[PLUG] login weirdness

Bill Barry barryb at proaxis.com
Mon Mar 9 01:19:35 UTC 2009


On Thu, Mar 5, 2009 at 5:07 AM, Russell Senior <seniorr at aracnet.com> wrote:

>
> On one of my desktop boxes this evening I observed something
> unsettling.  The box had been rebooted because of a freeze (I think
> due to an inadvertent ssh session in X, but I wasn't present, so I'm
> not certain).  Box came back up in memtest86 (inexperienced hands
> probably were responsible), and I rebooted when I returned home.
>
> However, when I rebooted and logged in, I wasn't prompted for a
> password:
>
>  login: russell
>  $
>
> What the ...???
>
> Even more disturbingly, su took me right to a root prompt.  The
> /etc/passwd and /etc/shadow appear to be intact.  I immediately
> assumed the worst and unplugged it from the network, booted a live-cd
> and did some trolling through the filesystems.  I found evidence in
> /var/log/auth.log that two or three ssh-knockers had logged in as
> root, but within a minute had logged out again.  I disregarded all the
> cool forensics stuff I learned at PLUG a month ago.
>
> I ran chkrootkit which came back clean, but ... clearly something is
> haywire.  I strace'd a getty and all it exec'd is login and then a
> shell.  The md5sum of /bin/login matches what shows in the
> /var/lib/dpkg/info/login.md5sums file.
>
> What explains the weird passwordless logins?
>
> Clues?  Ideas?
>
I had this exact same thing occur to me yesterday. I first noticed it when
su took me directly to root.
Having seen this thread, I went through the backups for the last few days and
noticed that several files in /etc/pam.d had been updated during a normal
Debian upgrade. The files were
etc/pam.d/common-account
etc/pam.d/common-auth
etc/pam.d/common-password
etc/pam.d/common-session

I restored these files from the backup and the problem disappeared. As far
as I can tell this was not caused by any malice, but was caused by a
packaging problem.

Bill
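Bill's finding points at the check worth having on hand: Russell's md5sum of /bin/login against the dpkg .md5sums list cannot catch this, because the /etc/pam.d/common-* files are conffiles and are not in those lists at all (dpkg records their packaged checksums only under the Conffiles: entries in /var/lib/dpkg/status). What matters is whether the "auth" stack in common-auth still forces a credential check. The script below is an added example, not code from this thread or from Debian. It simulates Linux-PAM's stack dispatch (required, requisite, sufficient, optional and the explicit [value=action ...] form) against a small, assumed module model and asks whether the stack succeeds when no valid credential is presented. The module classification tables and the three sample stacks are constructed assumptions; the thread does not show what the broken files actually contained, and no claim is made that the samples reproduce them.

```python
"""Audit a PAM 'auth' stack for the permit-all failure mode (added example).
Simulates Linux-PAM stack dispatch against a small, assumed module model and
asks whether the stack succeeds when no valid credential is presented."""
import re
import sys

# Assumed model: these modules verify a credential and fail without one ...
CREDENTIAL_MODULES = {"pam_unix.so", "pam_ldap.so", "pam_krb5.so", "pam_sss.so"}
ALWAYS_SUCCESS = {"pam_permit.so"}
ALWAYS_FAIL = {"pam_deny.so"}
# ... and every other module (pam_env, pam_cap, ...) is assumed to succeed: the
# worst case for this audit, so an unmodelled module can never hide a hole.

# Keyword controls as [value=action] tables, as pam.d(5) defines them.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_stack(text, module_type="auth"):
    """Return [(control_table, module, args)] for lines of module_type.
    @include / include / substack lines are skipped, not followed: run this on
    the common-* file itself rather than on /etc/pam.d/login."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lstrip("-")   # "-auth" == "auth"
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable pam.d line: %r" % raw)
        mtype, control, module, args = m.groups()
        if mtype != module_type or control in ("include", "substack"):
            continue
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        elif control in KEYWORDS:
            table = dict(KEYWORDS[control])
        else:
            raise ValueError("unknown control %r" % control)
        stack.append((table, module, args.split()))
    return stack

def module_result(module, credential_valid):
    if module in ALWAYS_FAIL or (module in CREDENTIAL_MODULES and not credential_valid):
        return "auth_err"
    return "success"    # pam_permit, and (assumed) every auxiliary module

def evaluate(stack, credential_valid):
    """Linux-PAM dispatch over the stack; True if the result is PAM_SUCCESS."""
    impression, status = None, "auth_err"   # None: undecided; True/False: +/-
    i = 0
    while i < len(stack):
        table, module, _ = stack[i]
        i += 1
        result = module_result(module, credential_valid)
        action = table.get(result, table.get("default", "bad"))  # unlisted => bad
        if action in ("ok", "done") or action.isdigit():
            if impression is None or (impression and status == "success"):
                impression, status = True, result   # a past failure is never overridden
            if impression and action == "done":
                break                               # sufficient: stop with success
            if action.isdigit():
                i += int(action)                    # jump over the next N modules
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, result  # the first failure sticks
            if action == "die":
                break                               # requisite: stop at once
        elif action == "reset":
            impression, status = None, "auth_err"
        # "ignore": this module's result does not touch the outcome
    # Nothing decided (empty or all-ignored stack) is treated as denial.
    return impression is not None and status == "success"

def audit_auth_stack(text):
    """Findings for a common-auth style file; an empty list means it looks sane."""
    stack = parse_stack(text)
    findings = []
    if not any(m in CREDENTIAL_MODULES for _, m, _ in stack):
        findings.append("no credential-checking module in the auth stack")
    if evaluate(stack, credential_valid=False):
        findings.append("stack succeeds without a valid credential (passwordless login)")
    if not evaluate(stack, credential_valid=True):
        findings.append("stack fails even with a valid credential (everyone locked out)")
    return findings

# Constructed samples, not the files from the thread.
GOOD_COMMON_AUTH = ("auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\n"
                    "auth\trequisite\tpam_deny.so\nauth\trequired\tpam_permit.so\n")
MISSING_CHECK = "auth\trequired\tpam_permit.so\n"                  # check is gone
PERMIT_FIRST = "auth\tsufficient\tpam_permit.so\nauth\trequired\tpam_unix.so\n"

if __name__ == "__main__":
    inputs = [(p, open(p).read()) for p in sys.argv[1:]] or [
        ("good", GOOD_COMMON_AUTH), ("missing", MISSING_CHECK), ("permit-first", PERMIT_FIRST)]
    for name, text in inputs:
        print(name, "->", audit_auth_stack(text) or "OK")
```

Run it as `python pam_audit.py /etc/pam.d/common-auth` (file name assumed) after any upgrade that touched libpam or its runtime; with no arguments it audits the three constructed samples. The GOOD sample is the Debian idiom where pam_unix jumps over pam_deny on success, so a wrong password falls through to pam_deny and dies; the other two show the two shapes of hole this audit is for, a stack with the credential check removed and one where a sufficient pam_permit.so short-circuits the stack before pam_unix runs. Treating unknown modules as succeeding is deliberate: it can only produce false alarms, never hide a permit-all stack. The simulator does not follow include lines, so point it at each common-* file directly, and pair it with a comparison of those files against their packaged checksums from the Conffiles: entries in /var/lib/dpkg/status, which is the check the .md5sums files do not cover.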