Root password, rooted box

Post #111,601 by kmself 7/26/03 9:33:24 PM Reply	Root password, rooted box Glen: try a meaningful subject line. \r\n\r\n [link\|http://z.iwethey.org/forums/render/content/show?contentid=100252\|As I said] the last time someone asked this question, this is a FAQ, you can Google the answer readily, and the question is answered, under the subject "root password recovery", here. Short answer: boot single, or with a shell as your init. \r\n\r\n Answering the other part of your question, as Rick suggests, performing forensics from a potentially compromised system is a rather charming exercise in misplaced trust. I'd strongly recommend keeping a bootable disk (viz: Knoppix, lnx-bbc) around for just this purpose, though a known-good `sash` shell may be useful. Simply changing your passwords won't do much good if the hole's still there. \r\n\r\n Debian does provide a tool to look for rootkit residues, called `chkrootkit`. I'd recommend installing it and running it daily or better. \r\n\r\n Rick can probably give (or point to) better resources on post-crack (or suspected hack) cleanup. I thought there was a HOWTO/Mini-HOWTO on the topic but cannot find one presently (searches are slow over a currently slammed 56k dialup). I can, however, think of [link\|http://twiki.iwethey.org/\|a good place to put info]. Installing from known good backups, or reinstalling all packages (and wiping any odd binaries) is strongly recommended. I'm currently doing (among other things) a reinstall of packages to ensure that any cruftiness left over from an unintentional wipe of my root partition is cleaned up. Under Debian: `apt-get install -du --reinstall $( dpkg -S /etc )` is a first-pass approximation. Some incompatibilities and deadlocks force an incremental approach. \r\n --\r\n Karsten M. Self [link\|mailto:kmself@ix.netcom.com\|kmself@ix.netcom.com]\r\n [link\|http://kmself.home.netcom.com/\|http://kmself.home.netcom.com/]\r\n What part of "gestalt" don't you understand?\r\n [link\|http://twiki.iwethey.org/twiki/bin/view/Main/\|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.\r\n \r\n Keep software free. Oppose the CBDTPA. Kill S.2048 dead.\r\n[link\|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html\|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]\r\n
Post #111,615 by rickmoen 7/27/03 5:25:39 AM Reply	Re: Root password, rooted box Concur -- but, again, the first question I'd ask is whether Glen is trying to solve the right problem: It's really not at all clear from the cited symptoms that his box has been compromised. Changing the root password (accidentally or on purpose) and then forgetting having done so for quite some time would bring about the exact same situation. That aside, the question of how you tell whether or not your system has been compromised is an interesting one: It turns out that there's no general solution, and it's always a possibility that you're operating a compromised box but just can't detect any signs. Generally speaking, the bad guys break in because they want to do something, and so you find them by noticing something going on that shouldn't be, e.g., a sudden shortage of disk space or bandwidth that you can't account for even after careful inspection -- or weird network services that seem to be in operation when you probe the system using nmap from elsewhere on the network. But lack of such evidence just inherently isn't (and cannot be) definitive. You should already have the ability to recover completely from such compromise. Period. If you have to live in fear of "hackers" [sic] because of lack of current, reliable backups and a realistic plan to restore from them, then the latter (lack) should be your top priority as a problem to fix, not "hackers'. After all, hardware failure -- always a strong possibility -- would face you with pretty much the same problem. If you ever do become reasonably convinced that you've suffered root compromise, the only safe thing to do is cut power on the system immediately, then reboot the system from write-protected maintenance media long enough to confirm the symptoms and secure safety copies of any files you care about, then rebuild the system solely from trusted installation media, carefully not reusing any of the system's binaries, libraries, scripts, configuration files, or dotfiles. System configuration should be reconstructed by examining copies of the compromised system's configuration files, but not directly reusing any of them (because they cannot be trusted). When the system has been reconstructed, but before it's connected to public networks, you should apply all needed patches and updates so you can be confident in its security profile, and should issue new passwords to all logins and not let users back in until you've talked to them individually (about what they should and should not do, to keep the bad guys from getting back in). Ideally, you should have a high-probability guess about the exact method of compromise, and have acted to insure that the hole has been closed, before re-connecting the system to the outside world. Recovery from root compromise must be done carefully and systematically, or you'll end up doing it multiple times until you get it right. Rick Moen rick@linuxmafia.com If you lived here, you'd be $HOME already.
Post #111,632 by kmself 7/27/03 3:22:47 PM Reply	Forensics By encompassing "suspected hack", I was implying forensic analysis to determine whether or not the box actually had been compromised. And while Rick's advice is strictly true, the operational case is generally that you're dealing with a script kiddie using a prebuilt attack -- the type which chkrootkit might be able to pick up (if not from your installed system then from recovery media). As I indicated, this is sorely deserving of a [link\|http://twiki.iwethey.org/\|TWIT] topic. --\r\n Karsten M. Self [link\|mailto:kmself@ix.netcom.com\|kmself@ix.netcom.com]\r\n [link\|http://kmself.home.netcom.com/\|http://kmself.home.netcom.com/]\r\n What part of "gestalt" don't you understand?\r\n [link\|http://twiki.iwethey.org/twiki/bin/view/Main/\|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.\r\n \r\n Keep software free. Oppose the CBDTPA. Kill S.2048 dead.\r\n[link\|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html\|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]\r\n
Post #111,681 by rickmoen 7/28/03 4:34:01 AM Reply	Re: Forensics A reasonable approach. Finding evidence of break-in is of course more likely to be meaningful than finding no (real) evidence. I was mostly addressing the latter case, which is what we have been presented, so far. ("The password I think I used to use doesn't work" doesn't qualify as real evidence.) I would be at least a little wary of false positives from chkrootkit scripts: If the thing gives its opinion that there's a rootkit installed, then adopt a usefully skeptical attitude, and examine the alleged rootkit for yourself. And of course don't forget that there's no reason an intruder would have to install a rootkit in the first place: Those are merely mechanisms to conceal the intruder's on-system activity, which many intruders just don't bother with in the first place. And there's good reason to beware of false negatives, as well: You're running a system-checking script on a suspect system, and you're willing to trust the results? Really? Does the script use only executables provided with it, and none of the system's own? Do any of the executables invoke (necessarily suspect) system libraries? Did you use any (necessarily suspect) system tools to gain access to the script? And you trust that none of those system facilities would be so evil as to interfere with the system-checking script? As I said, checking the state of a running system that you suspect of root compromise is a non-trivial problem. Throwing chkrootkit scripts at it doesn't make the obstacles go away. Real forensics get run from altnerate boot media, never trusting (and never running) any binary, library, or configuration file on the suspect system. Rick Moen rick@linuxmafia.com If you lived here, you'd be $HOME already.
Post #111,646 by gdaustin 7/27/03 7:07:26 PM Reply	Exactly what I did... I just ended up figuring out myself, by looking at the system init scripts. The good news is that I know a lot more about how Linux starts up now. Now, I'm curious to study it more and figure out more. Took about 3 hours to figure it out, then 10 minutes to fix. Then I was off to College Station, TX (Home of Texas A&M University) to pick up my wife and kids. Glen Austin

Welcome to IWETHEY!