Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi:
Being in a text console (VT, that is, the screen with 25 x 80 chars), say tty1, and just after booting Linux, I logged in as usual, typing my password. What happened then astonished me. In Slackware distros, a small quotation from some book is written on screen just after typing the correct password. Well, after typing my password, I could see it split into two halves instead of the quotation.
I think this clearly indicates the presence of a virus in my hard disk. Does it? Regards.
In both circumstances I would assume that the message you got has some escape sequences (commands for the terminal VT) which cause the splitting. Is this reproducible?
It is a database on disk from where the system gets the quotations, not the internet. And yes, the file "issue" (maybe "motd") contains the string 'Linux x.x.x' and some escape sequences. But the splitting happened only once. More important is the fact that the password was echoed on the VT. Of course, then, it is not reproducible.
So, do you know which message in the file (issue?) was to be displayed when the screen split? If so, is there a method to display this again in the same terminal-(type)?
My fault. There are lots of messages, and each session gets its own one. Instead of one of the messages getting displayed (there are hundreds of them), the "message" consisted of my password and this, split.
Understood. What I am driving at is the possibility that one of these messages was garbled in a way to include the escape sequences to split the screen (and simultaneously suppressing the hiding of your password, thus displaying it in clear text). Shouldn't happen and is clearly a bug, but also it is at least a hypothetical explanation of what happened.
But I'm out of my depth here, security gurus to the fore please.
A 'getty' is connected to a TTY, waits for user input and hands the login process over to 'login' which finally hands over control to the user's shell. Well-documented as they are you can read that all binaries in this chain of processes handle escape sequences and read different configuration files. On top of that error output may be logged to the screen and syslog. It would be good to know if the OP has verified the integrity of installed core packages, if he has made any modifications to configuration files that relate to the whole login process or shell behaviour, if he has replaced (or installed PPP/Fax-tty-related) any software and if any syslog log file holds any clues. If no changes were made and no errors get logged I would disable any MotD and try again. If that doesn't work then see what running a forced getty like 'mingetty --noissue tty1' shows.
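One way to check the message files discussed above for stray terminal control bytes, as an added example that is not part of the thread or any participant's post. The function names `scan_ctrl` and `show_line` and the sample file contents are assumptions made for the illustration; getty-style backslash codes such as `\l` are plain text and are not flagged, raw ESC or CR bytes are.

```shell
#!/bin/sh
# Added example: flag lines in login-message files that hold raw control bytes.

# scan_ctrl FILE... prints "FILE:LINE" for each line containing a C0 control
# byte other than tab (ESC, CR, BEL, ...). Returns 1 if anything was flagged.
scan_ctrl() {
    found=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "unreadable: $f" >&2
            continue
        fi
        # Delete tabs so ordinary indentation is not reported; newlines stay,
        # so grep's line numbers still match the original file.
        for n in $(LC_ALL=C tr -d '\t' < "$f" |
                   LC_ALL=C grep -n '[[:cntrl:]]' | cut -d: -f1); do
            echo "$f:$n"
            found=1
        done
    done
    return "$found"
}

# show_line FILE LINE prints that line with control bytes made visible:
# sed's "l" command writes ESC as \033 and CR as \r, and ends the line with $.
show_line() {
    LC_ALL=C sed -n "${2}l" "$1"
}

# Demo on constructed sample files (hypothetical contents, not from the thread).
demo() {
    d=$(mktemp -d) || return 2
    # getty-style backslash codes are ordinary text and are not flagged
    printf 'Welcome to \\s \\r (\\l)\n' > "$d/issue"
    # line 2 carries raw ESC sequences (clear screen, move cursor)
    printf 'A quotation.\n\033[2J\033[12;1Hsplit\n' > "$d/motd"
    scan_ctrl "$d/issue" "$d/motd" | sed "s|^$d/||"
    show_line "$d/motd" 2
    rm -rf "$d"
}

demo
```

Point `scan_ctrl` at the files the login chain reads on the system in question, then inspect any flagged line with `show_line` before restoring the file to its packaged state.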
Quote:
Originally Posted by unSpawn
...all binaries in this chain of processes handle escape sequences...
Are these binaries controllable by the escape sequences or do they just hand them to next instance? (That was my original idea. Your hints for the OP are much more concise, thanks for coming to the rescue, unSpawn).
Sorry for the late reply. I wouldn't say "controllable" but that escape sequences in resource or configuration files are used to modify output. Sure it would be a bug if an escape sequence modifies output in a way that it echoes the actual password or pass phrase on stdout but to troubleshoot that properly one should first return resource and configuration files to an earlier or initial state so things don't get obscured.
I warmly acknowledge your suggestion, but bear in mind I'm just a novice. There are two possibilities. This can happen right from a fresh installation, in which case it is clearly a bug, or after a certain period of use, as is my case. If the latter, an appropriate procedure, including your hints, could tell whether there is a bug, although it could not tell if there is not.
If the first, this _must_ be known to the slack guys (unfortunately I use 12.0 and do not want to update any further). Regards.
I'm pretty sure that if this actually was a 12.x bug that it would have been fixed fast in upstream. I've never seen it happen in 12.x or 13.x but then again I run it stock, absolutely no mods.
I'll ask in the slack forum (LQ) for a way to get rid of those quotations, because with or without a bug, I was already tired of them. Once in a while, I see myself forced to read one. And believe me, I'm not at all interested in the high thoughts of Sir Winston Churchill. Have a good Sunday.
Quote:
Originally Posted by unSpawn
...I wouldn't say "controllable" but that escape sequences in resource or configuration files are used to modify output...
Yes, that is a more fitting expression. As I understand it by now, at any link of the chain of processes the first binary with the inbuilt capability to process an escape sequence does so (and removes the escape sequence in this process) until all are used up else they are part of the output.