LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-25-2019, 09:30 PM   #1
MALDATA
Member
 
Registered: Mar 2005
Posts: 132

Rep: Reputation: 17
/etc/shadow file has been modified


I'm struggling to understand what might have happened here. I have a Beaglebone on my network that I log into occasionally as a normal user. Every couple months I also log in as root and update the software.

When I tried to do so today, it kept failing to log in as root. I could ssh in as my normal user, but `su -` failed. I use a password manager, so I am 100% sure I'm using the right password. When I look at the modification time of my /etc/shadow file, it claims that the file changed a couple weeks ago. I didn't change any passwords, I didn't apply any updates, and in fact, I barely used the thing since then.

I'm concerned about a few things. One, I have no way to log in as root anymore (yeah, I know, I should've set up sudo). On a regular PC it'd be easy enough to fix, but on a Beaglebone it's going to be more annoying to get into single user mode. Second, if something locked out my root user or changed its password, then I've got a security breach (which seems unlikely, given that my passwords are strong and I'm behind a decent firewall).

Is there anything I might be missing? And more importantly, is there any way to recover aside from hooking up a serial console to the Beaglebone so I can get single-user access?
 
Old 06-26-2019, 01:00 AM   #2
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 953

Rep: Reputation: 498Reputation: 498Reputation: 498Reputation: 498Reputation: 498
Quote:
Originally Posted by MALDATA View Post
When I look at the modification time of my /etc/shadow file, it claims that the file changed a couple weeks ago. I didn't change any passwords, I didn't apply any updates, and in fact, I barely used the thing since then.
If YOU didn't change any passwords (or other info, stored in the shadow file), it is sure somebody did, because the only way /etc/shadow will be recently changed is by someone changing his/her passwd, age info or such OR when a new user has been added to the system (to store the shadow info for that account).
This can be a sign your Beaglebone system has been hacked and the hacker added his own account (to get in remotely) and then changed the root password too.
Look to see if there are new additions to /etc/passwd too.
Without root access you will not be able to look into that shadow file, so you may need that serial console to get back into the system.

Last edited by ehartman; 06-26-2019 at 01:02 AM.
 
Old 06-26-2019, 02:08 AM   #3
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 12,519
Blog Entries: 9

Rep: Reputation: 3393Reputation: 3393Reputation: 3393Reputation: 3393Reputation: 3393Reputation: 3393Reputation: 3393Reputation: 3393Reputation: 3393Reputation: 3393Reputation: 3393
Can you reboot into recovery as root?
 
Old 06-26-2019, 09:59 AM   #4
MALDATA
Member
 
Registered: Mar 2005
Posts: 132

Original Poster
Rep: Reputation: 17
Quote:
the only way /etc/shadow will be recently changed is by someone changing his/her passwd, age info or such OR when a new user has been added to the system (to store the shadow info for that account).
This is what I was wondering about. I didn't know if maybe the system regularly did some maintenance that would modify this file.

I mounted the filesystem, chrooted, and fixed my root password so I can get in again. It doesn't look like there are any new users or any obvious unexpected changes... I'm not quite sure what to look for though. I'll do some googling to see what I should check, but it seems like there's no other explanation aside from some kind of breach.

Let me know if you have any other thoughts. Thanks!
 
Old 06-26-2019, 10:19 AM   #5
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
Not really related to your issue but is the deice available on the Internet or otherwise publicly accessible? Who else has access to your network and are any inbound ports open on your firewall?
 
Old 06-27-2019, 10:29 PM   #6
MALDATA
Member
 
Registered: Mar 2005
Posts: 132

Original Poster
Rep: Reputation: 17
Quote:
Not really related to your issue but is the deice available on the Internet or otherwise publicly accessible? Who else has access to your network and are any inbound ports open on your firewall?
Yes, the device was serving a web page (not for public consumption, just a personal project), so it was intentionally accessible from outside my network. However, both the SSH and HTTP ports were forwarded to non-standard port numbers, all passwords were strong, SSL was enabled, and no one outside of my home had access. Obviously having those two ports open is an opportunity for people to gain access, but it's still shocking when it happens. Fortunately there isn't anything sensitive on the device and I have backups.
 
Old 06-28-2019, 12:30 AM   #7
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 953

Rep: Reputation: 498Reputation: 498Reputation: 498Reputation: 498Reputation: 498
Quote:
Originally Posted by MALDATA View Post
This is what I was wondering about. I didn't know if maybe the system regularly did some maintenance that would modify this file.
No, normally not.
But installing some packages will add a special userID for it (like i.e. mysql, apache, sshd, etc) TO the passwd and shadow files. These additions will normally be located at the bottom OF those files.
But, for instance, on MY system both /etc/passwd and /etc/shadow are from 2009, so haven't been changed in the last 10 years.
 
Old 06-28-2019, 06:59 AM   #8
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
Quote:
Originally Posted by MALDATA View Post
Yes, the device was serving a web page (not for public consumption, just a personal project), so it was intentionally accessible from outside my network. However, both the SSH and HTTP ports were forwarded to non-standard port numbers, all passwords were strong, SSL was enabled, and no one outside of my home had access. Obviously having those two ports open is an opportunity for people to gain access, but it's still shocking when it happens. Fortunately there isn't anything sensitive on the device and I have backups.
Agree, no one thinks this will happen. FYI, non-standard ports is not a security measure really, it just deters automated scanners that check standard ports. It absolutely will not deter an experienced human attacker. If possible, you can add source and destination rules to your firewall so that only you can access from an external source. All other traffic will be dropped.
 
Old 07-01-2019, 03:42 AM   #9
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 1,642

Rep: Reputation: 277Reputation: 277Reputation: 277
/etc/shadow contains password hashes which can be copied and attacker can start guessing the password and compare with the hashes on the file to get the password.

Well, if you changed all the password in the /etc/shadow files. Then even if the crack the hashes it will be render useless since the password has been updated.

If any user change his or her password, i believe /etc/shadow will be modified.

As long as your system is not accessible to the outside world, then I guess you don't need to worry too much but then you need to focus on the internal users who might have some malice intent.
 
Old 07-01-2019, 09:42 AM   #10
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 953

Rep: Reputation: 498Reputation: 498Reputation: 498Reputation: 498Reputation: 498
Quote:
Originally Posted by JJJCR View Post
/etc/shadow contains password hashes which can be copied and attacker can start guessing the password and compare with the hashes on the file to get the password.
But as the file is only readable BY root (or processes in the "shadow" group) that hacker already needs "more then a normal user" access to do so.
Code:
 $ ls -l /etc/shadow
-rw-r----- 1 root shadow 508 2009-06-01 12:00:00 /etc/shadow
Of course, people (ubuntu etc) who have setup sudo without a password only need to have their own account hacked to compromise the whole system.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Legacy Account in /etc/passwd, /etc/shadow and/or /etc/group lalit singhania Linux - Newbie 4 06-07-2012 06:33 AM
[SOLVED] /etc/passwd- & /etc/shadow- & /etc/group- Mr. Alex Linux - Newbie 1 12-31-2010 05:19 AM
/etc/passwd, /etc/shadow, /etc/group? Educate me :)! nutnut Linux - General 4 06-11-2005 07:47 PM
/etc/shadow- (notice the dash after the word shadow) shellcode Linux - Security 1 09-03-2004 04:54 AM
Get directory stats when a file has been modified? marri Programming 2 05-13-2004 08:44 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:53 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration