Budnev Vladimir
2012-Jun-18 13:32 UTC
(Free 7.2) "su -l" didn't prompt for password. Is it possible?
Hello everyone. We've noticed a strange situation. After reboot and login, the system didn't ask for a password while switching with su -l.

In detail, there was a root login from the terminal and one from ssh. The terminal login was directly as root (via ip-console), and the ssh login was as a user, who then attempted to switch to root with su -l, and there was NO password request, no prompt at all. At the same time the login from the terminal accepted the root password; first I thought that meant the password wasn't empty, but the system even with an empty password should print "Password:"... and that time there was absolutely nothing. We even logged out and then did su -l again.

And it looked this way:

%su -l
St-serv#
St-serv# exit
%su -l
St-serv#

We were shocked and hurried a bit and changed the root password without backing up /etc/master.passwd for investigation. After changing the password we can no longer reproduce this behaviour.

It should also be noted that the system was booting after an unsafe power shutdown, and there was an fs check running in the background (according to the logs), which corrected and cleared some files (searching by inum resulted in nothing).

sysctl -a gave this string:
<118>Starting background file system checks in 60 seconds.
<118>

and in /var/log/messages we could see:
Jun 15 14:57:39 St-serv kernel: em0: link state changed to UP
Jun 15 14:57:49 St-serv login: ROOT LOGIN (root) ON ttyv0
Jun 15 14:58:47 St-serv fsck: /dev/ad0s1e: 71 files, 11 used, 2538508 free (84 frags, 317303 blocks, 0.0% fragmentation)
Jun 15 15:02:31 St-serv fsck: /dev/ad0s1f: 264646 files, 1378041 used, 60368113 free (43545 frags, 7540571 blocks, 0.1% fragmentation)
Jun 15 15:03:31 St-serv su: zimmer to root on /dev/ttyp0
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=1931747 (897632 should be 897600) (CORRECTED)
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=1931748 (1865184 should be 1865120) (CORRECTED)
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=2284637 (4 should be 0) (CORRECTED)
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=2284713 (4 should be 0) (CORRECTED)
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=23557 OWNER=root MODE=100644
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=0 MTIME=Jun 9 18:51 2012 (CLEARED)
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=1931319 OWNER=root MODE=100640
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=728 MTIME=Jul 26 17:37 2011 (CLEARED)
<...>

I've googled and found only one thread with su not asking for a password; that one was about jails, but this time we have a 100% guarantee that we didn't put in any virtual environments.

So the thing that scares us is: maybe this is a symptom of a server rootkit? (We've found nothing unusual in the logs, but that means nothing...) Or is there some other explanation why su could not ask for a password?

Thanks in advance

PS: Duplicated question to freebsd-questions and freebsd-security because unsure which one it should be sent to.
Budnev Vladimir
2012-Jun-18 14:41 UTC
(Free 7.2) "su -l" didn't prompt for password. Is it possible?
On 18.06.2012 18:32, Chris Rees wrote:
> On Jun 18, 2012 2:34 PM, "Budnev Vladimir" <vladimir.budnev@gmail.com> wrote:
>> Hello everyone.
>> We've noticed a strange situation. After reboot and login, the system didn't ask for a password while switching with su -l.
>>
>> In detail, there was a root login from the terminal and one from ssh. The terminal login was directly as root (via ip-console), and the ssh login was as a user, who then attempted to switch to root with su -l, and there was NO password request, no prompt at all. At the same time the login from the terminal accepted the root password; first I thought that meant the password wasn't empty, but the system even with an empty password should print "Password:"... and that time there was absolutely nothing.
>
> Empty password behaviour is for no prompt, so what you are seeing is normal, and means that you did indeed have an empty password.

Interesting. Could it be that the master.passwd file was corrupted (after the power shutdown) and fsck corrected it in the background, which resulted in such behaviour? The strange thing with a possibly empty password is that the login from the ip-console accepted the correct password. So I'm not sure about empty... It seems like su was accepting any password at that time.

> Check your logs very carefully over the past few weeks to make sure no one has broken in.

Yeah, it seems we are forced to mount the disks on another system and check for changes in critical system tools. Argh... and then redeploy the system anyway.

> Chris
Jason Hellenthal
2012-Jun-18 14:43 UTC
(Free 7.2) "su -l" didn't prompt for password. Is it possible?
On Mon, Jun 18, 2012 at 05:31:54PM +0400, Budnev Vladimir wrote:
> Hello everyone.
> We've noticed a strange situation. After reboot and login, the system didn't ask for a password while switching with su -l.
>
> In detail, there was a root login from the terminal and one from ssh. The terminal login was directly as root (via ip-console), and the ssh login was as a user, who then attempted to switch to root with su -l, and there was NO password request, no prompt at all. At the same time the login from the terminal accepted the root password; first I thought that meant the password wasn't empty, but the system even with an empty password should print "Password:"... and that time there was absolutely nothing. We even logged out and then did su -l again.
>
> And it looked this way:
>
> %su -l
> St-serv#
> St-serv# exit
> %su -l
> St-serv#
>
> We were shocked and hurried a bit and changed the root password without backing up /etc/master.passwd for investigation.
> After changing the password we can no longer reproduce this behaviour.
>
> It should also be noted that the system was booting after an unsafe power shutdown, and there was an fs check running in the background (according to the logs), which corrected and cleared some files (searching by inum resulted in nothing).
>
> sysctl -a gave this string:
> <118>Starting background file system checks in 60 seconds.
> <118>
>
> and in /var/log/messages we could see:
> Jun 15 14:57:39 St-serv kernel: em0: link state changed to UP
> Jun 15 14:57:49 St-serv login: ROOT LOGIN (root) ON ttyv0
> Jun 15 14:58:47 St-serv fsck: /dev/ad0s1e: 71 files, 11 used, 2538508 free (84 frags, 317303 blocks, 0.0% fragmentation)
> Jun 15 15:02:31 St-serv fsck: /dev/ad0s1f: 264646 files, 1378041 used, 60368113 free (43545 frags, 7540571 blocks, 0.1% fragmentation)
> Jun 15 15:03:31 St-serv su: zimmer to root on /dev/ttyp0
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=1931747 (897632 should be 897600) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=1931748 (1865184 should be 1865120) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=2284637 (4 should be 0) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=2284713 (4 should be 0) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=23557 OWNER=root MODE=100644
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=0 MTIME=Jun 9 18:51 2012 (CLEARED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=1931319 OWNER=root MODE=100640
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=728 MTIME=Jul 26 17:37 2011 (CLEARED)
> <...>
>
> I've googled and found only one thread with su not asking for a password; that one was about jails, but this time we have a 100% guarantee that we didn't put in any virtual environments.
>
> So the thing that scares us is: maybe this is a symptom of a server rootkit? (We've found nothing unusual in the logs, but that means nothing...) Or is there some other explanation why su could not ask for a password?

The only thing I can think of ATM is... did you recently perform an upgrade from source with this system? mergemaster? The reason why I ask is that when doing such things the master.passwd is compared to the default master.passwd, which has no password set.

If a merge went wrong then there is a possibility that it was set back to defaults by accident. I also see that your system booted up and did a fsck(8). There is a chance that something weird happened here as well.

> Thanks in advance
>
> PS: Duplicated question to freebsd-questions and freebsd-security because unsure which one it should be sent to.

-- 
- (2^(N-1))
On Jun 18, 2012 2:34 PM, "Budnev Vladimir" <vladimir.budnev@gmail.com> wrote:
> Hello everyone.
> We've noticed a strange situation. After reboot and login, the system didn't ask for a password while switching with su -l.
>
> In detail, there was a root login from the terminal and one from ssh. The terminal login was directly as root (via ip-console), and the ssh login was as a user, who then attempted to switch to root with su -l, and there was NO password request, no prompt at all. At the same time the login from the terminal accepted the root password; first I thought that meant the password wasn't empty, but the system even with an empty password should print "Password:"... and that time there was absolutely nothing.

Empty password behaviour is for no prompt, so what you are seeing is normal, and means that you did indeed have an empty password.

Check your logs very carefully over the past few weeks to make sure no one has broken in.

Chris
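Chris's explanation (an empty password field in master.passwd means su prompts for nothing) and Jason's suspicion that a bad mergemaster run or the background fsck reset the file both lead to the same defender's check: inspect the password field of every entry in master.passwd. The POSIX sh script below is an added example, not code from this thread or from FreeBSD. It audits a file in master.passwd format (field layout per passwd(5): name:password:uid:gid:class:change:expire:gecos:home:shell) for entries with an empty password field and for uid-0 accounts other than root and toor, and when run with no argument it audits a constructed sample embedded in the script. The sample entries, including the hash strings and the "backdoor" account, are made up for the demonstration; the user name zimmer is taken from the su line in the poster's log.

```shell
#!/bin/sh
# Added example (not from the thread): audit a master.passwd-format file for
# entries that su(1)/login(1) would accept without a password prompt, and for
# extra uid-0 accounts. Field layout per passwd(5):
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# An empty second field means "no password"; a locked account carries "*".

audit_passwd_file() {
    # $1: path to a master.passwd-style file.
    # Prints one finding per line:
    #   EMPTY_PASSWORD <user>   - password field is empty (no prompt on su)
    #   UID0 <user>             - uid 0 but not root/toor
    #   BAD_FIELD_COUNT <line>  - line does not have the 10 fields of passwd(5)
    # Exit status is 1 if any finding was printed, 0 otherwise.
    awk -F: '
        /^[[:space:]]*(#|$)/ { next }                    # comments and blank lines
        NF != 10 { print "BAD_FIELD_COUNT " NR; found = 1; next }
        $2 == "" { print "EMPTY_PASSWORD " $1; found = 1 }
        $3 == "0" && $1 != "root" && $1 != "toor" { print "UID0 " $1; found = 1 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

sample_file() {
    # Constructed sample in master.passwd format. The hashes are placeholders,
    # not real password hashes; "zimmer" has an empty password field and
    # "backdoor" is an invented uid-0 account, so both should be flagged.
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# $FreeBSD$
root:$6$PLACEHOLDERHASH:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
zimmer::1001:1001::0:0:Example User:/home/zimmer:/bin/sh
backdoor:$6$PLACEHOLDERHASH:0:0::0:0:Looks like a user:/home/backdoor:/bin/sh
EOF
    echo "$f"
}

# Usage: sh audit_passwd.sh [/path/to/master.passwd]
# With no argument the constructed sample above is audited.
target=${1:-}
cleanup=
if [ -z "$target" ]; then
    target=$(sample_file)
    cleanup=$target
fi
audit_passwd_file "$target" || echo "findings above need attention"
if [ -n "$cleanup" ]; then
    rm -f "$cleanup"
fi
```

Run it as root against /etc/master.passwd, or against a copy taken from the suspect disk mounted on a known-good system, which is what the original poster planned to do. It only looks at the text file; the password database that su actually consults is built from it with pwd_mkdb(8), so after repairing an entry regenerate the database and, as a separate format check, pwd_mkdb -C on the file reports whether it still parses. An EMPTY_PASSWORD finding on an account that can reach a shell is exactly the condition Chris describes in his reply.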