Re: 33 character encrypted passwords in /etc/shadow

From: Ben Boulanger (ben@blackavar.com)
Date: 06/28/02

• Previous message: Fragga: "unexplained port 524 probes payload "cko""
• In reply to: Mike Denka: "33 character encrypted passwords in /etc/shadow"
• Next in thread: Stephen Smoogen: "Re: 33 character encrypted passwords in /etc/shadow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Fri, 28 Jun 2002 12:08:10 -0400 (EDT)
From: Ben Boulanger <ben@blackavar.com>
To: Mike Denka <mdenk@whidbey.net>

On Thu, 27 Jun 2002, Mike Denka wrote:
> Suddenly I'm seeing a few 33 character encrypted passwords showing up in
> my /etc/shadow files on several Linux machines. And on at least one of
> them, some of us whose entries have inexplicably changed from 13
> characters to 34 characters can no longer ssh in. First, has anyone
> heard of any kind of rootkit or other intrusion that has this symptom?
> Second, what's the easiest way to get a known good md5sum of a linux
> distribution binary like /usr/sbin/passwd? Solaris has a nice web site
> that will accept an md5sum and spit out the binary that matches it. Any
> quick and easy way to do the same for various redhat distributions?

The 34(maybe 33?) character password is RedHat's (possibly all linux's)
new password encryption. Not sure if it's still crypt or what, but it's
legit.

The fastest way to verify changes to files in an rpm is with a command
like:
        rpm -qas | grep -v ^normal

This queries all installed RPMs, and shows you the state of each file.
The -v ^normal yanks the files that haven't changed out of STDOUT for you.

Ben

-- 
Flies never visit an egg that has no crack. 
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: Fragga: "unexplained port 524 probes payload "cko""
• In reply to: Mike Denka: "33 character encrypted passwords in /etc/shadow"
• Next in thread: Stephen Smoogen: "Re: 33 character encrypted passwords in /etc/shadow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: 33 character encrypted passwords in /etc/shadow ... > characters to 34 characters can no longer ssh in. ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ... (Incidents) Re: Crack GPG Password ... encrypt something, then encrypt it again with a password that's one off ... in characters, you should get something that looks completely different. ... use MD5SUM on it to get the hash ... change it to "hello fellow." ... (Ubuntu) Re: How do you use md5sum? ... >the same as those offered by the linuxiso website? ... files is likely to cause half of the bits in the md5sum to change. ... even checking the first five characters in the two md5sums is an extremely ... the download is ... (comp.os.linux.security) 33 character encrypted passwords in /etc/shadow ... Suddenly I'm seeing a few 33 character encrypted passwords showing up in ... my /etc/shadow files on several Linux machines. ... characters to 34 characters can no longer ssh in. ... what's the easiest way to get a known good md5sum of a linux ... (Incidents) Is md5sum reversible?? ... it's encryption tool. ... The key is supposed to be a 12 character code ... i.e. md5sum, take the first 4 characters and upcasing any a-f letters, ... (sci.crypt)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2002-06