Root Permissions

on 01.07.2004 07:04:25 by Anindya Mozumdar

Hi,
The following problem may be trivial to some of you, however my
knowledge of Linux is limited, and I don't understand how it can be
done.
In our institute, we use Debian Linux, and the boot loader is lilo.
For those machines where the lilo password is not set, ANY ONE can
get a root shell by simply interrupting the boot process and typing
linux init=/bin/sh in the boot prompt.
One of my friends obtained a root shell in this manner, and has
either made some changes, or set up some program, by which he can
become root any time, without actually knowing the root password,
which is known only to our system administrator. What may be the
possible things he has done to set up his program, and how can it be
reversed?
Thanks in advance.
Anindya Mozumdar.
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: Root Permissions

on 01.07.2004 07:34:08 by Ahsan Ali

Hello Anindya,

The only surefire way of recovering from this is to rebuild the
machines from scratch. He could have installed several backdoors into
the system and no matter how many you find (if any) there will almost
certainly be more.

In fact, replacing netstat, ps etc with modified binaries which are
standard with "root-kits" he pretty much guarantees that you will not
even be able to see the process(es) that he installed that listen on
some other port for incoming connections.

So... if I were in your place, I would most certainly rebuild from scratch.

And oh... use a LILO password.

All you need to add are two lines:

password=
restricted

to the LILO global config section in /etc/lilo.conf. The restricted
keyword will allow normal boot but will prompt you for the password
specified if you attempt to pass lilo any parameters at bootup.

Be sure to run lilo after making changes to /etc/lilo.conf, also since
the password is in clear text, make sure lilo.conf is not readable by
anyone except root.

chmod 600 /etc/lilo.conf

Regards,

Ahsan Ali

On Thu, 1 Jul 2004 10:34:25 +0530, Anindya Mozumdar wrote:
>
> Hi,
> The following problem may be trivial to some of you, however my
> knowledge of Linux is limited, and I don't understand how it can be
> done.
> In our institute, we use Debian Linux, and the boot loader is lilo.
> For those machines where the lilo password is not set, ANY ONE can
> get a root shell by simply interrupting the boot process and typing
> linux init=/bin/sh in the boot prompt.
> One of my friends obtained a root shell in this manner, and has
> either made some changes, or set up some program, by which he can
> become root any time, without actually knowing the root password,
> which is known only to our system administrator. What may be the
> possible things he has done to set up his program, and how can it be
> reversed?
> Thanks in advance.
> Anindya Mozumdar.

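Ahsan's two lines and the chmod can be checked mechanically. The function below is an added example, not code from the thread or from the LILO project: given the path of a lilo.conf it looks for a non-empty password= and restricted in the global section (taken, as an assumption about the file layout, to be everything before the first image= or other= stanza) and checks that the file is mode 0600.

```shell
#!/bin/sh
# Audit a lilo.conf for the hardening Ahsan describes: a non-empty
# "password=" plus "restricted" in the global section, and the file
# readable only by root (mode 0600) because the password is clear text.
# Prints one line per check and returns 0 only when all three pass.
lilo_audit() {
    conf="$1"
    rc=0
    # The global section is everything before the first per-image stanza,
    # i.e. before the first line that starts with image= or other=.
    global=$(awk '/^[ \t]*(image|other)=/ { exit } { print }' "$conf")

    # Check 1: a global password= with a non-empty value.
    if printf '%s\n' "$global" | grep -q '^[[:space:]]*password=[^[:space:]]'; then
        echo "ok:   global password= is set"
    else
        echo "FAIL: no global password= (a boot-prompt parameter such as init=/bin/sh is not challenged)"
        rc=1
    fi

    # Check 2: restricted, so the password is only demanded when parameters
    # are passed at the boot prompt (password= alone prompts on every boot).
    if printf '%s\n' "$global" | grep -q '^[[:space:]]*restricted[[:space:]]*$'; then
        echo "ok:   global restricted is set"
    else
        echo "FAIL: restricted is missing from the global section"
        rc=1
    fi

    # Check 3: mode 0600; ls -ld is used instead of stat -c for portability.
    mode=$(ls -ld "$conf" | cut -c1-10)
    if [ "$mode" = "-rw-------" ]; then
        echo "ok:   $conf is mode 0600"
    else
        echo "FAIL: $conf is $mode, should be -rw------- (chmod 600 $conf)"
        rc=1
    fi
    return $rc
}
```

Re-run lilo after any change, as Ahsan says: the audit reads the configuration file only and cannot tell whether the boot sector was rewritten.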
Re: Root Permissions

on 01.07.2004 10:13:52 by Alexander Economou

Funny friends you have! :)
If you cannot install Debian from scratch on the specific box[es] in
short time as Ahsan Ali suggested, I would suggest you make a fresh
installation of the operating system on another box
and take the md5 checksums of some critical binaries like /bin/* /sbin/* etc.
(md5sum /bin/* /sbin/* /usr/local/sbin/* etc. > new) and then compare
them with the checksums of the 'compromised' box. It's generally a good idea
to take checksums of almost everything when you do a fresh install so
you can have a better view/clue afterwards.

> Hello Anindya,
>
> The only surefire way of recovering from this is to rebuild the
> machines from scratch. He could have installed several backdoors into
> the system and no matter how many you find (if any) there will almost
> certainly be more.
>
> In fact, replacing netstat, ps etc with modified binaries which are
> standard with "root-kits" he pretty much guarantees that you will not
> even be able to see the process(es) that he installed that listen on
> some other port for incoming connections.
>
> So... if I were in your place, I would most certainly rebuild from
> scratch.
>
> And oh... use a LILO password.
>
> All you need to add are two lines:
>
> password=
> restricted
>
> to the LILO global config section in /etc/lilo.conf. The restricted
> keyword will allow normal boot but will prompt you for the password
> specified if you attempt to pass lilo any parameters at bootup.
>
> Be sure to run lilo after making changes to /etc/lilo.conf, also since
> the password is in clear text, make sure lilo.conf is not readable by
> anyone except root.
>
> chmod 600 /etc/lilo.conf
>
> Regards,
>
> Ahsan Ali
>
> On Thu, 1 Jul 2004 10:34:25 +0530, Anindya Mozumdar
> wrote:
>>
>> Hi,
>> The following problem may be trivial to some of you, however my
>> knowledge of Linux is limited, and I don't understand how it can be
>> done.
>> In our institute, we use Debian Linux, and the boot loader is lilo.
>> For those machines where the lilo password is not set, ANY ONE can
>> get a root shell by simply interrupting the boot process and typing
>> linux init=/bin/sh in the boot prompt.
>> One of my friends obtained a root shell in this manner, and has
>> either made some changes, or set up some program, by which he can
>> become root any time, without actually knowing the root password,
>> which is known only to our system administrator. What may be the
>> possible things he has done to set up his program, and how can it be
>> reversed?
>> Thanks in advance.
>> Anindya Mozumdar.


--
Alexander Economou
GNET NOC

Re: Root Permissions

on 01.07.2004 10:42:48 by Anindya Mozumdar

Hi,
Probably I framed the question badly, so everyone has misunderstood
what I asked. I am not at all interested in reinstalling or
preventing my friend from doing what he wants. I wanted to know what
he may have possibly set up so that he can become root any time, so
that I can do the same. And I wanted to know how it can be reversed,
so that my own system is protected from such attacks.
Thanks.
Anindya.

On Thu, Jul 01, 2004 at 10:34:25AM +0530, Anindya Mozumdar wrote:
> Hi,
> The following problem may be trivial to some of you, however my
> knowledge of Linux is limited, and I don't understand how it can be
> done.
> In our institute, we use Debian Linux, and the boot loader is lilo.
> For those machines where the lilo password is not set, ANY ONE can
> get a root shell by simply interrupting the boot process and typing
> linux init=/bin/sh in the boot prompt.
> One of my friends obtained a root shell in this manner, and has
> either made some changes, or set up some program, by which he can
> become root any time, without actually knowing the root password,
> which is known only to our system administrator. What may be the
> possible things he has done to set up his program, and how can it be
> reversed?
> Thanks in advance.
> Anindya Mozumdar.
-------------------------------------------------------------------------------

Anindya Mozumdar
anindya (at) cmi (dot) ac (dot) in

"Bad language isn't second nature to me - it's first. Bad language and bad
behaviour. It's a f****** winning combination, you've got to admit."
- Ozzy Osbourne

RE: Root Permissions

on 01.07.2004 10:51:00 by Craig McDonald

www.chkrootkit.org

The above mentioned util will find any rootkits (well, the ones that we
currently know about) and sniffer logs. Should be what you are looking for.

Rootkits are fairly easy to find but it is script kiddie behaviour.
I take it you are not involved in administrating these machines at your
institute?

Craig


-----Original Message-----
From: Anindya Mozumdar [mailto:anindya@cmi.ac.in]
Sent: 01 July 2004 09:43
To: linux-admin@vger.kernel.org
Subject: Re: Root Permissions


Hi,
Probably I framed the question badly, so everyone has misunderstood
what I asked. I am not at all interested in reinstalling or
preventing my friend from doing what he wants. I wanted to know what
he may have possibly set up so that he can become root any time, so
that I can do the same. And I wanted to know how it can be reversed,
so that my own system is protected from such attacks.
Thanks.
Anindya.

On Thu, Jul 01, 2004 at 10:34:25AM +0530, Anindya Mozumdar wrote:
> Hi,
> The following problem may be trivial to some of you, however my
> knowledge of Linux is limited, and I don't understand how it can be
> done.
> In our institute, we use Debian Linux, and the boot loader is lilo.
> For those machines where the lilo password is not set, ANY ONE can
> get a root shell by simply interrupting the boot process and typing
> linux init=/bin/sh in the boot prompt.
> One of my friends obtained a root shell in this manner, and has
> either made some changes, or set up some program, by which he can
> become root any time, without actually knowing the root password,
> which is known only to our system administrator. What may be the
> possible things he has done to set up his program, and how can it be
> reversed?
> Thanks in advance.
> Anindya Mozumdar.
-------------------------------------------------------------------------------

Anindya Mozumdar
anindya (at) cmi (dot) ac (dot) in

"Bad language isn't second nature to me - it's first. Bad language and bad
behaviour. It's a f****** winning combination, you've got to admit."
- Ozzy Osbourne

Re: Root Permissions

on 01.07.2004 15:25:16 by Adam Lang

Haha. I think the question you want to ask is "How can I hack someone's
linux box?"

----- Original Message -----
From: "Anindya Mozumdar"
To:
Sent: Thursday, July 01, 2004 4:42 AM
Subject: Re: Root Permissions


> Hi,
> Probably I framed the question badly, so everyone has misunderstood
> what I asked. I am not at all interested in reinstalling or
> preventing my friend from doing what he wants. I wanted to know what
> he may have possibly set up so that he can become root any time, so
> that I can do the same. And I wanted to know how it can be reversed,
> so that my own system is protected from such attacks.
> Thanks.
> Anindya.


Re: Root Permissions

on 02.07.2004 09:12:49 by mgc

Anindya Mozumdar wrote:

> Hi,
> Probably I framed the question badly, so everyone has misunderstood
> what I asked. I am not at all interested in reinstalling or
> preventing my friend from doing what he wants. I wanted to know what
> he may have possibly set up so that he can become root any time, so
> that I can do the same. And I wanted to know how it can be reversed,
> so that my own system is protected from such attacks.
>
Then try to join a hacking mailing list; this mailing list might not be
the kind of list you are looking for. Using tools and programs that you
don't know what they do (at least roughly) just to become root in a
system, as Craig has said, is script kiddie behaviour...


Re: Root Permissions

on 02.07.2004 20:27:05 by Bradley Hook

Even with a LILO password, it's still rather easy to bypass. You can
easily stick in a bootable CD and get into the machine without a
password (I've done this for recovery more than once). And a BIOS
password is just another bump in the road for anyone wanting to hack a
machine, takes 30 seconds and a screwdriver to get around that (unless
the case has thumb screws, then just 30 seconds). Basically, if someone
has physical access to the machine, there will always be a way to get
access. You can keep your data fairly safe with an encrypted filesystem,
but the machine has to boot from something, so there is always something
that can be compromised.

Also, there's a project called tripwire that you can use to detect
changes to your system. Encrypt the verification files that this program
generates, or store them somewhere other than the local system's hdd.
It's also not a bad idea to keep very sensitive files (like your private
encryption keys) on some kind of removable media; a usb thumb drive or
similar would do the trick.

~Brad

Ahsan Ali wrote:
> Hello Anindya,
>
> The only surefire way of recovering from this is to rebuild the
> machines from scratch. He could have installed several backdoors into
> the system and no matter how many you find (if any) there will almost
> certainly be more.
>
> In fact, replacing netstat, ps etc with modified binaries which are
> standard with "root-kits" he pretty much guarantees that you will not
> even be able to see the process(es) that he installed that listen on
> some other port for incoming connections.
>
> So... if I were in your place, I would most certainly rebuild from scratch.
>
> And oh... use a LILO password.
>
> All you need to add are two lines:
>
> password=
> restricted
>
> to the LILO global config section in /etc/lilo.conf. The restricted
> keyword will allow normal boot but will prompt you for the password
> specified if you attempt to pass lilo any parameters at bootup.
>
> Be sure to run lilo after making changes to /etc/lilo.conf, also since
> the password is in clear text, make sure lilo.conf is not readable by
> anyone except root.
>
> chmod 600 /etc/lilo.conf
>
> Regards,
>
> Ahsan Ali
>
> On Thu, 1 Jul 2004 10:34:25 +0530, Anindya Mozumdar wrote:
>
>> Hi,
>> The following problem may be trivial to some of you, however my
>> knowledge of Linux is limited, and I don't understand how it can be
>> done.
>> In our institute, we use Debian Linux, and the boot loader is lilo.
>> For those machines where the lilo password is not set, ANY ONE can
>> get a root shell by simply interrupting the boot process and typing
>> linux init=/bin/sh in the boot prompt.
>> One of my friends obtained a root shell in this manner, and has
>> either made some changes, or set up some program, by which he can
>> become root any time, without actually knowing the root password,
>> which is known only to our system administrator. What may be the
>> possible things he has done to set up his program, and how can it be
>> reversed?
>> Thanks in advance.
>> Anindya Mozumdar.

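Alexander's md5sum comparison and Brad's tripwire advice come down to the same check: a checksum list taken on a clean install, compared against the same paths on the suspect box. The shell functions below are an added example, not code from the thread or from tripwire; the ROOT/DIR arguments of checksum_tree and the use of md5sum's "HASH  PATH" list format are the assumptions.

```shell
#!/bin/sh
# Baseline-versus-suspect checksum comparison, as Alexander suggests:
# take md5sums of critical binaries on a clean install, then compare them
# with the same paths on the box in question. Lists are in md5sum's
# "HASH  PATH" format, so a baseline made with
#   md5sum /bin/* /sbin/* > baseline
# on the clean machine works as the first argument of compare_checksums.

# Checksum every regular file under the given directories, with paths
# relative to ROOT so that a clean tree and a suspect tree line up.
# Usage: checksum_tree ROOT DIR...   (e.g. checksum_tree / bin sbin)
checksum_tree() {
    root="$1"; shift
    (cd "$root" && find "$@" -type f -exec md5sum {} + | sort -k 2)
}

# Print every path that differs between the two lists, tagged MODIFIED
# (hash changed), MISSING (in the baseline only) or ADDED (in the suspect
# list only), and return 1 if there was any difference. The baseline
# must be non-empty for awk's NR==FNR two-file idiom to work.
compare_checksums() {
    baseline="$1"; suspect="$2"
    diffs=$(awk '
        NR == FNR { base[$2] = $1; next }        # first file: baseline
        { susp[$2] = $1 }                        # second file: suspect
        END {
            for (p in base) {
                if (!(p in susp))            printf "MISSING  %s\n", p
                else if (base[p] != susp[p]) printf "MODIFIED %s\n", p
            }
            for (p in susp)
                if (!(p in base))            printf "ADDED    %s\n", p
        }' "$baseline" "$suspect" | sort)
    [ -n "$diffs" ] && printf '%s\n' "$diffs"
    [ -z "$diffs" ]
}
```

Run it with md5sum and awk taken from the clean box or read-only media, since Ahsan's point about replaced ps and netstat applies to md5sum just as well, and keep the baseline off the machine as Brad suggests.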