coyote and only one is giving signs of anything odd (the one I was messing about on the other day just before the problems started).

By the way, Lilo is behaving perfectly again.

But what about the 'stderr is not a tty - where are you?' ???

TY
Andrew

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
* Re: su fails
From: Ray Olszewski @ 2003-07-15 19:37 UTC
To: linux-newbie

At 08:20 PM 7/15/2003 +0200, Andrew Langdon-Davies wrote:
>> Now here I'd probably agree IF there is even the slightest doubt
>> that the system may have been compromised , Clear it & start
>> fresh . Be extremely careful of re-applying the user(s) data .
>> Hth , JimL
>>...snip...

>I know this is a very wide-open question, but how likely really is it that
>my system has been compromised? I use a coyote firewall on a dedicated 486
>with a dial-up ppp connection. I connect a few hours every day and I
>actually switch off the modem at night. There are two machines behind the
>coyote and only one is giving signs of anything odd (the one I was messing
>about on the other day just before the problems started).

You are right to ask this question. "Reinstall the OS" is easy to say, but time-consuming to do. Especially if the system is at all customized (and what system isn't?).

Assuming the machines are physically secure (so we can rule out a *local* compromise ... you don't say if, for example, you have a teen-ager in the house), the likelihood of a compromise in this setting is extremely low. Your IP address probably changes every time you connect. Unless you are forwarding ports from the router to the Slackware host, no off-site machine can initiate a connection to that host, even if something on the Slackware host is listening (the NAT prevents it).

Unaddressed possibilities do include:

1. That you somehow were tricked into downloading and installing a trojan app on the Slackware host. This is unlikely if you've stuck to "official" Slackware update sites, and not even all that likely if you've downloaded the source of well-known apps from their sites and installed them. But if you installed anything obscure, consider it carefully.

2. You don't say what the other system is, so I'll assume the worst, that it runs Windows. Here, the potential for compromise is greater ... more trojans target Windows, and active-content capabilities in the core apps are an easy vector for contamination, and P2P and IM applications are good at making holes in firewalls. So there too, consider what has been downloaded. (Once any machine on the LAN is compromised, you have to allow for the possibility that it provided a path to compromise other machines.)

3. The Coyote firewall/router may have been compromised. I haven't looked at Coyote for years, so I don't know if it is keeping up with security patches. How risky this is depends on what the firewall/router runs, but risk candidates include kernel-level problems, BIND problems, ssh problems ... that's what I can think of offhand.

None of us has the information needed to assess these risks. You do.

>By the way, Lilo is behaving perfectly again.
>But what about the
>'stderr is not a tty - where are you?'

I tried a few things here and could not get that message to turn up. But my Debian systems are different in detail from your Slackware system, so that's not definitive.

Normally, when you start X from a console (using startx, most often), both STDOUT and STDERR are mapped to that console. With xdm, there is no console to map them to, so an xdm start **might** generate that sort of message (does your xdm have a small window, probably in the lower right, that logs info? if not, this guess gets more convincing). Or they might be an old leftover of some time when that userid tried to start X in some way that did not work.

But the really odd thing is that there is no reason why STDERR *should* be a tty; it is common to redirect STDERR to a file (in fact, it is a common practice when debugging X problems). So the message is, in a way, objecting to a commonplace practice. In the absence of something else suggestive (and the other symptoms you've discussed here do not count), I would disregard this one.
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-16 8:55 UTC
To: linux-newbie

>>
>> Unaddressed possibilities do include:
>>
>> 1. That you somehow were tricked into downloading and installing a
>> trojan app on the Slackware host. This is unlikely if you've stuck to
>> "official" Slackware update sites, and not even all that likely if
>> you've downloaded the source of well-known apps from their sites and
>> installed them. But if you installed anything obscure, consider it
>> carefully.
>
> I'll check that out.
>
>>
>> 2. You don't say what the other system is, so I'll assume the worst,
>> that it runs Windows.
>
> Mandrake 9.0. There's a WinXP installation on it but I haven't run it for
> months.
>
>>
>> 3. The Coyote firewall/router may have been compromised. I haven't
>> looked at Coyote for years, so I don't know if it is keeping up with
>> security patches. How risky this is depends on what the firewall/router
>> runs, but risk candidates include kernel-level problems, BIND problems,
>> ssh problems ... that's what I can think of offhand.
>
> I'll check that out too.
>
>>
>>> 'stderr is not a tty - where are you?'
>>
>> With xdm, there is no console to map them to, so an xdm start **might**
>> generate that sort of message (does your xdm have a small window,
>> probably in the lower right, that logs info?
>
> No
>
>> if not, this guess gets more
>> convincing). Or they might be an old leftover of some time when that
>> userid tried to start X in some way that did not work. But the really
>> odd thing is that there is no reason why STDERR *should* be a tty; it is
>> common to redirect STDERR to a file (in fact, it is a common practice
>> when debugging X problems). So the message is, in a way, objecting to a
>> commonplace practice.
>
> More info:
>
> cat lastlog:
> ~?tty30?pts/1(fqdn Mandrake9.0 machine)sh-2.05b$
>
> The file is 292292 bytes. This message could have something to do with a
> tunnel I was trying at a time when the Slackware host was running a
> different (Suse) installation. Right?
>
> cat faillog:
> pts/0ü
> ?tty5
> 1/4?
>
> (The 1/4 actually appears in small script without the slash). The file is
> 24024 bytes.
>
> Translation anyone?
>
> TIA,
> Andrew
>

