Solved

Login Issues

Posted on 2002-04-01
Last Modified: 2013-12-16
I am running Red Hat 7.2 (Enigma), kernel 2.4.7-10, on an i686 Dell PowerEdge.  Everything was working fine: I could boot up to a command prompt and log in there, and telnet was fine.  Now I am having problems.  When I boot up to a command prompt, if I type a username and press enter it just asks again and again.  If I telnet in, I get the banner but no login prompt.  I changed my init file to boot into X Windows and I am fine there - but what on earth has happened??  I am very new at Linux.  Thanks for your time!
0
Question by:coreyuf
18 Comments
 
LVL 40

Expert Comment

by:jlevie
Something to do with authentication methods isn't quite right. What are the contents of /etc/sysconfig/authconfig, /etc/nsswitch.conf, /etc/pam.d/login, and /etc/pam.d/passwd?
0
 

Author Comment

by:coreyuf
Here are the contents:


authconfig:
USEHESIOD=no
USELDAP=no
USEMD5=yes
USENIS=no
USEKERBEROS=no
USELDAPAUTH=no
USESHADOW=yes
USESMBAUTH=no



nsswitch.conf
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files nisplus
shadow:     files nisplus
group:      files nisplus

#hosts:     db files nisplus nis dns
hosts:      files nisplus dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files nisplus
rpc:        files
services:   files nisplus

netgroup:   files nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus


/etc/pam.d/login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so


/etc/pam.d/passwd
%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth

Does this help?
0
 
LVL 40

Expert Comment

by:jlevie
I can see from the above that authentication is properly configured, so something else is going on.

Does this failure occur for all users, including root?

Has anything on the system been changed recently, like up2date being used, software installed, etc?

What do you see if you do 'ls -l /bin/login'?
0
 

Author Comment

by:coreyuf
The strange thing is that if I use the program SecureCRT from inside my network using ssh1 on port 22, I can connect.  If I boot direct to a command prompt it won't let me log in: no matter what I type for the username, it just gives me another username prompt (not even a password prompt comes up).  If I telnet in, it hangs on the banner.

Here's what comes up for /bin/login:

[root@WEBSERV root]# ls -l /bin/login
-rwxr-xr-x   1 root     root        12692 Jan  3 10:33 /bin/login
[root@WEBSERV root]#

Thanks for your help.
0
 
LVL 40

Expert Comment

by:jlevie
I hate to say this, but I suspect that your system has been cracked. The file size and date for the login executable look wrong. On every 7.2 box that I have I get:

wilowisp> ls -l /bin/login
-rwxr-xr-x    1 root     root        18572 Dec  4 17:55 /bin/login*

I suspect that someone has broken in and installed a root kit and possibly botched the installation. If you run 'rpm -Va' I suspect that you'll find that a number of things show up with the wrong size and file mode and probably the wrong checksum.

FYI: The reason that the GUI login and ssh logins work and local console and telnet don't is that the former don't use login for authentication. The X session manager and ssh go directly to pam to authenticate the user.
0
 
LVL 51

Expert Comment

by:ahoffmann
nice info: "FYI: The reason that the GUI login and ssh ..."
Thanks.
0
 

Author Comment

by:coreyuf
It was shipped to me two weeks ago - do you think that it could have happened in that time?  Maybe Dell botched the installation?  The only thing I've installed is ColdFusion server, which crashed twice and I reinstalled.  Here's what I see when I run rpm -Va.

Thanks again for your help.  


rpm -Va
.......T   /etc/X11/applnk/Documentation/Linux Community/howto.desktop
..5....T c /etc/mime.types
S.5....T c /etc/printcap
..?..... c /etc/securetty
..?.....   /usr/bin/sperl5.6.0
..?.....   /usr/bin/suidperl
..?.....   /usr/sbin/tcpd
S.5.....   /usr/bin/killall
S.5.....   /usr/bin/pstree
.M......   /dev/shm
......G.   /dev/tty0
.M....G.   /dev/tty1
.M....G.   /dev/tty2
.M....G.   /dev/tty3
.M....G.   /dev/tty4
.M....G.   /dev/tty5
.M....G.   /dev/tty6
......G.   /dev/tty7
......G.   /dev/tty8
S.5....T c /etc/pam.d/system-auth
..?.....   /lib/security/pam_filter/upperLOWER
S.5....T   /usr/share/kudzu/pcitable
SM5....T c /etc/httpd/conf/httpd.conf
..?.....   /usr/sbin/suexec
.M...UG.   /var/www/html
SM5..UGT c /var/www/html/index.html
.M......   /var/www/html/poweredby.png
S.5....T c /etc/mail/statistics
..?.....   /usr/sbin/stunnel
..?.....   /usr/bin/gataxx
..?.....   /usr/bin/glines
..?.....   /usr/bin/gnibbles
..?.....   /usr/bin/gnobots2
..?.....   /usr/bin/gnome-stones
..?.....   /usr/bin/gnomine
..?.....   /usr/bin/gnotravex
..?.....   /usr/bin/gnotski
..?.....   /usr/bin/gtali
..?.....   /usr/bin/iagno
..?.....   /usr/bin/mahjongg
..?.....   /usr/bin/same-gnome
.M......   /dev/shm
S.5....T   /lib/modules/2.4.7-10/kernel/drivers/net/e100.o
S.5....T   /lib/modules/2.4.7-10/kernel/drivers/net/e1000.o
S.5....T   /boot/kernel.h-2.4.7
Unsatisfied dependencies for e1000-3.1.22-1: linuxconf
..?.....   /usr/sbin/userhelper
S.5....T   /usr/share/serviceconf/CheckList.pyc
S.5....T   /usr/share/serviceconf/servicemethods.pyc
S.5....T   /usr/share/serviceconf/translate.pyc
..?..... c /etc/ftpaccess
..?..... c /etc/ftpconversions
..?..... c /etc/ftpgroups
..?..... c /etc/ftphosts
S.?....T c /etc/ftpusers
S.5....T c /etc/xinetd.d/wu-ftpd
.......T   /etc/X11/applnk/Documentation/Linux Community/howto.desktop
.......T   /etc/X11/applnk/Documentation/Linux Community/howto.desktop
.M.....T   /usr/share/icons/locolor/16x16/apps/ktimemon.png
.M.....T   /usr/share/icons/locolor/32x32/apps/ktimemon.png
......G. c /etc/dumpdates
..?.....   /usr/sbin/glibc_post_upgrade
..?.....   /usr/bin/finger
S.5.....   /bin/netstat
S.5.....   /sbin/ifconfig
..?..... c /etc/default/useradd
S.5....T c /etc/termcap
..?..... c /etc/at.deny
missing    /var/spool/at/.SEQ
missing    /var/spool/at/spool
..?..... c /etc/ntp/keys
S.5.....   /bin/ps
S.5.....   /usr/bin/top
..?.....   /usr/bin/passwd
S.5....T c /usr/share/a2ps/afm/fonts.map
S.5....T c /etc/krb.conf
missing    /etc/httpd/conf/ssl.crl/Makefile.crl
missing    /etc/httpd/conf/ssl.crt/Makefile.crt
missing    /etc/httpd/conf/ssl.crt/ca-bundle.crt
missing    /etc/httpd/conf/ssl.crt/snakeoil-ca-dsa.crt
missing    /etc/httpd/conf/ssl.crt/snakeoil-ca-rsa.crt
missing    /etc/httpd/conf/ssl.crt/snakeoil-dsa.crt
missing    /etc/httpd/conf/ssl.crt/snakeoil-rsa.crt
missing    /etc/httpd/conf/ssl.key/snakeoil-ca-dsa.key
missing    /etc/httpd/conf/ssl.key/snakeoil-ca-rsa.key
missing    /etc/httpd/conf/ssl.key/snakeoil-dsa.key
missing    /etc/httpd/conf/ssl.key/snakeoil-rsa.key
missing    /etc/httpd/conf/ssl.prm/snakeoil-ca-dsa.prm
missing    /etc/httpd/conf/ssl.prm/snakeoil-dsa.prm
missing    /var/cache/ssl_gcache_data.dir
missing    /var/cache/ssl_gcache_data.pag
missing    /var/cache/ssl_gcache_data.sem
.M......   /var/www/html/manual/mod/mod_ssl/apache_pb.gif
.M......   /var/www/html/manual/mod/mod_ssl/feather.jpg
.M......   /var/www/html/manual/mod/mod_ssl/index.html
.M......   /var/www/html/manual/mod/mod_ssl/mod_ssl_sb.gif
.M......   /var/www/html/manual/mod/mod_ssl/openssl_ics.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_compat.gfont000.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_compat.html
.M......   /var/www/html/manual/mod/mod_ssl/ssl_cover_logo.jpg
.M......   /var/www/html/manual/mod/mod_ssl/ssl_cover_title.jpg
.M......   /var/www/html/manual/mod/mod_ssl/ssl_faq.gfont000.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_faq.html
.M......   /var/www/html/manual/mod/mod_ssl/ssl_glossary.html
.M......   /var/www/html/manual/mod/mod_ssl/ssl_howto.gfont000.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_howto.html
.M......   /var/www/html/manual/mod/mod_ssl/ssl_intro.gfont000.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_intro.html
.M......   /var/www/html/manual/mod/mod_ssl/ssl_intro_fig1.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_intro_fig2.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_intro_fig3.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_overview.gfont000.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_overview.html
.M......   /var/www/html/manual/mod/mod_ssl/ssl_overview_fig1.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_reference.gfont000.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_reference.html
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.head-chapter.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.head-num-1.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.head-num-2.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.head-num-3.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.head-num-4.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.head-num-5.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.head-num-6.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.head-num-7.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.imgdot-1x1-000000.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.imgdot-1x1-transp.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.navbut-next-n.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.navbut-next-s.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.navbut-prev-n.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.navbut-prev-s.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.title-abstract.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.title-compat.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.title-faq.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.title-gloss.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.title-howto.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.title-intro.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.title-over.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.title-preface.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.title-ref.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.title-toc.gif
.M......   /var/www/html/manual/mod/mod_ssl/ssl_template.title-tutor.gif
S.5....T c /etc/openldap/ldap.conf
S.5....T c /etc/ldap.conf
..?.....   /usr/bin/sudo
..?..... c /etc/ppp/peers/wvdial
S.5....T   /usr/lib/mozilla/chrome/installed-chrome.txt
S.5....T c /etc/php.ini
S.5....T c /etc/rc.d/init.d/reconfig
.......T   /bin/arch
.......T   /bin/dmesg
.......T   /bin/kill
S.5....T   /bin/login
..?.....   /usr/bin/chfn
..?.....   /usr/bin/chsh
..?.....   /usr/bin/newgrp
..?..... c /var/lib/amanda/.amandahosts
S.?..... c /etc/rndc.conf
S.?..... c /etc/rndc.key
..?.....   /sbin/ipppd
..?..... c /etc/ssh/primes
..?..... c /etc/pam.d/sshd
..?..... c /etc/ssh/sshd_config
S.?....T c /etc/alchemist/namespace/apache/local.adl
..?..... c /etc/alchemist/namespace/apache/rpm.adl
..?..... c /etc/alchemist/switchboard/apache.switchboard.adl
S.5....T   /usr/share/AbiSuite/fonts/fonts.dir
.M...... c /etc/X11/XF86Config-4
..?.....   /usr/X11R6/bin/XFree86
..?.....   /usr/X11R6/bin/Xwrapper
SM5....T   /usr/X11R6/lib/X11/fonts/Speedo/encodings.dir
SM5....T   /usr/X11R6/lib/X11/fonts/Type1/encodings.dir
SM5....T c /usr/X11R6/lib/X11/fonts/100dpi/encodings.dir
S.5....T c /etc/xinetd.d/telnet
md5sum: /var/ftp/bin/*: No such file or directory
grep: /var/ftp/bin/bin.md5: Permission denied
5.......   /var/ftp/bin/*
grep: /var/ftp/lib/libs.md5: Permission denied
5.......   /var/ftp/lib/libc-2.2.4.so
grep: /var/ftp/lib/libs.md5: Permission denied
5.......   /var/ftp/lib/libnsl-2.2.4.so
grep: /var/ftp/lib/libs.md5: Permission denied
5.......   /var/ftp/lib/libnss_files-2.2.4.so
grep: /var/ftp/lib/libs.md5: Permission denied
5.......   /var/ftp/lib/libtermcap.so.2.0.8
S.5....T c /root/.gnome/Background
.......T c /root/.kde/share/config/desktop0rc
.......T c /root/.kde/share/config/desktop1rc
.......T c /root/.kde/share/config/desktop2rc
.......T c /root/.kde/share/config/desktop3rc
.......T c /root/Desktop/www.dell.com.kdelnk
.......T   /usr/share/apps/kfind/icons/locolor/22x22/actions/archive.png
.......T   /usr/share/apps/kfind/icons/locolor/22x22/actions/delete.png
.......T   /usr/share/apps/kfind/icons/locolor/22x22/actions/idea.png
.......T   /usr/share/apps/kfind/icons/locolor/22x22/actions/info.png
.......T   /usr/share/apps/kfind/icons/locolor/22x22/actions/openfile.png
.......T   /usr/share/apps/kfind/icons/locolor/22x22/actions/save.png
.......T   /usr/share/apps/kfind/icons/locolor/22x22/actions/search.png
.......T c /etc/yp.conf
..?.....   /usr/libexec/pt_chown
.......T   /etc/X11/applnk/Documentation/Linux Community/howto.desktop
..?.....   /etc/X11/applnk/System/setuptool.desktop
S.5....T c /etc/crontab
S.5.....   /bin/ls
S.5.....   /usr/bin/dir
S.5.....   /usr/bin/du
S.5.....   /usr/bin/vdir
..?..... c /etc/mgetty+sendfax/dialin.config
..?..... c /etc/mgetty+sendfax/login.config
..?..... c /etc/mgetty+sendfax/mgetty.config
..?.....   /sbin/mgetty
..?.....   /usr/sbin/callback
S.?....T c /etc/ppp/chap-secrets
S.?....T c /etc/ppp/pap-secrets
.......T c /etc/krb5.conf
.M......   /var/www/html/manual/mod/mod_perl.html
.M......   /var/www/html/manual/mod/mod_perl/mod_perl_api.html
.M......   /var/www/html/manual/mod/mod_perl/mod_perl_cgi.html
.M......   /var/www/html/manual/mod/mod_perl/mod_perl_faq.html
.M......   /var/www/html/mrtg/cfgmaker.html
.M......   /var/www/html/mrtg/contrib.html
.M......   /var/www/html/mrtg/faq.html
.M......   /var/www/html/mrtg/forum.html
.M......   /var/www/html/mrtg/index.html
.M......   /var/www/html/mrtg/indexmaker.html
.M......   /var/www/html/mrtg/logfile.html
.M......   /var/www/html/mrtg/mibhelp.html
.M......   /var/www/html/mrtg/mrtg-l.png
.M......   /var/www/html/mrtg/mrtg-m.png
.M......   /var/www/html/mrtg/mrtg-r.png
.M......   /var/www/html/mrtg/mrtg-rrd.html
.M......   /var/www/html/mrtg/mrtg-ti.png
.M......   /var/www/html/mrtg/mrtg.html
.M......   /var/www/html/mrtg/nt-guide.html
.M......   /var/www/html/mrtg/reference.html
.M......   /var/www/html/mrtg/squid.html
.M......   /var/www/html/mrtg/unix-guide.html
.M......   /var/www/html/mrtg/webserver.html
..5....T c /etc/inittab
S.5....T c /etc/rc.d/rc.sysinit
S.5....T c /usr/share/pci.ids
..?..... c /etc/alchemist/namespace/dns/local.adl
..?..... c /etc/alchemist/switchboard/dns.switchboard.adl
S.5....T   /usr/share/bindconf/FwdZone.pyc
S.5....T   /usr/share/bindconf/dnsdata.pyc
S.5....T   /usr/share/bindconf/dnsdata_base.pyc
.M......   /var/www/html/usage/msfree.png
.M......   /var/www/html/usage/webalizer.png
SM5....T c /usr/X11R6/lib/X11/fonts/75dpi/encodings.dir
..?.....   /usr/sbin/in.fingerd
S.5....T c /etc/xinetd.d/talk
..?.....   /usr/sbin/in.ntalkd
.......T c /etc/X11/xdm/Xsetup_0
0
 
LVL 40

Expert Comment

by:jlevie
That tends to support my contention that the box has been cracked. Several very important things, ps, top, ls, dir, df, du, & login all show different file sizes (S) and the wrong MD5 checksum (5). Under normal operation there's no reason for those files to be different from what is in the rpm database. But, those files, and others, are always changed when a cracker installs a root kit. In this case I suspect that some script kiddie has used the wrong root kit or otherwise botched the installation. Normally the replaced files appear to work normally but aren't in fact doing what you'd think they should. The purpose of a root kit is to build in a back door for the attacker and to hide his/her activities, hence the changed files. And some root kits also watch for and capture username/passwords.

Yes, the attack could have easily occurred since the machine was delivered. It only takes a few minutes to crack a vulnerable system and install a root kit. The only sane thing to do at this point is to disconnect the system from the Internet, back up your data, and reinstall from CD. Then apply all applicable 7.2 updates and harden the system before restoring your data and re-connecting the box to the Internet. We don't know how the system was cracked, but the updates are extremely important to close security holes.

At the minimum I'd disable all non-essential services (telnet, rsh, rlogin, ftp, etc.) and use ssh instead. If you really have to have an FTP server I'd remove wu-ftp (the default) and replace it with ProFTP or NcFTP. I'd also, as soon as I had the system configured, configure tripwire to watch for intrusion attempts.
0
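jlevie's reading of the rpm -Va flags, turned into a small triage script as an added example (this is not code from the thread, from Red Hat, or from rpm itself): an 'S' (size) or '5' (MD5) flag on a non-config executable under /bin, /sbin, /usr/bin or /usr/sbin is treated as a replaced binary, while the same flags on a 'c' config file are left alone. The severity levels and the ROOTKIT_TARGETS list are this example's own assumptions; the sample lines are taken from the rpm -Va listing coreyuf posted above.

```python
"""Triage of `rpm -Va` output for replaced system binaries.

Added example, not code from the thread or from Red Hat. It applies the
reading given in the thread: an 'S' (size) or '5' (MD5) flag on a
non-config executable under /bin, /sbin, /usr/bin or /usr/sbin has no
innocent explanation on an unmodified box, while the same flags on a
'c' config file are routine. The severity levels and the target list
below are this example's own convention (assumption, not rpm's).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# rpm 4.0 verify line: eight flag columns, optional attribute char, path.
# Column order: S size, M mode, 5 MD5, D device, L link, U user, G group,
# T mtime. '.' means the test passed, '?' means it could not be performed.
VERIFY_RE = re.compile(r"^([SM5DLUGT.?]{8})\s+(?:([cdglr])\s+)?(/\S.*)$")
MISSING_RE = re.compile(r"^missing\s+(/\S.*)$")

SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
# Binaries rootkits classically replace to hide processes, files, sockets
# and logins: the ones named in the thread plus a few common companions.
ROOTKIT_TARGETS = {"ps", "top", "ls", "dir", "vdir", "df", "du", "login",
                   "netstat", "ifconfig", "killall", "pstree", "find",
                   "syslogd"}


@dataclass
class Finding:
    path: str
    flags: str
    severity: str  # "high", "medium" or "low"
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Classify one `rpm -Va` line; None means nothing worth triaging."""
    m = MISSING_RE.match(line)
    if m:
        return Finding(m.group(1), "missing", "low", "file missing")
    m = VERIFY_RE.match(line)
    if not m:
        return None  # %verifyscript chatter, dependency notes, etc.
    flags, attr, path = m.groups()
    is_config = attr == "c"
    in_sys_bin = path.startswith(SYSTEM_BIN_DIRS)
    content_changed = "S" in flags or "5" in flags
    if content_changed and in_sys_bin and not is_config:
        name = path.rsplit("/", 1)[1]
        sev = "high" if name in ROOTKIT_TARGETS else "medium"
        return Finding(path, flags, sev, "executable differs from package")
    if "?" in flags and in_sys_bin:
        # The MD5 test was skipped, so the binary is unverified, not cleared.
        return Finding(path, flags, "medium", "executable could not be verified")
    if content_changed and not is_config:
        return Finding(path, flags, "low", "non-config file differs from package")
    # Config edits and mode/owner/mtime-only changes are expected on a live box.
    return None


def triage(output: str) -> Dict[str, List[Finding]]:
    """Group all findings from a full `rpm -Va` capture by severity."""
    buckets: Dict[str, List[Finding]] = {"high": [], "medium": [], "low": []}
    for line in output.splitlines():
        f = classify(line)
        if f:
            buckets[f.severity].append(f)
    return buckets


# Constructed sample: a subset of the lines from the thread's rpm -Va run.
SAMPLE_RPM_VA = """\
..5....T c /etc/mime.types
S.5....T c /etc/printcap
..?.....   /usr/bin/suidperl
S.5.....   /usr/bin/killall
.M....G.   /dev/tty1
SM5....T c /etc/httpd/conf/httpd.conf
Unsatisfied dependencies for e1000-3.1.22-1: linuxconf
missing    /var/spool/at/.SEQ
S.5.....   /bin/netstat
S.5.....   /sbin/ifconfig
S.5.....   /bin/ps
S.5.....   /usr/bin/top
..?.....   /usr/bin/passwd
S.5....T   /bin/login
grep: /var/ftp/lib/libs.md5: Permission denied
5.......   /var/ftp/lib/libc-2.2.4.so
S.5.....   /bin/ls
S.5....T   /usr/share/pci.ids
"""

if __name__ == "__main__":
    for sev, findings in triage(SAMPLE_RPM_VA).items():
        print(f"[{sev}] {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.flags:8} {f.path}  ({f.reason})")
```

On the listing above this puts ps, top, ls, netstat, ifconfig, killall and login in the high bucket; remember that the script itself runs on the suspect box's rpm database and tools, so its output is only as trustworthy as they are.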
 
LVL 51

Expert Comment

by:ahoffmann
To complete jlevie's comments, have a look at http://www.chkrootkit.org/ for chkrootkit. It's a simple and fast tool to check for rootkits (just these, but much faster than tripwire).
0
 

Author Comment

by:coreyuf
Ok I ran chkrootkit - here's what it came up with:

[root@WEBSERV chkrootkit-0.35]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... ./chkrootkit: /bin/ps: No such file or directory
not infected
Checking `inetdconf'... not found
Checking `identd'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... INFECTED
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... INFECTED
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... ./chkrootkit: /bin/ps: No such file or directory
not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... ./chkrootkit: /bin/ps: No such file or directory
not infected
Checking `top'... INFECTED
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `aliens'...
/dev/caca /dev/dsx
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/File/MMagic/.packlist /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/NKF/.packlist /usr/lib/perl5/5.6.0/i386-linux/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... ./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
not infected
Checking `lkm'... not tested: can't exec ./chkproc
Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `z2'... not tested: can't exec ./chklastlog


I am assuming the INFECTED statements confirm a security breach.  UGH!  Is this a common occurrence in Red Hat Operating Systems?  As mentioned, this is a very new server.  I can switch to an NT server OS pretty easily - I am no Linux expert and I am thinking that I got in over my head trying to administer one.  I have a lot of experience with Unix and thought it would be similar.  What would you recommend?  Thanks a million for all your help!!
0
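The report above is long, and the lines that matter (four INFECTED binaries, the two device nodes listed under `aliens`, and the checks chkrootkit could not complete) are scattered through it. The following added example, not part of any poster's comment or of chkrootkit itself, parses chkrootkit's output format and sorts it into those buckets. The `SAMPLE_REPORT` is a trimmed excerpt of the output posted above, kept as a constructed sample so the script runs offline. Note that lines such as `./chkrootkit: /bin/ps: No such file or directory` mean chkrootkit could not run a helper on this host, so the "not infected" that follows them is treated as "tool error", not as a clean result.

```python
"""Triage a chkrootkit report: pull out what is INFECTED, what chkrootkit
could not test, and what the 'aliens' check turned up."""
import re
from dataclasses import dataclass, field
from typing import List

# Excerpt of the chkrootkit 0.35 output posted above, trimmed to the lines
# that change the verdict (constructed sample for this example).
SAMPLE_REPORT = """\
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... ./chkrootkit: /bin/ps: No such file or directory
not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `netstat'... INFECTED
Checking `pop3'... not found
Checking `ps'... INFECTED
Checking `top'... INFECTED
Checking `aliens'...
/dev/caca /dev/dsx
Searching for t0rn's default files and dirs... nothing found
Checking `bindshell'... ./chkrootkit: /bin/netstat: No such file or directory
./chkrootkit: /bin/netstat: No such file or directory
not infected
Checking `lkm'... not tested: can't exec ./chkproc
Checking `sniffer'... not tested: can't exec ./ifpromisc
"""

# One "Checking `name'... verdict" line; the verdict may be empty when the
# result is printed on the following line(s), as with `aliens'.
CHECK_RE = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\.\s*(?P<rest>.*)$")


@dataclass
class Findings:
    infected: List[str] = field(default_factory=list)
    not_tested: List[str] = field(default_factory=list)
    tool_errors: List[str] = field(default_factory=list)
    aliens: List[str] = field(default_factory=list)


def parse_chkrootkit(report: str) -> Findings:
    f = Findings()
    lines = report.splitlines()
    i = 0
    while i < len(lines):
        m = CHECK_RE.match(lines[i])
        i += 1
        if not m:
            # continuation lines ("not infected" after an error) and the
            # "Searching for ..." lines carry no verdict of their own
            continue
        name, rest = m.group("name"), m.group("rest").strip()
        if name == "aliens":
            # the aliens result is printed on the following line(s)
            while i < len(lines) and not lines[i].startswith(("Checking", "Searching")):
                f.aliens.extend(lines[i].split())
                i += 1
        elif rest == "INFECTED":
            f.infected.append(name)
        elif "not tested" in rest:
            f.not_tested.append(name)
        elif "No such file or directory" in rest:
            # chkrootkit could not run a helper binary on this host, so the
            # "not infected" printed afterwards is not a reliable verdict
            f.tool_errors.append(name)
    return f


def assess(f: Findings) -> str:
    """Overall verdict: anything INFECTED or any alien device node means the
    host should be treated as compromised; missing tests only mean the run
    is incomplete and should be repeated from trusted media."""
    if f.infected or f.aliens:
        return "compromised"
    if f.not_tested or f.tool_errors:
        return "inconclusive"
    return "clean"


if __name__ == "__main__":
    findings = parse_chkrootkit(SAMPLE_REPORT)
    print("verdict:", assess(findings))
    for label, items in vars(findings).items():
        if items:
            print(f"{label:12s} {' '.join(items)}")
```

Run against the sample it reports `compromised`, with `ifconfig netstat ps top` infected, `/dev/caca /dev/dsx` as aliens, `ldsopreload lkm sniffer` untested and `inetd bindshell` unable to run. Feeding it the full output above gives the same four infected binaries.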
 
LVL 51

Expert Comment

by:ahoffmann
Hmm, sounds like chkrootkit proves what jlevie assumed.

You may get rid of the rootkit with a fresh install.
If you're wary about installing from scratch, which is the safest way, you may try to copy all (meaning ALL, infected or not) the files listed by chkrootkit from a safe medium. Keep in mind that you must use a reliable instance of the copy program too. Then you also need to check your config files (which? depends on your system, at least /etc/inetd.conf) for unexpected modifications, and for scripts started at boot.

Better you go with an install.
0
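jlevie's recommendation above to configure tripwire, and ahoffmann's advice to check config files and boot scripts for unexpected modifications, both come down to the same mechanism: record the state of the files you care about while the system is known good, and compare against it later. The following is an added example, not code from any poster and not tripwire's own implementation, showing that mechanism in Python: a manifest of sha256, mode and size per file, built once and compared against a fresh scan. The tree it scans (`bin/ps`, `bin/netstat`, `etc/inetd.conf`, `dev/caca`) is constructed in a temporary directory to mirror the names in the report above.

```python
"""File-integrity baseline and comparison: the mechanism tripwire provides,
reduced to a hash manifest. Added example; not tripwire's own code."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, watch: List[str]) -> Dict[str, dict]:
    """Hash, mode and size of every regular file under the watched
    directories, keyed by path relative to root so the manifest is portable."""
    manifest = {}
    for rel in watch:
        for p in sorted((root / rel).rglob("*")):
            if p.is_file() and not p.is_symlink():
                st = p.lstat()
                manifest[p.relative_to(root).as_posix()] = {
                    "sha256": _sha256(p),
                    "mode": stat.S_IMODE(st.st_mode),
                    "size": st.st_size,
                }
    return manifest


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Files whose recorded attributes changed, appeared, or disappeared."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: baseline a tiny fake tree, then
    replace ps, alter inetd.conf, delete netstat and drop a device-node
    name taken from the chkrootkit report above."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "bin/ps": b"#!/bin/sh\necho genuine ps\n",
            "bin/netstat": b"#!/bin/sh\necho genuine netstat\n",
            "etc/inetd.conf": b"# inetd.conf (constructed)\n",
        }
        for rel, content in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        (root / "dev").mkdir()
        watch = ["bin", "etc", "dev"]

        # The baseline is only meaningful if taken while the system is known
        # good and kept off the host (read-only media); JSON stands in here.
        saved = json.dumps(build_baseline(root, watch))

        # Simulated tampering after the baseline was taken
        (root / "bin/ps").write_bytes(b"#!/bin/sh\necho replaced ps\n")
        (root / "etc/inetd.conf").write_bytes(b"# inetd.conf (constructed)\n# extra line\n")
        (root / "bin/netstat").unlink()
        (root / "dev/caca").write_bytes(b"")

        return compare(json.loads(saved), build_baseline(root, watch))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}", ", ".join(paths) or "-")
```

The comparison reports `bin/ps` and `etc/inetd.conf` as modified, `dev/caca` as added and `bin/netstat` as removed. The caveat is the one the posters imply: a baseline taken on this already-cracked box only shows what changes from today onward, which is why the reinstall comes first and the baseline is taken before the machine sees the Internet again.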
 
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
Yep, it's been cracked.

And no, it's not a normal occurrence if the system is set up and maintained properly. My guess would be that the system was cracked via one of the "well known vulnerabilities" that existed in some component of the base 7.2 installation or as a result of less than optimal system configuration. Of course at this point it is just a guess as to how the attacker got in.

Remember that any OS can have vulnerable components. In the case of 7.2 there were several components that could/would have been loaded when the OS installed that were found to be vulnerable after the CDs were mastered. Fixes for all known vulnerabilities are available from RedHat in the errata for 7.2 (and all other versions). That's why it's important to apply all applicable updates to the OS, just like applying the service packs and security updates to a Windows box. RedHat makes it pretty easy to keep a system up to date via up2date. Or you can manually accomplish the same thing by downloading the errata and applying them. I have to use the latter method because I've got a number of systems that aren't allowed to ever connect to the Internet. And because I have to do it for some I use that method for all.

Now, I'm not trying to start a religious war, but I've found Linux to be a more secure OS than Windows if the sysadmin does his job right. Vulnerabilities in Linux tend, for the most part, to be found and fixed before attackers discover how to use them. I think most of that is due to the fact that the sources are freely available for examination. In contrast, quite a number of Windows security problems are only found after crackers have started exploiting them.

Before I place a new system in production, or allow it to see the Internet, I'll harden the box by disabling unneeded or insecure services and I'll apply a current set of errata. I've been managing RedHat servers for a long time and so far no server, RedHat, Solaris, or Irix, that I've managed has ever been cracked. According to my intrusion detection systems there have been lots of attempts, but no successes. So it can be done.
0
 
LVL 3

Expert Comment

by:hnminh
Did you check the /etc/pwdb.conf file? The content should be something like:

#================================
user:
        unix+shadow
        nis+unix+shadow

group:
        unix+shadow
        nis+unix+shadow
#================================

0
 

Expert Comment

by:CleanupPing
coreyuf:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 1

Expert Comment

by:drewber
This question has been classified abandoned. I will make a recommendation to the moderators on its resolution in a week or two. I appreciate any comments that would help me to make a recommendation.
 

Unless it is clear to me that the question has been answered I will recommend delete. It is possible that a Grade less than A will be given if no expert makes a case for an A grade. It is assumed that any participant not responding to this request is no longer interested in its final disposition.

 
If the user does not know how to close the question, the options are here:
http://www.experts-exchange.com/help/closing.jsp
 
drewber
0
