I have a RH 9 Linux distro that has been working perfectly for quite a while. Unexpectedly, when I started it up in RL5 and logged in through the GUI interface, I was unable to log in through any of the user accounts set up on the machine, including root.
I keep getting a popup window stating "authentication failed". This happens the same for all accounts. I also cannot access any files through Samba now.
I have started the machine in RL1, reset the root password and rebooted back into RL5, but I still cannot log in.
I could initially log in to RL3 and manually run "startx" for an X Windows session. But now even that login is refusing me.
I cannot work out why it is giving me so much trouble. I have run out of options within my knowledge.
Have I been hacked?
Does anybody have any ideas? Or if there is not enough info here let me know.
Try rebooting into run-level 1 again and verify the integrity of the packages (especially of the login and pam packages). You can use rpm -Va to verify all of them. Probably would be a good idea to run a scan with chkrootkit or rootkit hunter as well. If that still doesn't turn anything up, try rebooting the system using a "live" cd-based distro and then mount the hd read-only and perform checks of all the login related packages. Also make sure to check for any error messages in the system logs.
BTW with support for RH9 gone, have you been making sure to apply security patches on your own?
Does this mean that the up2date service will not work anymore for the RHN?
I could never really get it working anyway, as it kept returning a login error from RHN, even though I could log in to RHN through the web site using the same credentials.
This would obviously mean that I was not up to date with security patches.
How do I get these security patches? Are they similar to a service pack like Windows, or patches to individual packages?
I was just running rpm -Va from a rescue session on the original installation disk 1 and I received a segmentation fault 20 seconds after scanning /etc/squirrelmail/config.php. This does not mean much to me in relation to login issues.
I was not aware that support for RH9 was gone. Where has it gone?
Redhat decided to focus on their Enterprise Editions and offering free versions didn't fit into their business model.
Does this mean that the up2date service will not work anymore for the RHN?
No, up2date won't work any longer with RH9
This would obviously mean that I was not up to date with security patches.
That's not good. Doesn't guarantee a compromise, but it's still not good.
How do I get these security patches? Are they similar to a service pack like Windows, or patches to individual packages?
Duke University's YUM has a RH9 update repository, Progeny offers a fee-based update service, or you can manually download files directly from the software distributor.
I was just running rpm -Va from a rescue session on the original installation disk 1 and I received a segmentation fault 20 seconds after scanning /etc/squirrelmail/config.php. This does not mean much to me in relation to login issues. The scan will not move beyond that point. Any ideas?
Try just scanning the login and PAM related rpms. To scan individual files, use rpm -V package_name.
Scanned pam and there seemed to be no issues there. If there were how could I tell?
Sorry to have you baby me through this. I am out of my depth at this stage.
What other login packages could I target? I am not familiar with any other packages than pam.
I really appreciate your help here, as I need this system up and running ASAP: I run a small web design company and I use this server to host my web sites while I am coding them.
At the moment I cannot produce anything until I get this server working, plus I have a lot of work on it. Since this issue I have been looking into backup options so I can easily restore a working system if something like this happens again. I think Amanda seems to be the main backup software for Linux. I don't have a tape drive but hopefully I can write to CD or DVD.
If the package passes the verification check, there will be no output (it will just return to the command prompt after a few seconds of checking). If the package fails, it will let you know and will output what part of the verification test failed (timestamps, ownership, md5sum, etc). The /bin/login file is usually part of util-linux. You can use the rpm query option to find what version and what rpm provides it:
rpm -q --whatprovides /bin/login
I'd also check the SysVinit package. Given that the system isn't patched, you should absolutely run a check with chkrootkit and/or rootkit hunter as well.
In terms of future directions, depending on what you find, you may just want to do a full re-install from scratch with a distro that is fully supported. The backup strategy is definitely a good idea (even doing something like a redundant backup might be advisable).
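As an added example (not from this thread or from rpm itself), here is a small Python helper that decodes the attribute codes rpm -V prints when a package fails verification, as described in the reply above, and separates a changed binary (the thing a trojaned /bin/login or PAM module would look like) from an edited config file or a harmless timestamp change. The rpm -V output embedded in it is constructed for illustration, not output from the poster's machine.

```python
import re

# Meaning of each position in the 8-character rpm -V attribute string
# (rpm 4.x as shipped with RH9); "." means that test passed.
RPM_V_FLAGS = {"S": "size differs", "M": "mode differs", "5": "MD5 checksum differs",
               "D": "device number mismatch", "L": "symlink target differs",
               "U": "user ownership differs", "G": "group ownership differs",
               "T": "modification time differs", "?": "test not performed"}

# "S.5....T c /etc/pam.d/login": flags, optional type marker (c = config file), path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGT.?]{8}|missing)\s+(?P<type>[cdglr])?\s*(?P<path>/\S.*)$")

def parse_rpm_verify(output):
    """Decode rpm -V output into findings with a triage severity: a changed
    binary or library (checksum, size, mode, owner) is what a trojaned
    /bin/login or PAM module looks like ("high"); an edited config file is
    "medium" (confirm the edit was yours); a bare mtime change is "low"."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags, path = m.group("flags"), m.group("path")
        is_config = m.group("type") == "c"
        if flags == "missing":
            reasons, severity = ["file missing"], "high"
        else:
            reasons = [RPM_V_FLAGS[ch] for ch in flags if ch != "."]
            content_changed = any(ch in "SM5DLUG" for ch in flags)
            severity = ("high" if content_changed and not is_config
                        else "medium" if content_changed else "low")
        findings.append({"path": path, "config": is_config,
                         "reasons": reasons, "severity": severity})
    return findings

def high_risk_paths(output):
    """Paths whose change cannot be explained as ordinary configuration work."""
    return [f["path"] for f in parse_rpm_verify(output) if f["severity"] == "high"]

# Constructed sample shaped like rpm -V output for the packages the reply names
# (pam, util-linux); it is not output from the poster's machine.
SAMPLE_RPM_V = """\
S.5....T c /etc/pam.d/system-auth
..5....T   /bin/login
.......T   /etc/pam.d/login
missing    /lib/security/pam_ldap.so
"""
```

Feed it the real output of `rpm -V pam util-linux SysVinit` from a rescue shell; a "high" finding on a binary is the point at which the rootkit checks in the reply stop being optional.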
Ran both chkrootkit and rootkit hunter. Hunter found some vulnerabilities but that is all.
Looks like a reinstall at this point. Unless there are any more options?
Is there a way to install over the top of this installation and retain my settings for my major apps such as PHP, mysql (plus databases), samba, apache etc?
Hunter found some vulnerabilities but that is all.
Could you post the message?
Looking back at your original post, were you doing anything that might have mangled the accounts, password files, etc? Do the logs indicate any errors?
You might be able to back up some of the config files as long as the versions are the same, or if the config files haven't changed between versions. Though if you do back up any files for re-use (including any website files), make sure to visually verify that they haven't been altered. Image files should at least be scanned with some kind of AV to make sure they're clean.
I was just going through the log files, in particular the secure.log file, and I think I may have found the problem. (The PC I have Linux installed on also has Windows Server 2003 and Windows XP Pro, so I used a program called Captain Nemo to access the Linux partitions from within WinXP.)
Here is the relevant log file:
Code:
Sep 27 00:29:56 linux1 sshd[3448]: Received signal 15; terminating.
Sep 27 09:19:35 linux1 sshd[3448]: Server listening on 0.0.0.0 port 22.
Sep 27 11:07:37 linux1 sshd[3448]: Received signal 15; terminating.
Sep 27 11:25:26 linux1 sshd[3448]: Server listening on 0.0.0.0 port 22.
Sep 28 01:18:18 linux1 sshd[3448]: Received signal 15; terminating.
Sep 28 09:20:59 linux1 sshd[3449]: Server listening on 0.0.0.0 port 22.
Sep 28 11:33:16 linux1 sshd[3449]: Received signal 15; terminating.
Sep 28 11:34:44 linux1 sshd[3450]: Server listening on 0.0.0.0 port 22.
Sep 28 16:51:05 linux1 sshd[3450]: Received signal 15; terminating.
Sep 28 16:55:08 linux1 sshd[3446]: Server listening on 0.0.0.0 port 22.
Sep 28 17:15:08 linux1 gdm-binary[3714]: pam_smb: Incorrect NT password for username : gytre
Sep 28 17:17:14 linux1 gdm-binary[3714]: pam_smb: Incorrect NT password for username : k
Sep 28 17:17:29 linux1 gdm-binary[3714]: pam_smb: Incorrect NT password for username : alex
Sep 28 17:31:17 linux1 sshd[3446]: Received signal 15; terminating.
Sep 28 17:32:36 linux1 sshd[3355]: Server listening on 0.0.0.0 port 22.
Sep 28 17:32:56 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 28 17:32:56 linux1 login: Authentication service cannot retrieve authentication info.
Sep 28 17:33:19 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 28 17:33:19 linux1 login: Authentication service cannot retrieve authentication info.
Sep 28 17:34:29 linux1 sshd[3355]: Received signal 15; terminating.
Sep 28 17:35:56 linux1 sshd[3458]: Server listening on 0.0.0.0 port 22.
Sep 28 17:37:13 linux1 login: pam_ldap: ldap_search_s No such object
Sep 28 18:03:59 linux1 xinetd[3472]: START: sgi_fam pid=3815 from=<no address>
Sep 28 18:06:50 linux1 sshd[3458]: Received signal 15; terminating.
Sep 28 18:08:17 linux1 sshd[3446]: Server listening on 0.0.0.0 port 22.
Sep 28 19:53:10 linux1 gdm-binary[3714]: pam_smb: Incorrect NT password for username : dale
Sep 28 19:53:37 linux1 last message repeated 2 times
Sep 28 19:53:56 linux1 gdm-binary[3714]: pam_smb: Incorrect NT password for username : herty
Sep 28 19:54:17 linux1 sshd[3446]: Received signal 15; terminating.
Sep 28 20:03:12 linux1 sshd[3460]: Server listening on 0.0.0.0 port 22.
Sep 28 20:03:34 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 28 20:03:34 linux1 login: Authentication service cannot retrieve authentication info.
Sep 28 20:04:20 linux1 sshd[3460]: Received signal 15; terminating.
Sep 28 20:05:53 linux1 sshd[3432]: Server listening on 0.0.0.0 port 22.
Sep 28 20:13:19 linux1 login: pam_ldap: ldap_search_s No such object
Sep 28 22:08:00 linux1 sshd[3432]: Received signal 15; terminating.
Sep 28 22:09:25 linux1 sshd[3446]: Server listening on 0.0.0.0 port 22.
Sep 29 00:16:08 linux1 sshd[3446]: Received signal 15; terminating.
Sep 29 09:01:28 linux1 sshd[3448]: Server listening on 0.0.0.0 port 22.
Sep 29 09:05:58 linux1 sshd[3448]: Received signal 15; terminating.
Sep 29 09:07:24 linux1 sshd[3434]: Server listening on 0.0.0.0 port 22.
Sep 29 09:11:13 linux1 login: pam_ldap: ldap_search_s No such object
Sep 29 09:11:29 linux1 xinetd[3449]: START: sgi_fam pid=3754 from=<no address>
Sep 29 09:30:55 linux1 sshd[3434]: Received signal 15; terminating.
Sep 29 09:32:22 linux1 sshd[3448]: Server listening on 0.0.0.0 port 22.
Sep 29 09:35:28 linux1 sshd[3448]: Received signal 15; terminating.
Sep 29 09:36:54 linux1 sshd[3434]: Server listening on 0.0.0.0 port 22.
Sep 29 09:37:52 linux1 login: pam_ldap: ldap_search_s No such object
Sep 29 09:38:12 linux1 xinetd[3449]: START: sgi_fam pid=3748 from=<no address>
Sep 29 17:34:05 linux1 sshd[3434]: Received signal 15; terminating.
Sep 29 17:35:56 linux1 sshd[3565]: Server listening on 0.0.0.0 port 22.
Sep 29 17:36:27 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:36:27 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:36:51 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:36:51 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:37:04 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:37:04 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:37:10 linux1 login[3843]: pam_smb: Incorrect NT password for username : root
Sep 29 17:37:36 linux1 sshd[3565]: Received signal 15; terminating.
Sep 29 17:51:27 linux1 sshd[3563]: Server listening on 0.0.0.0 port 22.
Sep 29 17:52:01 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:52:01 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:52:09 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:52:09 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:52:22 linux1 login[3840]: pam_smb: Incorrect NT password for username : root
Sep 29 17:52:33 linux1 login[3840]: pam_smb: Incorrect NT password for username : dale
Sep 29 17:52:40 linux1 login[3840]: pam_smb: Incorrect NT password for username :
Sep 29 17:52:44 linux1 login[3840]: pam_smb: Incorrect NT password for username :
Sep 29 17:53:01 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:53:01 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:53:14 linux1 login[3846]: pam_smb: Incorrect NT password for username : ROOT
Sep 29 17:53:40 linux1 login[3848]: pam_smb: Incorrect NT password for username : root
Sep 29 18:16:28 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 18:16:28 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 18:34:59 linux1 sshd[3563]: Received signal 15; terminating.
Sep 29 18:36:48 linux1 sshd[3564]: Server listening on 0.0.0.0 port 22.
Sep 29 21:10:13 linux1 sshd[3564]: Received signal 15; terminating.
Sep 29 21:11:52 linux1 sshd[3564]: Server listening on 0.0.0.0 port 22.
Sep 29 21:14:30 linux1 sshd[3564]: Received signal 15; terminating.
Sep 29 21:16:15 linux1 sshd[3564]: Server listening on 0.0.0.0 port 22.
Sep 29 21:19:44 linux1 sshd[3564]: Received signal 15; terminating.
Sep 29 21:22:30 linux1 sshd[3563]: Server listening on 0.0.0.0 port 22.
Sep 29 22:34:44 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 22:34:44 linux1 login: Authentication service cannot retrieve authentication info.
Sep 30 00:42:41 linux1 sshd[3563]: Received signal 15; terminating.
I am suspicious of the
Code:
pam_ldap: ldap_simple_bind Can't contact LDAP server
as I am not running an LDAP server as far as I am aware.
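Working through the same kind of log, here is an added Python triage script (not from this thread) that pairs each "Authentication service cannot retrieve authentication info." line with the pam_ldap bind failure logged by the same program in the same second, and tallies the pam_smb "Incorrect NT password" entries per user, so the two possible causes of "authentication failed" can be told apart. The sample lines are taken from the log excerpt posted above; the function and key names are my own.

```python
import re
from collections import Counter

# One /var/log/secure line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
LDAP_DOWN = "pam_ldap: ldap_simple_bind Can't contact LDAP server"
AUTH_UNAVAIL = "Authentication service cannot retrieve authentication info."
NT_PW_RE = re.compile(r"pam_smb: Incorrect NT password for username :\s*(?P<user>\S*)")

def parse_secure_log(text):
    """Split log text into dicts (ts, host, prog, pid, msg); other lines are dropped."""
    return [m.groupdict() for m in map(SYSLOG_RE.match, text.splitlines()) if m]

def triage(text):
    """Count events that separate an unreachable pam_ldap server from plain wrong passwords."""
    s = {"ldap_unreachable": 0, "auth_unavail_after_ldap": 0,
         "auth_unavail_unexplained": 0, "nt_password_failures": Counter()}
    prev = None
    for ev in parse_secure_log(text):
        msg = ev["msg"]
        if msg.startswith(LDAP_DOWN):
            s["ldap_unreachable"] += 1
        elif msg == AUTH_UNAVAIL:
            # PAM gave up before any password was checked. When the preceding line is
            # the LDAP bind failure from the same program in the same second, the
            # unreachable LDAP module in the PAM stack is the cause.
            same = (prev is not None and prev["msg"].startswith(LDAP_DOWN)
                    and (prev["ts"], prev["prog"]) == (ev["ts"], ev["prog"]))
            s["auth_unavail_after_ldap" if same else "auth_unavail_unexplained"] += 1
        else:
            m = NT_PW_RE.search(msg)
            if m:  # an empty username is logged too; keep it visible
                s["nt_password_failures"][m.group("user") or "<empty>"] += 1
        prev = ev
    return s

def verdict(s):
    """Plain-language reading of the triage counts."""
    if s["ldap_unreachable"] and not s["auth_unavail_unexplained"]:
        return "pam_ldap configured but no LDAP server reachable: fix the PAM stack"
    return "only password failures seen: check the accounts involved"

# Lines taken from the log excerpt posted above (not a full log).
SAMPLE_SECURE_LOG = """\
Sep 29 17:36:27 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:36:27 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:36:51 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:36:51 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:37:10 linux1 login[3843]: pam_smb: Incorrect NT password for username : root
"""
```

Run `verdict(triage(open("/var/log/secure").read()))` against the real file; the "unexplained" counter staying at zero is what tells you the account lockout is a configuration fault rather than a run of bad passwords.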
You might want to try commenting out any of the pam_ldap entries in the /etc/pam.d/login and /etc/pam.d/system-auth files. You can also try adding authinfo_unavail=ignore to the account entry of the system-auth files as well. If that doesn't work, post the contents of those 2 files. The ssh message is normal.
Last edited by Capt_Caveman; 09-30-2004 at 08:31 AM.
I'd comment them out completely and if that doesn't work, then try adding the "authinfo_unavail=ignore" to the account entry inside the brackets, like:
After adding the "authinfo_unavail=ignore" to the specified line.
You saved my bacon!!
I will now look at following some of the advice listed from your footer link "Security References & HOWTOs". Some interesting and probably essential reading to be done. Your help has enabled me to learn more about my system, thanks.
I will have a look at the updates for my packages from now on.