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
* Re: su fails
From: Ray Olszewski @ 2003-07-15 17:29 UTC
To: linux-newbie
At 01:06 PM 7/15/2003 -0400, Alan Bort wrote:
>Well... I think bash actually has a builtin su... so if you reinstall
>bash (not a very big package anyway)... it might help. since you've
>already installed shadow again...
On what basis do you think this to be true? I've never heard of such a
capability in bash, and implementing it would (at least on today's
systems, ones with passwords in /etc/shadow) introduce some security
problems that a standalone su can minimize, if not eliminate.
Just to double check, I searched an online version of the bash man page
for the string "su". It never appears, except as part of words like
"subshell" and "substitute".
I hesitate actually to say that you are wrong, Alan, because it is always
possible that I missed something. But I do think it worth asking how
well-based your belief is.
* Re: su fails
From: Stephen Samuel @ 2003-07-17 1:11 UTC
To: 333101, linux-newbie
I haven't had the time for a full report, but, although I'm not CLEAR
that his box has been rooted, things like minor changes to su, and other
weird things failing are signs of a rootkit (yes, a clumsy one) being
installed. Having su suddenly start to give different messages is a sign
that SOMEBODY has changed SOMETHING. If you can't show that you changed
it, then you have to presume that somebody else has.
At the very least, I think he should run something like chkrootkit to see
if any well-known root kit is being used.
Alan Bort wrote:
> Well... I think bash actually has a builtin su... so if you reinstall
> bash (not a very big package anyway)... it might help. since you've
> already installed shadow again...
>
> Anyway... I agree with the (quote)'I'd just load a new OS and migrate the
> user data over to it.'(/quote) idea...
>
> On Tue, 15-07-2003 at 12:38, Andrew Langdon-Davies wrote:
>
>>>>>It sounds to me like you've been rooted, and somebody installed
>>>>>a trojan. I'd do a full hunt for signs of a rootkit. When in
>>>>>doubt (especially if there are only a few people on your system),
>>>>>I'd just load a new OS and migrate the user data over to it.
>>>
>>>I don't want to sound like Pollyanna, but interpreting your initial
>>>trouble report as evidence of a breakin seems to me like an enormous
>>>leap.
>>>
>>>>I thought reinstalling shadow had put everything right, but there are
>>>>still hiccups. For example, although I can now su again --that is, it
>>>>now recognises the password-- if I give the wrong password I still get
>>>>just 'sorry'.
--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching the jewel within
each person and bring it to life.
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-17 10:55 UTC
To: linux-newbie
On Wed, 16 Jul 2003 18:11:10 -0700, Stephen Samuel <samuel@bcgreen.com> wrote:
> I haven't had the time for a full report, but, although I'm not
> CLEAR that his box has been rooted, things like minor changes to
> su, and other weird things failing are signs of a rootkit (yes,
> a clumsy one) being installed. Having su suddenly start to
> give different messages is a sign that SOMEBODY has changed
> SOMETHING.
It's not actually certain it has.
> At the very least, I think he should run something like chkrootkit to see
> if any well-known root kit is being used.
I've taken your advice here and the only possible anomaly it comes up with
is "Warning: '//root/.sc_history' file size is zero". All the rest is
"nothing found", "not infected", "nothing detected", "not found", and
"nothing deleted". Search for suspicious files and directories turns up 2
.packlist files, which I gather is fairly normal. One is identical to the
one on the installation CD and the other corresponds with the Foo-matic
packet I installed.
Now can I relax and have a beer?
Thanks,
Andrew
* Re: su fails
From: beolach @ 2003-07-15 18:08 UTC
To: linux-newbie
--- Ray Olszewski <ray@comarre.com> wrote:
>>
>>I thought reinstalling shadow had put everything right, but there are
>>still hiccups. For example, although I can now su again --that is, it
>>now
>>recognises the password-- if I give the wrong password I still get
>>just 'sorry'.
>
>I presume you mean "Sorry." This is not a quibble; it is an example of the
>kind of thing (a capitalization difference, and a missing period) you look
>for to spot a (clumsy) trojan. But whether your result matches what Richard
>and I expect matters less than whether it has changed from what it used to
>do (or, if you don't remember, what a similar Slackware system normally
>does). Linux systems do vary in their details, and I don't run Slackware
>here, so expecting my responses to match yours *exactly* is too much to ask
>... certainly not a justification for reinstalling the OS.
I am currently using Slackware 9.0, and on my (I'm pretty sure)
uncompromised system a su failure only outputs "Sorry." So I think
that this is normal for Slackware.
My brother is having a vaguely similar problem to this, but he is
unable to sign in as any non-root user, either through normal login,
su, or anything else. I don't remember all of the details, and he
refuses to stop playing games (under M$ Windows :( ), so I can't really
ask for much help. Once I can get the details from him, I'll start a
new thread.
Thanks in advance,
Conway S. Smith