* su fails
From: Andrew Langdon-Davies @ 2003-07-14 11:04 UTC (permalink / raw)
To: linux-newbie
As of a few days ago, when I do 'su' and enter the password at the prompt I
get turned down with the reply 'Sorry'. I can login normally as either root
or normal user. I have tried changing passwords but it makes no difference.
It happens in text mode and with X running. This is Slackware 9.0 with
windowmaker.
Is it possible something got messed up when I tried (unsuccessfully) to
install Alsa the other day? I compiled, installed and removed several
packets, including an rpm packet of modules using the nodeps option.
Another thing that stopped working at about the same time was Lilo, which
was on the root partition and now will only work from anywhere but there.
From the root partition now I get the Lilo/Windows menu followed by a blank
screen if I select Lilo. Windows works OK. I have no problems if I install
Lilo on the MBR or a floppy.
So far, everything else seems to be working all right.
Sorry if this sounds a bit vague but I'm rather mystified myself.
TIA
Andrew
--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
* Re: su fails
From: Ray Olszewski @ 2003-07-14 15:15 UTC (permalink / raw)
To: linux-newbie
At 01:04 PM 7/14/2003 +0200, Andrew Langdon-Davies wrote:
>As of a few days ago, when I do 'su' and enter the password at the prompt
>I get turned down with the reply 'Sorry'.
Does it say *only* "Sorry" or actually something like this (note the extra
line):
autovcr@kuryakin:~$ su
Password:
su: Authentication failure
Sorry.
autovcr@kuryakin:~$
> I can login normally as either root or normal user. I have tried
> changing passwords but it makes no difference. It happens in text mode
> and with X running. This is Slackware 9.0 with windowmaker.
In my experience, a problem like this one (occurring in isolation) usually
means a PAM problem. I don't know how Slackware has PAM set up, but Debian
does it with a directory called /etc/pam.d . Look there (or somewhere
equivalent on Slackware) for an entry for "su" that tells PAM how to handle
password requests from the su program. See if it got messed up somehow.
>Is it possible something got messed up when I tried (unsuccessfully) to
>install Alsa the other day? I compiled, installed and removed several
>packets, including an rpm packet of modules using the nodeps option.
Possible? Of course, though offhand I cannot see why ALSA would have any
effect on encryption issues. So I'd guess not *likely* ... though I'd feel
more confident about that guess if I knew what the "several packets" were,
and especially what the anonymous "rpm packet of modules using the nodeps
option" actually was.
>Another thing that stopped working at about the same time was Lilo, which
>was on the root partition and now will only work from anywhere but there.
> From the root partition now I get the Lilo/Windows menu followed by a
> blank screen if I select Lilo. Windows works OK. I have no problems if I
> install Lilo on the MBR or a floppy.
Do you mean lilo the Linux application (used to install and configure the
bootloader) or lilo the bootloader itself (usually installed in the MBR of
hda)?
If we are talking about the bootloader failing ... did you run the (Linux)
"lilo" command anywhere along the way as part of your setup change? Or did
you do any BIOS fiddling? Or did you make any changes to your kernel (since
you mention ALSA, this seems at least plausible) then *not* run the (Linux)
lilo command to update the bootloader? Is the information in /etc/lilo.conf
accurate?
If we are talking about the application failing ... please describe what
you do in more detail.
>So far, everything else seems to be working all right.
>Sorry if this sounds a bit vague but I'm rather mystified myself.
I'm afraid it does seem vague. I hope my questions at least serve to
clarify the problem description, even if they do not directly lead you to a
solution.
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-14 17:52 UTC (permalink / raw)
To: linux-newbie
------- Forwarded message -------
Oops, Sorry
> On Mon, 14 Jul 2003 08:15:00 -0700, Ray Olszewski <ray@comarre.com>
> wrote:
>
>> At 01:04 PM 7/14/2003 +0200, Andrew Langdon-Davies wrote:
>>
>>> As of a few days ago, when I do 'su' and enter the password at the
>>> prompt I get turned down with the reply 'Sorry'.
>>
>> Does it say *only* "Sorry" or actually something like this (note the
>> extra line):
>>
>> autovcr@kuryakin:~$ su
>> Password:
>> su: Authentication failure
>> Sorry.
>> autovcr@kuryakin:~$
>
> It says only "Sorry"
>
>> In my experience, a problem like this one (occurring in isolation)
>> usually means a PAM problem.
>
> OK. Can't see anything like it. But I've reinstalled the shadow packet
> and that has corrected the problem. Actually, I'd already tried that but
> I think the other time I didn't uninstall the old one first.
>
> The lilo bit is not actually a problem as it is working fine from the
> MBR. But just for the record, it was originally installed on the linux
> root partition, /dev/hda2. When the su problem turned up, one thing I did
> was reboot (that shows I'm an ex-Windows user!). At the red box with the
> menu I chose Linux and the monitor went blank and then powered down. It
> did the same every time. I booted with a rescue disk, ran fsck, checked
> fstab and lilo.conf, ran lilo, reconfigured with liloconfig, tried
> rebooting again after each change, first running lilo each time, to no
> avail. Then I tried installing lilo on a floppy, which worked, so then I
> installed it on the MBR. As that works fine I'm leaving it alone for now.
> It would be nice to know what happened, though.
> Thanks anyway,
> Andrew
* Re: su fails
From: pa3gcu @ 2003-07-14 18:23 UTC (permalink / raw)
To: Andrew Langdon-Davies, linux-newbie
On Monday 14 July 2003 19:52, Andrew Langdon-Davies wrote:
> >> su: Authentication failure
> >> Sorry.
> >> autovcr@kuryakin:~$
> >
> > It says only "Sorry"
> >
NO it does not; it says "Authentication failure" and then Sorry.
I encountered a similar problem years ago; my problem was caused by a disk
that was 100% full.
It may seem strange but as far as I see it, if the disk is full syslog(d)
cannot write to /var/log/syslog and rejects connections, at least that is
what I believe happened to me.
--
If the Linux community is a bunch of thieves because they
try to imitate windows programs, then the Windows community
is built on organized crime.
Regards Richard
pa3gcu@zeelandnet.nl
http://people.zeelandnet.nl/pa3gcu/
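Ray's advice to look at how PAM handles su, and Richard's theory of a full disk, both come down to a few checks on the machine itself. The script below is an added example, not code from anyone in this thread: it verifies the things a blanket "Sorry" from su most commonly traces back to (su not setuid root, an unreadable or world-readable shadow file, a missing or empty /etc/pam.d/su, a full log filesystem) and returns each problem it finds. The fixture it builds under a temporary directory, including the pam_unix line, is constructed for the demonstration; the script makes no claim about which of these, if any, applied to Andrew's Slackware box.

```python
"""Triage checks for an su that rejects every password (added example)."""
import os
import shutil
import stat
import tempfile


def check_su_setup(su_path, shadow_path, pam_dir, log_dir, expect_uid=0):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []

    # 1. su must be setuid and owned by root: without that it cannot read the
    #    shadow file, so every password is refused.
    try:
        st = os.stat(su_path)
    except FileNotFoundError:
        return [f"{su_path}: missing"]
    if not st.st_mode & stat.S_ISUID:
        findings.append(f"{su_path}: setuid bit is not set")
    if st.st_uid != expect_uid:
        findings.append(f"{su_path}: owned by uid {st.st_uid}, expected {expect_uid}")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{su_path}: world-writable")

    # 2. The shadow file must exist and must not be readable by everyone.
    try:
        sst = os.stat(shadow_path)
        if sst.st_mode & stat.S_IROTH:
            findings.append(f"{shadow_path}: world-readable")
    except FileNotFoundError:
        findings.append(f"{shadow_path}: missing")

    # 3. On a PAM system, the su service file must exist and contain directives.
    if os.path.isdir(pam_dir):
        svc = os.path.join(pam_dir, "su")
        if not os.path.isfile(svc):
            findings.append(f"{svc}: PAM service file for su is missing")
        else:
            with open(svc) as fh:
                active = [l for l in fh if l.strip() and not l.lstrip().startswith("#")]
            if not active:
                findings.append(f"{svc}: contains no directives")

    # 4. A full filesystem under the log directory starves syslog and friends.
    usage = shutil.disk_usage(log_dir)
    if usage.free < 1024 * 1024:
        findings.append(f"{log_dir}: filesystem is (nearly) full, {usage.free} bytes free")
    return findings


def build_fixture(root, setuid_ok=True):
    """Constructed fixture: a fake su, a shadow file and a pam.d directory under root."""
    su = os.path.join(root, "su")
    with open(su, "wb") as fh:
        fh.write(b"#!/bin/sh\n")  # stand-in for the binary; never executed
    os.chmod(su, 0o4755 if setuid_ok else 0o755)
    shadow = os.path.join(root, "shadow")
    with open(shadow, "w") as fh:
        fh.write("root:!:12000:0:99999:7:::\n")  # constructed, locked password
    os.chmod(shadow, 0o600)
    pam_dir = os.path.join(root, "pam.d")
    os.mkdir(pam_dir)
    with open(os.path.join(pam_dir, "su"), "w") as fh:
        fh.write("auth     required   pam_unix.so\n")
    return su, shadow, pam_dir


def run_demo():
    """Return (findings on a healthy fixture, findings on one whose su lost setuid)."""
    results = []
    for ok in (True, False):
        with tempfile.TemporaryDirectory() as root:
            su, shadow, pam_dir = build_fixture(root, setuid_ok=ok)
            # expect_uid is our own uid here because the fixture is not root-owned
            results.append(check_su_setup(su, shadow, pam_dir, root, expect_uid=os.getuid()))
    return tuple(results)


if __name__ == "__main__":
    good, bad = run_demo()
    print("healthy fixture:", good or "no findings")
    print("setuid lost:", bad)
    # On a real host: check_su_setup("/bin/su", "/etc/shadow", "/etc/pam.d", "/var/log")
```

Run as root against the real paths named in the trailing comment, the same function reports on the live system; the checks are read-only.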
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-14 18:48 UTC (permalink / raw)
To: linux-newbie
>> >
>> > It says only "Sorry"
>> >
>
> NO it does not, it says, "Authentication failure" and then sorry.
>
I can assure you, sir, in spite of your block capitals, that it said just
"Sorry". Which also surprised me, I may say, and attracted Mr Olszewski's
attention too. I thought at the time it was a touch curt by Linux
standards. But, as I say, I reinstalled shadow and it is now back to
normal. So let us let bygones be bygones as I have no intention of
reproducing the error to prove what I say.
Thanks for taking the trouble to write.
Andrew
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-15 10:20 UTC (permalink / raw)
To: linux-newbie
On Mon, 14 Jul 2003 15:39:01 -0700, Stephen Samuel <samuel@bcgreen.com>
wrote:
> It sounds to me like you've been rooted, and somebody installed
> a trojan. I'd do a full hunt for signs of a rootkit. When in
> doubt (especially if there are only a few people on your system),
> I'd just load a new OS and migrate the user data over to it.
Now you've got me worried. What would signs of a rootkit be? I thought
reinstalling shadow had put everything right, but there are still hiccups.
For example, although I can now su again --that is, it now recognises the
password-- if I give the wrong password I still get just 'sorry'. Lilo
failed to load again and I have had to reinstall it. And I get a very
strange message in my user .xsession-errors file. It says:
'stderr is not a tty - where are you?'
Do I assume the worst?
For what it's worth, GRC reports most ports as stealthed and 113 IDENT and
5000 UPnP as closed.
TIA,
Andrew
* Re: su fails
From: Ray Olszewski @ 2003-07-15 15:13 UTC (permalink / raw)
To: linux-newbie
At 12:20 PM 7/15/2003 +0200, Andrew Langdon-Davies wrote:
>On Mon, 14 Jul 2003 15:39:01 -0700, Stephen Samuel <samuel@bcgreen.com> wrote:
>
>>It sounds to me like you've been rooted, and somebody installed
>>a trojan. I'd do a full hunt for signs of a rootkit. When in
>>doubt (especially if there are only a few people on your system),
>>I'd just load a new OS and migrate the user data over to it.
>
>
>Now you've got me worried.
I don't want to sound like Pollyanna, but interpreting your initial trouble
report as evidence of a breakin seems to me like an enormous leap. I didn't
see Stephen's full reply (was it sent to the list? I can't find it here),
but I would encourage him to explain *why* he interprets the report as an
indication that "you've been rooted, and somebody installed a trojan".
Especially when your initial report indicated that you had installed an
unspecified number of unnamed packages (including one that required you to
use a forcing parameter to install) recently.
>What would signs of a rootkit be?
Tough question. Rootkits are designed to hide themselves, so a well-written
one would leave no signs. There was a good set of articles on intrusion
detection about a year ago in Dr. Dobbs Journal, but they are probably not
freely available online anywhere. Generally, you need to examine your system
for instances of anomalous behavior, pretty much what you are already doing.
I would not associate *failure* of the "su" program with use of a rootkit
... at least not a *good* rootkit. It isn't being very stealthy, after all.
Nor does it deny you root access to the system.
>I thought reinstalling shadow had put everything right, but there are
>still hiccups. For example, although I can now su again --that is, it now
>recognises the password-- if I give the wrong password I still get just
>'sorry'.
I presume you mean "Sorry." This is not a quibble; it is an example of the
kind of thing (a capitalization difference, and a missing period) you look
for to spot a (clumsy) trojan. But whether your result matches what Richard
and I expect matters less than whether it has changed from what it used to
do (or, if you don't remember, what a similar Slackware system normally
does). Linux systems do vary in their details, and I don't run Slackware
here, so expecting my responses to match yours *exactly* is too much to ask
... certainly not a justification for reinstalling the OS.
Do you recall if you used to get a response more like the one Richard and I
posted here? If you did, and now it is different, this change means either
you inadvertently changed something, or someone else deliberately changed
something.
>Lilo failed to load again and I have had to reinstall it.
Without details of your setup, this one is impossible to diagnose. But why
would a rootkit mess with the bootloader?
>And I get a very strange message in my user .xsession-errors file. It says:
>'stderr is not a tty - where are you?'
Context, please. Is that the full line? How do you normally run X? What userid?
>Do I assume the worst?
>For what it's worth, GRC reports most ports as stealthed and 113 IDENT and
>5000 UPnP as closed.
Does it report ANY ports as open? What does "netstat -ln" report?
What sort of Internet connection do you have? Do other users have physical
access to the system, or remote access to shell accounts? What services do
you normally run? Are you keeping up to date on security patches for
Slackware? Do your logs show anything unusual? Are there any implausible
logins (reported by "last")? Do you run an iptables-based (or ipchains-)
firewall on the system (or does the system run behind a NAT'ing firewall)?
What kernel, and is it patched for the recent rash of kernel-level security
problems I saw reported (on the debian-security list)?
You need not post the answers to these questions. (Though feel free to do
so if you like.) I offer them as the kinds of questions one asks when
evaluating the likelihood of a breakin.
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-15 16:38 UTC (permalink / raw)
To: linux-newbie
>>> It sounds to me like you've been rooted, and somebody installed
>>> a trojan. I'd do a full hunt for signs of a rootkit. When in
>>> doubt (especially if there are only a few people on your system),
>>> I'd just load a new OS and migrate the user data over to it.
>
> I don't want to sound like Pollyanna, but interpreting your initial
> trouble report as evidence of a breakin seems to me like an enormous
> leap.
>> I thought reinstalling shadow had put everything right, but there are
>> still hiccups. For example, although I can now su again --that is, it
>> now recognises the password-- if I give the wrong password I still get
>> just 'sorry'.
>
> I presume you mean "Sorry."
I do indeed.
> Do you recall if you used to get a response more like the one Richard and
> I posted here?
I can't remember. In a similar situation Slackware 7.1 does give a longer
response.
>> Lilo failed to load again and I have had to reinstall it.
>
> Without details of your setup, this one is impossible to diagnose. But
> why would a rootkit mess with the bootloader?
I'll leave that one till I've had a chance to try it again.
>
>> And I get a very strange message in my user .xsession-errors file. It
>> says:
>> 'stderr is not a tty - where are you?'
>
> Context, please. Is that the full line? How do you normally run X? What
> userid?
This one bugs me a bit. That's the complete message. It turns up twice
(repeated) in the .xsession-errors file in my home directory. X is started
by xdm from rc.4. It starts with a login screen and I log in as normal
user. I use the Window Maker window manager.
>
>> GRC reports most ports as stealthed and 113 IDENT and 5000 UPnP as
>> closed.
>
> Does it report ANY ports as open?
No
> What does "netstat -ln" report?
Nothing that looks suspicious to me, but I'll study the manual first of
all.
One more thing: as normal user I also found I couldn't mount floppies or
CDs (in spite of the 'user' option in fstab). Reinstalling the util-linux
packet has put that right. I think I put one very large foot in the works,
nothing more sinister. No-one else has physical access to the system.
Thanks for your help,
Andrew
* Re: su fails
From: Alan Bort @ 2003-07-15 17:06 UTC (permalink / raw)
To: Linux Newbie
Well... I think bash actually has a builtin su... so if you reinstall
bash (not a very big package anyway)... it might help. since you've
already installed shadow again...
Anyway... I agree with the (quote)'I'd just load a new OS and migrate the
user data over to it.'(/quote) idea...
On Tue, 15-07-2003 at 12:38, Andrew Langdon-Davies wrote:
> >>> It sounds to me like you've been rooted, and somebody installed
> >>> a trojan. I'd do a full hunt for signs of a rootkit. When in
> >>> doubt (especially if there are only a few people on your system),
> >>> I'd just load a new OS and migrate the user data over to it.
> >
> > I don't want to sound like Pollyanna, but interpreting your initial
> > trouble report as evidence of a breakin seems to me like an enormous
> > leap.
> >> I thought reinstalling shadow had put everything right, but there are
> >> still hiccups. For example, although I can now su again --that is, it
> >> now recognises the password-- if I give the wrong password I still get
> >> just 'sorry'.
> >
> > I presume you mean "Sorry."
>
> I do indeed.
>
> > Do you recall if you used to get a response more like the one Richard and
> > I posted here?
>
> I can't remember. In a similar situation Slackware 7.1 does give a longer
> response.
>
> >> Lilo failed to load again and I have had to reinstall it.
> >
> > Without details of your setup, this one is impossible to diagnose. But
> > why would a rootkit mess with the bootloader?
>
> I'll leave that one till I've had a chance to try it again.
> >
> >> And I get a very strange message in my user .xsession-errors file. It
> >> says:
> >> 'stderr is not a tty - where are you?'
> >
> > Context, please. Is that the full line? How do you normally run X? What
> > userid?
> This one bugs me a bit. That's the complete message. It turns up twice
> (repeated) in the .xsession-errors file in my home directory. X is started
> by xdm from rc.4. It starts with a login screen and I log in as normal
> user. I use the Window Maker window manager.
>
> >
> >> GRC reports most ports as stealthed and 113 IDENT and 5000 UPnP as
> >> closed.
> >
> > Does it report ANY ports as open?
> No
>
> > What does "netstat -ln" report?
> Nothing that looks suspicious to me, but I'll study the manual first of
> all.
> One more thing: as normal user I also found I couldn't mount floppies or
> CDs (in spite of the 'user' option in fstab). Reinstalling the util-linux
> packet has put that right. I think I put one very large foot in the works,
> nothing more sinister. No-one else has physical access to the system.
> Thanks for your help,
> Andrew
--
Alan Bort
Linux Registered User 298277 -Country Manager- [http://counter.li.org]
[ http://www.linuxquestions.org ] Username: Ciccio
[ http://es.tldp.org ]
Ciccio.-
* Re: su fails
From: Mr. James W. Laferriere @ 2003-07-15 17:26 UTC (permalink / raw)
To: Alan Bort; +Cc: Linux Newbie
Hello Alan,
On Tue, 15 Jul 2003, Alan Bort wrote:
> Well... I think bash actually has a builtin su... so if you reinstall
FYI, bash (as of 2.05b.0(1)-release) does not have a builtin
of "su". Try typing 'help' at the bash shell prompt for one.
Then just do either (or both) "man bash" or "info bash".
> bash (not a very big package anyway)... it might help. since you've
> already installed shadow again...
>
> Anyway... I agree with the (quote)'I'd just load a new OS and migrate the
> user data over to it.'(/quote) idea...
Now here I'd probably agree IF there is even the slightest doubt
that the system may have been compromised: clear it & start
fresh. Be extremely careful of re-applying the user(s) data.
Hth, JimL
...snip...
--
+------------------------------------------------------------------+
| James W. Laferriere | System Techniques | Give me VMS |
| Network Engineer | P.O. Box 854 | Give me Linux |
| babydr@baby-dragons.com | Coudersport PA 16915 | only on AXP |
+------------------------------------------------------------------+
* Re: su fails
From: Ray Olszewski @ 2003-07-15 17:29 UTC (permalink / raw)
To: linux-newbie
At 01:06 PM 7/15/2003 -0400, Alan Bort wrote:
>Well... I think bash actually has a builtin su... so if you reinstall
>bash (not a very big package anyway)... it might help. since you've
>already installed shadow again...
On what basis do you think this to be true?
I've never heard of such a capability in bash, and implementing it would
(at least on today's systems, ones with passwords in /etc/shadow) introduce
some security problems that a standalone su can minimize, if not eliminate.
Just to double check, I searched an online version of the bash man page for
the string "su". It never appears, except as part of words like "subshell"
and "substitute".
I hesitate actually to say that you are wrong, Alan, because it is always
possible that I missed something. But I do think it worth asking how
well-based your belief is.
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-15 18:20 UTC (permalink / raw)
To: linux-newbie
> Now here I'd probably agree IF there is even the slightest doubt
> that the system may have been compromised: clear it & start
> fresh. Be extremely careful of re-applying the user(s) data.
> Hth, JimL
> ...snip...
I know this is a very wide-open question, but how likely really is it that
my system has been compromised? I use a coyote firewall on a dedicated 486
with a dial-up ppp connection. I connect a few hours every day and I
actually switch off the modem at night. There are two machines behind the
coyote and only one is giving signs of anything odd (the one I was messing
about on the other day just before the problems started).
By the way, Lilo is behaving perfectly again.
But what about the
'stderr is not a tty - where are you?'
???
TY
Andrew
* Re: su fails
From: Ray Olszewski @ 2003-07-15 19:37 UTC (permalink / raw)
To: linux-newbie
At 08:20 PM 7/15/2003 +0200, Andrew Langdon-Davies wrote:
>> Now here I'd probably agree IF there is even the slightest doubt
>> that the system may have been compromised: clear it & start
>> fresh. Be extremely careful of re-applying the user(s) data.
>> Hth, JimL
>> ...snip...
>I know this is a very wide-open question, but how likely really is it that
>my system has been compromised? I use a coyote firewall on a dedicated 486
>with a dial-up ppp connection. I connect a few hours every day and I
>actually switch off the modem at night. There are two machines behind the
>coyote and only one is giving signs of anything odd (the one I was messing
>about on the other day just before the problems started).
You are right to ask this question. "Reinstall the OS" is easy to say, but
time-consuming to do. Especially if the system is at all customized (and
what system isn't?).
Assuming the machines are physically secure (so we can rule out a *local*
compromise ... you don't say if, for example, you have a teen-ager in the
house), the likelihood of a compromise in this setting is extremely low.
Your IP address probably changes every time you connect. Unless you are
forwarding ports from the router to the Slackware host, no off-site machine
can initiate a connection to that host, even if something on the Slackware
host is listening (the NAT prevents it).
Unaddressed possibilities do include:
1. That you somehow were tricked into downloading and installing a trojan
app on the Slackware host. This is unlikely if you've stuck to "official"
Slackware update sites, and not even all that likely if you've downloaded
the source of well-known apps from their sites and installed them. But if
you installed anything obscure, consider it carefully.
2. You don't say what the other system is, so I'll assume the worst, that
it runs Windows. Here, the potential for compromise is greater ... more
trojans target Windows, and active-content capabilities in the core apps
are an easy vector for contamination, and P2P and IM applications are good
at making holes in firewalls. So there too, consider what has been
downloaded. (Once any machine on the LAN is compromised, you have to allow
for the possibility that it provided a path to compromise other machines.)
3. The Coyote firewall/router may have been compromised. I haven't looked
at Coyote for years, so I don't know if it is keeping up with security
patches. How risky this is depends on what the firewall/router runs, but
risk candidates include kernel-level problems, BIND problems, ssh problems
... that's what I can think of offhand.
None of us has the information needed to assess these risks. You do.
>By the way, Lilo is behaving perfectly again.
>But what about the
>'stderr is not a tty - where are you?'
I tried a few things here and could not get that message to turn up. But my
Debian systems are different in detail from your Slackware system, so
that's not definitive. Normally, when you start X from a console (using
startx, most often), both STDOUT and STDERR are mapped to that console.
With xdm, there is no console to map them to, so an xdm start **might**
generate that sort of message (does your xdm have a small window, probably
in the lower right, that logs info? if not, this guess gets more
convincing). Or they might be an old leftover of some time when that userid
tried to start X in some way that did not work. But the really odd thing is
that there is no reason why STDERR *should* be a tty; it is common to
redirect STDERR to a file (in fact, it is a common practice when debugging
X problems). So the message is, in a way, objecting to a commonplace practice.
In the absence of something else suggestive (and the other symptoms you've
discussed here do not count), I would disregard this one.
* Re: su fails
From: Andrew Langdon-Davies @ 2003-07-16 8:55 UTC (permalink / raw)
To: linux-newbie
>>
>> Unaddressed possibilities do include:
>>
>> 1. That you somehow were tricked into downloading and installing a
>> trojan app on the Slackware host. This is unlikely if you've stuck to
>> "official" Slackware update sites, and not even all that likely if
>> you've downloaded the source of well-known apps from their sites and
>> installed them. But if you installed anything obscure, consider it
>> carefully.
> I'll check that out.
>>
>> 2. You don't say what the other system is, so I'll assume the worst,
>> that it runs Windows.
> Mandrake 9.0. There's a WinXP installation on it but I haven't run it for
> months.
>>
>> 3. The Coyote firewall/router may have been compromised. I haven't
>> looked at Coyote for years, so I don't know if it is keeping up with
>> security patches. How risky this is depends on what the firewall/router
>> runs, but risk candidates include kernel-level problems, BIND problems,
>> ssh problems ... that's what I can think of offhand.
> I'll check that out too.
>>
>>> 'stderr is not a tty - where are you?'
>>
>> With xdm, there is no console to map them to, so an xdm start **might**
>> generate that sort of message (does your xdm have a small window,
>> probably in the lower right, that logs info?
> No
>> if not, this guess gets more
>> convincing). Or they might be an old leftover of some time when that
>> userid tried to start X in some way that did not work. But the really
>> odd thing is that there is no reason why STDERR *should* be a tty; it is
>> common to redirect STDERR to a file (in fact, it is a common practice
>> when debugging X problems). So the message is, in a way, objecting to a
>> commonplace practice.
> More info:
> cat lastlog:
> ~?tty30?pts/1(fqdn Mandrake9.0 machine)sh-2.05b$
> The file is 292292 bytes. This message could have something to do with a
> tunnel I was trying at a time when the Slackware host was running a
> different (Suse) installation. Right?
> cat faillog:
> pts/0ü
> ?tty5
> 1/4?
> (The 1/4 actually appears in small script without the slash). The file is
> 24024 bytes.
> Translation anyone?
> TIA,
> Andrew
>
--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
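The `cat lastlog` and `cat faillog` output quoted above looks like garbage because both files are binary arrays of fixed-size records indexed by UID, which is why they are normally read with the `lastlog` and `faillog` commands rather than `cat`. The following Python script is an added example, not code from the thread; it decodes both formats and checks that the reported sizes (292292 and 24024 bytes) are whole numbers of records. It assumes the 32-bit i386 layouts of glibc's `struct lastlog` (292 bytes) and shadow's `struct faillog` (24 bytes), and the sample records are constructed.

```python
import struct

# Assumed 32-bit x86 record layouts (the thread's host is Slackware 9.0 on i386):
# glibc <bits/utmp.h>: struct lastlog { int32 ll_time; char ll_line[32]; char ll_host[256]; }
# shadow faillog.h:    struct faillog { short fail_cnt; short fail_max; char fail_line[12];
#                                       time_t fail_time; long fail_locktime; }
LASTLOG_FMT = "<i32s256s"   # 292 bytes per record
FAILLOG_FMT = "<hh12sil"    # 24 bytes per record
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)
FAILLOG_SIZE = struct.calcsize(FAILLOG_FMT)

def cstr(raw: bytes) -> str:
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")

def record_count(file_size: int, record_size: int) -> int:
    """Both files are arrays indexed by UID; a size that is not a whole number
    of records means the file is truncated or is not the format assumed here."""
    if file_size % record_size:
        raise ValueError(f"{file_size} bytes is not a multiple of {record_size}")
    return file_size // record_size

def parse_lastlog(data: bytes) -> list:
    """Return (uid, epoch_time, line, host) for every slot that records a login."""
    out = []
    for uid in range(record_count(len(data), LASTLOG_SIZE)):
        t, line, host = struct.unpack_from(LASTLOG_FMT, data, uid * LASTLOG_SIZE)
        if t:  # an all-zero slot means that UID has never logged in
            out.append((uid, t, cstr(line), cstr(host)))
    return out

def parse_faillog(data: bytes) -> list:
    """Return (uid, fail_count, fail_max, line, epoch_time) for UIDs with failures."""
    out = []
    for uid in range(record_count(len(data), FAILLOG_SIZE)):
        cnt, mx, line, t, _lock = struct.unpack_from(FAILLOG_FMT, data, uid * FAILLOG_SIZE)
        if cnt or t:
            out.append((uid, cnt, mx, cstr(line), t))
    return out

# Constructed sample data (not from the thread): UID 1 logged in once from a
# remote host over pts/1, and the same UID has three failed logins on tty5.
SAMPLE_LASTLOG = bytes(LASTLOG_SIZE) + struct.pack(
    LASTLOG_FMT, 1058300000, b"pts/1", b"mandrake.example.invalid") + bytes(LASTLOG_SIZE)
SAMPLE_FAILLOG = bytes(FAILLOG_SIZE) + struct.pack(FAILLOG_FMT, 3, 0, b"tty5", 1058300500, 0)

if __name__ == "__main__":
    # The sizes reported in the thread divide exactly into 1001 records each: UIDs 0..1000.
    print(record_count(292292, LASTLOG_SIZE), record_count(24024, FAILLOG_SIZE))
    print(parse_lastlog(SAMPLE_LASTLOG), parse_faillog(SAMPLE_FAILLOG))
```

Passing the raw bytes of the real `/var/log/lastlog` and `/var/log/faillog` to the two parsers gives a per-UID view; a lastlog host name you do not recognise, or a failure count on an account nobody uses, is the kind of entry worth following up.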
* Re: su fails
2003-07-15 17:06 ` Alan Bort
2003-07-15 17:26 ` Mr. James W. Laferriere
2003-07-15 17:29 ` Ray Olszewski
@ 2003-07-17 1:11 ` Stephen Samuel
2003-07-17 10:55 ` Andrew Langdon-Davies
2 siblings, 1 reply; 17+ messages in thread
From: Stephen Samuel @ 2003-07-17 1:11 UTC (permalink / raw)
To: 333101, linux-newbie
I haven't had the time for a full report, but, although I'm not
CLEAR that his box has been rooted, things like minor changes to
su, and other weird things failing are signs of a rootkit (yes,
a clumsy one) being installed. Having su suddenly start to
give different messages is a sign that SOMEBODY has changed
SOMETHING.
If you can't show that you changed it, then you have to presume
that somebody else has.
At the very least, I think he should run something like chkrootkit to see
if any well-known root kit is being used.
Alan Bort wrote:
> Well... I think bash actually has a builtin su... so if you reinstall
> bash (not a very big package anyway)... it might help. since you've
> already installed shadow again...
>
> Anyway... I agree with the (quote)'I'd just load a new OS and migrate the
> user data over to it.'(/quote) idea...
>
> On Tue, 15-07-2003 at 12:38, Andrew Langdon-Davies wrote:
>
>>>>>It sounds to me like you've been rooted, and somebody installed
>>>>>a trojan. I'd do a full hunt for signs of a rootkit. When in
>>>>>doubt (especially if there are only a few people on your system),
>>>>>I'd just load a new OS and migrate the user data over to it.
>>>
>>>I don't want to sound like Pollyanna, but interpreting your initial
>>>trouble report as evidence of a breakin seems to me like an enormous
>>>leap.
>>>
>>>>I thought reinstalling shadow had put everything right, but there are
>>>>still hiccups. For example, although I can now su again --that is, it
>>>>now recognises the password-- if I give the wrong password I still get
>>>>just 'sorry'.
--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to life.
* Re: su fails
2003-07-17 1:11 ` Stephen Samuel
@ 2003-07-17 10:55 ` Andrew Langdon-Davies
0 siblings, 0 replies; 17+ messages in thread
From: Andrew Langdon-Davies @ 2003-07-17 10:55 UTC (permalink / raw)
To: linux-newbie
On Wed, 16 Jul 2003 18:11:10 -0700, Stephen Samuel <samuel@bcgreen.com>
wrote:
> I haven't had the time for a full report, but, although I'm not
> CLEAR that his box has been rooted, things like minor changes to
> su, and other weird things failing are signs of a rootkit (yes,
> a clumsy one) being installed. Having su suddenly start to
> give different messages is a sign that SOMEBODY has changed
> SOMETHING.
It's not actually certain it has.
> At the very least, I think he should run something like chkrootkit to see
> if any well-known root kit is being used.
I've taken your advice here and the only possible anomaly it comes up with
is "Warning: '//root/.sc_history' file size is zero".
All the rest is "nothing found", "not infected", "nothing detected", "not
found", and "nothing deleted". Search for suspicious files and directories
turns up 2 .packlist files, which I gather is fairly normal. One is
identical to the one on the installation CD and the other corresponds with
the Foo-matic packet I installed.
Now can I relax and have a beer?
Thanks,
Andrew
* Re: su fails
@ 2003-07-15 18:08 beolach
0 siblings, 0 replies; 17+ messages in thread
From: beolach @ 2003-07-15 18:08 UTC (permalink / raw)
To: linux-newbie
--- Ray Olszewski <ray@comarre.com> wrote:
>>
>>I thought reinstalling shadow had put everything right, but there are
>>still hiccups. For example, although I can now su again --that is, it
>>now
>>recognises the password-- if I give the wrong password I still get
>>just 'sorry'.
>
>I presume you mean "Sorry." This is not a quibble; it is an example of the
>kind of thing (a capitalization difference, and a missing period) you look
>for to spot a (clumsy) trojan. But whether your result matches what Richard
>and I expect matters less than whether it has changed from what it used to
>do (or, if you don't remember, what a similar Slackware system normally
>does). Linux systems do vary in their details, and I don't run Slackware
>here, so expecting my responses to match yours *exactly* is too much to ask
>... certainly not a justification for reinstalling the OS.
I am currently using Slackware 9.0, and on my (I'm pretty sure)
uncompromised system a su failure only outputs "Sorry." So I think
that this is normal for Slackware.
My brother is having a vaguely similar problem to this, but he is
unable to sign in as any non-root user, either through normal login,
su, or anything else. I don't remember all of the details, and he
refuses to stop playing games (under M$ Windows :( ), so I can't really
ask for much help. Once I can get the details from him, I'll start a
new thread.
Thanks in advance,
Conway S. Smith