[PLUG] login weirdness
Bill Barry
barryb at proaxis.com
Mon Mar 9 01:19:35 UTC 2009
On Thu, Mar 5, 2009 at 5:07 AM, Russell Senior <seniorr at aracnet.com> wrote:
>
> On one of my desktop boxes this evening I observed something
> unsettling. The box had been rebooted because of a freeze (I think
> due to an inadvertent ssh session in X, but I wasn't present, so I'm
> not certain). Box came back up in memtest86 (inexperienced hands
> probably were responsible), and I rebooted when I returned home.
>
> However, when I rebooted and logged in, I wasn't prompted for a
> password:
>
> login: russell
> $
>
> What the ...???
>
> Even more disturbingly, su took me right to a root prompt. The
> /etc/passwd and /etc/shadow appear to be intact. I immediately
> assumed the worst and unplugged it from the network, booted a live-cd
> and did some trolling through the filesystems. I found evidence in
> /var/log/auth.log that two or three ssh-knockers had logged in as
> root, but within a minute had logged out again. I disregarded all the
> cool forensics stuff I learned at PLUG a month ago.
>
> I ran chkrootkit which came back clean, but ... clearly something is
> haywire. I strace'd a getty and all it exec'd is login and then a
> shell. The md5sum of /bin/login matches what shows in the
> /var/lib/dpkg/info/login.md5sums file.
>
> What explains the weird passwordless logins?
>
> Clues? Ideas?
>
>
>
I had this exact same thing occur to me yesterday. I first noticed it when
su took me directly to root.
Having seen this thread, I went through the backups for the last few days and
noticed that several files in /etc/pam.d had been updated during a normal
debian upgrade. The files were
etc/pam.d/common-account
etc/pam.d/common-auth
etc/pam.d/common-password
etc/pam.d/common-session
I restored these files from the backup and the problem disappeared. As far
as I can tell this was not caused by any malice, but was caused by a
packaging problem.
Bill
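As an added example (mine, not code from the thread or from Debian) of the check I would run on a box in this state: a POSIX shell script that flags an /etc/pam.d "auth" stack that can succeed without any module checking a credential. The list of credential-checking modules and the control-flag heuristic are my assumptions, and the two common-auth samples are constructed.

```shell
#!/bin/sh
# Added example: a quick defender's check for a PAM "auth" stack that can
# succeed with no credential check, the state the thread describes after a
# bad upgrade. Heuristic only (my assumption, not a full PAM parser):
#   - no auth line names a credential-checking module at all, or
#   - pam_permit.so grants success before any such module runs.

# check_auth_stack FILE -> exit 0 if the stack looks sane, 1 if it looks passwordless
check_auth_stack() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        $1 != "auth" { next }                            # only the auth facility
        {
            # control may be a bracketed list with spaces: [success=1 default=ignore]
            i = 2; ctrl = $2
            if (ctrl ~ /^\[/) while (i <= NF && $i !~ /\]$/) { i++; ctrl = ctrl " " $i }
            mod = $(i + 1)
        }
        mod ~ /pam_(unix|ldap|krb5|sss|winbind)\.so/ { saw_check = 1 }
        mod ~ /pam_permit\.so/ && !saw_check && ctrl ~ /^(sufficient|required|requisite)$/ { bad = 1 }
        mod ~ /pam_permit\.so/ && !saw_check && ctrl ~ /success=(done|ok|[0-9]+)/ { bad = 1 }
        END { exit ((bad || !saw_check) ? 1 : 0) }
    ' "$1"
}

# Constructed samples: a normal Debian-style common-auth and a broken one.
sane=$(mktemp); broken=$(mktemp)
cat > "$sane" <<'EOF'
auth    [success=1 default=ignore]    pam_unix.so nullok_secure
auth    requisite                     pam_deny.so
auth    required                      pam_permit.so
EOF
cat > "$broken" <<'EOF'
# only pam_permit left in the stack: every login succeeds
auth    required    pam_permit.so
EOF

for f in "$sane" "$broken"; do
    if check_auth_stack "$f"; then echo "$f: auth stack looks sane"
    else echo "$f: WARNING auth stack can succeed without a credential check"; fi
done
rm -f "$sane" "$broken"
```

On a newer dpkg, `dpkg --verify libpam-runtime` gives an independent cross-check of the shipped conffiles against their recorded checksums, in the spirit of the /bin/login md5sum comparison done earlier in the thread.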