Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
#1 I would take a look at the node 10.2.2.97 and see who would be arriving over ssh from that node. I suspect that the root password was changed to attempt to make that link work. If you find out who was working on making that work, you can ask if they changed the root password.
#2 someone had to HAVE root access to change that password. How many people have root access: either via sudo or some other tool for escalation.
#3 assuming you are using sudo : check the sudo logs and see if you can tell who used it about that time.
Without more information about your servers, server usage, local threats (internal as well as external), local security needs and standards I would hesitate to advise you in any more than a general way. I will say that the Red Hat online documentation and security advisories are excellent, and they all apply to the corresponding version of CentOS.
1# 10.2.2.97 is our gateway (router), which is translated from other local subnets. We have other subnets, which is connecting to the Cent OS 6 server. That is OK.
#2 What about scripting? We have about 1000 webhotels in the Plesk installation. My bid is that we have been attacked with earlier Wordpress attacks and there has been a script that can reset the root pw.
# Have checked the sudo log/bash log, nothing to see about theres is runned a command passwd... And either no time stamps.
We are willing to pay to review our setup.
Quote:
Originally Posted by wpeckham
#1 I would take a look at the node 10.2.2.97 and see who would be arriving over ssh from that node. I suspect that the root password was changed to attempt to make that link work. If you find out who was working on making that work, you can ask if they changed the root password.
#2 someone had to HAVE root access to change that password. How many people have root access: either via sudo or some other tool for escalation.
#3 assuming you are using sudo : check the sudo logs and see if you can tell who used it about that time.
Without more information about your servers, server usage, local threats (internal as well as external), local security needs and standards I would hesitate to advise you in any more than a general way. I will say that the Red Hat online documentation and security advisories are excellent, and they all apply to the corresponding version of CentOS.
1) It could be someone in your organization who is able to reboot the system (via ctrl+alt+delete) and boot into single user mode in order to zero out the root password, and or read the /etc/shadow file.
* Countermeasures: Comet out the line ca::ctrlaltdel:/sbin/shutdown -t3 -r now (note this will also legitimately stop you from using ctrl+alt+delete)
2) Look for duplicate root entries in /etc/passswd, or unauthorized entries in /etc/shadow which can provide covert access..
3) The $home/.rhosts file is a prime target as it can allows one to gain entry to any host, from anywhere with the privileges of the userID who contains it in their home directory. This file is intended to specify which remote users can access the BSD r-commands (i.e. rsh, rcp, and rlogin) without a password.. An attacker can add entries to this file by either manually editing it, or running a script that exploits an unsecured CGI script on a web server application that's running on the system. These files aren't enabled by default, but users (including root) can just create on in their home directory which can represent a huge security hole.
* Countermeasures: chmod 600 $/home/.rhosts and change disable=no to disable=yes in the files rexec, rlogin, and rsh (which are in the /etc/xinetd.d directory; system must be rebooted for changes to take effect, or you can restart xinetd via kill -HUP pid#)
4) The /etc/hosts.equiv can be used by an attacker to see which hosts can access services on the local system, and as with the ~/.rhosts file they can read this file and spoof their own IP/hostnames to gain unauthorized access to the local system, or other systems as specified in those files.
* Countermeasures: chmod 600 /etc/hosts.equiv
Last edited by justmy2cents; 08-08-2017 at 03:12 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.