  1. #1
    Just Joined!
    Join Date
    Mar 2010
    Location
    Dalem, France
    Posts
    3

    Logins got logged in plain text


    Hi all
    I found a file in /usr/games/ which was a log of all successful logins.
    User name and password got logged in plain text.

    Due to these plain text passwords I considered sshd to be compromised and reinstalled the system to be sure there's no backdoor left.

    Has anyone of you experienced something like this?

    I couldn't find out how the logfile got back to the intruder.
    No suspicious entries in /etc/[passwd|group|shadow].
    No cronjobs. No open ports and nothing in mail.log

    best regards
    Michael

  2. #2
    Just Joined!
    Join Date
    Aug 2009
    Posts
    83
    Quote Originally Posted by mjbohn View Post
    I couldn't find out how the logfile got back to the intruder.
    No suspicious entries in /etc/[passwd|group|shadow].
    No cronjobs. No open ports and nothing in mail.log
    Unless you made a bit-by-bit backup of the whole disk you can still examine, these questions make sense only if you ask them prior to reinstalling the system.

    * BTW, I hope "reinstalling the system" for you means completely reinstalling the system (not only re-installing OpenSSH). Since compromising sshd means root account rights you're strongly advised to change all passwords on this machine (also check adjacent machines this one has access to), and not run any (publicly) accessible services until you have properly hardened the machine. A basic post-incident outline you can find here if you need it: CERT/CC: Steps for Recovering from a UNIX or NT System Compromise, else feel free to ask specific questions.

  3. #3
    Just Joined!
    Join Date
    Mar 2010
    Location
    Dalem, France
    Posts
    3
    Thanks for your answer

    Quote Originally Posted by unspawn View Post
    Unless you made a bit-by-bit backup of the whole disk you can still examine, these questions make sense only if you ask them prior to reinstalling the system.
    Yes I know. I was just curious how this works. I guess the fake sshd did all the work, sending back logs and providing a backdoor.

    And yes I did a complete reinstall
    Now rkhunter, logwatch and fail2ban are helping me. I'm also thinking about using Samhain IDS. But that might be a bit over-sized for just a webserver

  4. #4
    Just Joined!
    Join Date
    Aug 2009
    Posts
    83
    Quote Originally Posted by mjbohn View Post
    I guess
    ...and that's the problem. Without files, file names, logs the only thing that remains is guessing. Personally I'd rather deal with "evidence".

    And your sshd may have been replaced as part of some kit but that does not automagically mean that the compromise happened through SSH as well. You may have run something else that let the dogs in. In the kits I know about any component that will do logging will keep it stored in a local file for later retrieval, not send it.


    Quote Originally Posted by mjbohn View Post
    Now rkhunter, logwatch and fail2ban are helping me. I'm also thinking about using Samhain IDS. But that might be a bit over-sized for just a webserver
    In contrast to say Aide or tripwire (*shudder*), Samhain is an active integrity checker as it will schedule its own checks. While it can be used for a lot more it can easily alert you on say files dropped in your webserver's docroot or directories holding temporary files. PHP still is one of the usual suspects. If you run it then you'll also want to run mod_security, maybe patch your Logwatch with something like this, and harden the server wherever you can. I hope that (next to all the docs your distro already may offer) you've got some good docs to guide you wrt hardening?
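To make the "integrity checker" idea concrete: the following is an added example, not code from this thread nor from Samhain, AIDE or Tripwire. It records a baseline (SHA-256, permission bits and size) for every regular file under a directory and then diffs a fresh scan against that baseline, reporting files that were added, removed or changed, which is exactly the kind of event that flags a file dropped into a docroot. The directory layout and file names in `demo()` are constructed for the example.

```python
"""Minimal file-integrity baseline/compare, illustrating what tools like
Samhain or AIDE do underneath. Example code, not any project's own."""
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and record digest, permission bits and size per regular file.

    Symlinks are skipped: following them would let a planted link pull
    arbitrary content into the scan. Paths are stored relative to `root`.
    """
    base = {}
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            rel = str(p.relative_to(root_path))
            base[rel] = {
                "sha256": _sha256(p),
                "mode": st.st_mode & 0o7777,  # permission + setuid/setgid/sticky bits
                "size": st.st_size,
            }
    return base


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans: new files, vanished files, and files whose
    content, mode or size no longer matches the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake docroot, then simulate the three
    kinds of change an integrity checker should alert on."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0; }\n")
        baseline = build_baseline(tmp)

        # 1. unexpected new file in the docroot (constructed name)
        (root / "upload_handler.php").write_text("<?php /* new file */ ?>\n")
        # 2. content change in an existing file
        (root / "css" / "site.css").write_text("body { margin: 0; }\n/* edited */\n")
        # 3. permission change only, content untouched
        (root / "index.php").chmod(0o755)
        # 4. a file disappears
        (root / "robots.txt").unlink()

        return compare(baseline, build_baseline(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The part this snippet does not solve, and the part that matters most after a root-level compromise like the one in this thread, is where the baseline lives: an intruder with root can rewrite a baseline stored on the same disk, so a real checker keeps it signed, off-host, or on read-only media, and runs on a schedule rather than waiting for someone to remember to invoke it.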

  5. #5
    Just Joined!
    Join Date
    Mar 2010
    Location
    Dalem, France
    Posts
    3
    Quote Originally Posted by unspawn View Post
    In contrast to say Aide or tripwire (*shudder*), Samhain is an active integrity checker as it will schedule its own checks.
    OK, I'm gonna get familiar with Samhain. Are you using it?
    So I could probably come back with questions in case I need to?

  6. #6
    Just Joined!
    Join Date
    Aug 2009
    Posts
    83
    Quote Originally Posted by mjbohn View Post
    OK, I'm gonna get familiar with Samhain.
    Cool.


    Quote Originally Posted by mjbohn View Post
    Are you using it?
    Yes, among other tools.


    Quote Originally Posted by mjbohn View Post
    So I could probably come back with questions in case I need to?
    Sure, NP.
