LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-06-2007, 03:08 PM   #1
artur4
LQ Newbie
 
Registered: Nov 2007
Posts: 2

/bin/su security problem (probably crack)


I have a very weird problem on one of the RHE4-4 servers: /bin/su accepts any password for authentication. I have compared the md5 checksum of the binary with working machines, and it was all right. Then I upgraded the coreutils rpm package to a newer one, but that didn't fix the issue. If I ssh to root, it requires the real password. I guess the computer got cracked. Reinstallation is not an option now. Please advise.

Thanks.
 
Old 11-06-2007, 03:40 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by artur4
/bin/su accepts any password for authentication.
And it's not, say, a PAM misconfiguration?


Quote:
Originally Posted by artur4
I have compared the md5 checksum of the binary with working machines, and it was all right.
You should compare with RPM contents from a trusted remote source, not running machines.


Quote:
Originally Posted by artur4
Then I upgraded the coreutils rpm package to a newer one, but that didn't fix the issue.
Great. Overwriting the package removes all traces of tampering, effectively annulling your own investigative efforts.


Quote:
Originally Posted by artur4
If I ssh to root, it requires the real password.
Next mistake (hope you learn from them): SSH as the root account user is NOT a SOP!


Quote:
Originally Posted by artur4
I guess the computer got cracked.
Don't assume, make certain. Use the "Intruder Detection Checklist (CERT)" http://www.cert.org/tech_tips/intrud...checklist.html as a starting point.


Quote:
Originally Posted by artur4
Reinstallation is not an option now.
What does that mean? That you value anything over the security of your customers' data and the reliability of your servers?


Oh, and welcome to LQ, hope you like it here.
 
Old 11-06-2007, 04:22 PM   #3
artur4
LQ Newbie
 
Registered: Nov 2007
Posts: 2

Original Poster

Oh, I cracked the box myself. While migrating from NIS to OpenLDAP I changed the PAM configuration. Thank you for the hint.
That's not a production server but a development one, and it's connected to the internal network only. However, there are a lot of people who have Unix accounts on this box and they connect from multiple offices. It's almost impossible to investigate all the connections, because we don't have any intrusion detection for internal boxes.
However, my question was not related to the investigation process. I was asking about preventing /bin/su from working with no password.
Thank you anyway.
 
Old 11-08-2007, 11:58 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by artur4
Oh, I cracked the box myself. While migrating from NIS to OpenLDAP I changed the PAM configuration. Thank you for the hint. (...) However, my question was not related to the investigation process. I was asking about preventing /bin/su from working with no password.
No, but investigation *should* be the first reflex when encountering this type of anomaly. Since you explained you modded your PAM config, the answer to your question is to mod it back ;-p
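An added example, not code from the thread, that turns unSpawn's two pointers (check the PAM config first; put it back the way it was) into something checkable. It writes two constructed RHEL4-style /etc/pam.d/su files to a temp directory: the stock layout, and an assumed broken one in which the pam_stack line that delegates password checking to system-auth was swapped for pam_permit.so. The audit function and its heuristic list of credential-checking modules are mine, not a standard tool; the OP never posted his real file, so the broken one is a guess at the kind of edit that produces "su accepts any password".

```shell
#!/bin/sh
# Added example (not from the thread): spot the PAM mistakes that make
# "su" accept any password. The module names and the /lib/security/$ISA
# paths follow RHEL4 conventions; both files below are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: a sane RHEL4 /etc/pam.d/su. Password checking is delegated
# to system-auth through pam_stack; the only thing above it that can
# succeed without a credential is pam_rootok, which only fires for root.
cat > "$WORK/su.ok" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so
EOF

# Constructed (assumed): a broken one. The pam_stack auth line was
# replaced by pam_permit.so while debugging the LDAP migration and never
# reverted. pam_permit always returns success, and a "sufficient" success
# ends the stack immediately, so every password is accepted.
cat > "$WORK/su.weak" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       sufficient   /lib/security/$ISA/pam_permit.so
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
EOF

# audit_pam_auth FILE: print one line per finding; return 1 if the auth
# stack can grant access without a credential check, 0 otherwise.
audit_pam_auth() {
    f=$1
    # active "auth" lines only; commented lines never match this pattern
    auth=$(grep -E '^[[:space:]]*auth[[:space:]]' "$f" || true)
    bad=0

    # 1. pam_permit in the auth stack: unconditional success.
    if printf '%s\n' "$auth" | grep -q 'pam_permit\.so'; then
        echo "WEAK $f: pam_permit.so in auth stack (accepts any password)"
        bad=1
    fi

    # 2. pam_wheel with "trust": wheel members become root with no password.
    if printf '%s\n' "$auth" | grep -E 'pam_wheel\.so' | grep -qw trust; then
        echo "WEAK $f: pam_wheel.so trust (no password for the wheel group)"
        bad=1
    fi

    # 3. Nothing in the stack verifies a credential. Heuristic list
    # (assumption): pam_unix, pam_ldap, pam_krb5, pam_winbind, pam_sss,
    # or pam_stack delegating to another service such as system-auth.
    if ! printf '%s\n' "$auth" | grep -qE 'pam_(unix|ldap|krb5|winbind|sss|stack)\.so'; then
        echo "WEAK $f: auth stack never checks a password"
        bad=1
    fi

    [ "$bad" -eq 0 ] && echo "OK $f"
    return "$bad"
}

audit_pam_auth "$WORK/su.ok"
audit_pam_auth "$WORK/su.weak" \
    || echo "-> fix: restore the pam_stack/system-auth auth line and drop pam_permit"
```

Run it against the live file with `audit_pam_auth /etc/pam.d/su`; on RHEL4 also audit /etc/pam.d/system-auth, since su delegates to it through pam_stack and a pam_permit or a missing pam_unix/pam_ldap there has the same effect. Order matters as much as the module list: a "sufficient" line that always succeeds short-circuits everything below it, so a correct pam_unix line placed after it never runs.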
 
Old 11-14-2007, 06:45 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Moved: This thread is more suitable in the Linux Security forum and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 11-14-2007, 07:06 PM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Quote:
Originally Posted by artur4
I have compared the md5 checksum of the binary with working machines, and it was all right.
FYI, you can validate a file against the source rpm on the CD/DVD installation source.

Use the -p option for the package.

Example:
rpm -qVp opensuse/suse/x86_64/coreutils-6.9-43.x86_64.rpm

I keep the installation DVD iso image in its own partition so I don't have to grab the DVD. This is a bit of a compromise, but I don't think that would be as easy to hack given its size, and because iso9660 is a read-only filesystem.

Quote:
Originally Posted by artur4
it's connected to the internal network only
If a hacker has compromised another computer on the local network, that could be used to launch an attack against the server. I think that hackers refer to this as cracking a nut: hard on the outside, soft and meaty on the inside.
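An added example, not code from the thread, to go with unSpawn's point about comparing against a trusted package rather than a sibling machine and jschiwal's `rpm -qVp`. It parses the report that `rpm -V` and `rpm -Vp` print (attribute field, optional file-type letter, path) from constructed sample lines and sorts entries by what they mean for an investigation. The sample lines, the function names and the severity classes are assumptions; the attribute letters and their order are rpm's own.

```shell
#!/bin/sh
# Added example (not from the thread): triage "rpm -V" / "rpm -Vp" output
# offline. Each line starts with an attribute field of 8 or 9 characters
# in the fixed order S M 5 D L U G T [P] (size, mode, MD5/digest, device,
# link target, user, group, mtime, capabilities; "." = unchanged), or the
# word "missing"; then an optional file-type letter (c = config,
# d = documentation, g = ghost, l = license, r = readme); then the path.
# A "5" on a non-config file is the finding that matters for this thread:
# a binary whose contents no longer match the package it came from.

# Constructed sample report in the RHEL4-era 8-character format; these are
# not lines captured from the OP's server.
SAMPLE_RPM_V='S.5....T    /bin/su
.M......    /bin/ping
.......T    /usr/bin/passwd
S.5....T  c /etc/pam.d/su
missing     /usr/share/doc/coreutils-5.2.1/README'

# triage_rpm_verify: reads rpm -V lines on stdin, prints one classified
# line per entry:
#   SUSPECT <path>  contents, mode, owner, group or link target of a
#                   non-config file changed -> investigate before reinstalling
#   CONFIG  <path>  a config file changed   -> diff it against the packaged copy
#   MISSING <path>  the file is gone
#   TOUCHED <path>  only size or mtime differ -> low priority, but note it
#   OK      <path>  nothing this check cares about
triage_rpm_verify() {
    while read -r attrs second rest; do
        [ -z "$attrs" ] && continue
        case "$second" in
            [cdglr]) ftype=$second; path=$rest ;;            # type letter present
            *)       ftype=""; path="$second${rest:+ $rest}" ;;
        esac
        if [ "$attrs" = "missing" ]; then
            echo "MISSING $path"
            continue
        fi
        case "$attrs" in
            *5*|*M*|*U*|*G*|*L*)
                if [ "$ftype" = "c" ]; then echo "CONFIG $path"; else echo "SUSPECT $path"; fi ;;
            *S*|*T*)
                echo "TOUCHED $path" ;;
            *)
                echo "OK $path" ;;
        esac
    done
}

# count_suspects REPORT: number of SUSPECT entries in a report string
count_suspects() {
    printf '%s\n' "$1" | triage_rpm_verify | grep -c '^SUSPECT '
}

printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
```

Pipe a real report through it: `rpm -Vp <package file copied from your install media> | triage_rpm_verify`. Two caveats a practitioner would want: if the host is really suspect, run rpm (and the shell utilities) from known-good media, since a trojaned rpm binary or a tampered rpm database can report whatever the intruder likes; and run `rpm -K` on the package file first so the reference itself is known to be signed. Config files land in CONFIG rather than SUSPECT because they are expected to differ, but in this thread /etc/pam.d/su is exactly the file to diff against the packaged copy.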
 
Old 11-14-2007, 07:12 PM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Just to clarify what's happening here, for the among us...

Like many operating systems, Linux offers you options for choosing how you want to handle authentication tasks ... such as determining whether a particular login should be accepted (and where and how to check it, and whether to require things like a badge, a fingerprint-reader, and so on).

The most common way that this is done, these days, is with a very clever system called Pluggable Authentication Modules, or simply "PAM."

As you can see from, say, man pam, this system allows you considerable control in setting up authentication requests of all kinds... not just for login, but for anything.

Even if your system uses ordinary passwords (and I sincerely hope that you're using "shadow" passwords), you'll find that the request-handling process is being routed through and controlled by PAM.
 
  


All times are GMT -5.