Re: Any known reason why su would not work?

From: Bit Twister (BitTwister@localhost.localdomain)
Date: 04/19/03


From: Bit Twister <BitTwister@localhost.localdomain>
Date: Sat, 19 Apr 2003 15:15:43 GMT

On Sat, 19 Apr 2003 11:04:57 -0400, Carlos Moreno wrote:
>
> This got me a bit scared yesterday.
>
> I have my Linux box connected to a DSL line, and
> acting as gateway/router to my home LAN. I just
> installed it not a week ago, and turned off ALL
> services except SSH (which should mean that the
> risk of being hacked into should be low).
>
> So, I'm logged in yesterday installing some new
> software, and run the command
>
> $ su -
>
> Enter the root password, and the command had no
> effect!!
>
> The first thing that went through my mind is that
> I had just executed something else, placed by a
> hacker and called su, and that had just read my
> root password and possibly e-mailed it to
> who-knows-where...
>
> Rings any bell? Is it possible that this was the
> case?
>
> BTW, I logged out, logged in as root (via SSH),
> and ran commands like "su - someuser", and still
> had no effect (it just stayed on the same root
> shell where I was -- the command whoami confirmed
> that the su command had had no effect).
>
> I rebooted the box, then logged in, and now the
> su command was having the expected, usual effect.
>
> I didn't find any obvious evidence of a hacker,
> but this naturally gave me a good scare, and as
> of now, I'm not even sure where I'm standing...
> I mean, the fact that I don't see evidence of
> a hacker does not mean that there isn't one.
> That, plus the fact that I would be very surprised
> to see a Linux command stopping to work because
> of a "bug" or some glitch in the system...
>
> Any suggestions/comments? Does it sound to you
> as a false alarm?

Please read
http://www.catb.org/~esr/faqs/smart-questions.html

It always helps if you provide some basic system information and what
you are having problems with when you post questions to the
newsgroups.

That info helps us to provide better examples/responses.

Which window manager/desktop environment; they have different icons
and file access locations.

There are several "linuxes": Red Hat, Slackware, SuSE, Debian, Mandrake,
Caldera, Corel, Yellow Lab, Black Lab, WinLinux, PhatLinux, Linux On A
Floppy, slinux, Trinux, Peanut and
(Rock, Armed, Stampede, Tiny, Power, Coyote) Linux, to name a few.

Always provide what distro and release level you are using
when you post questions (Redhat 6.1, Suse 5.0, Mandrake 8.2,...).

Different distros have different commands, files, and links to files,
packages and package/software managers.
Even happens between release levels of the same distribution.

Internet connection problem (ISP, cable, adsl, PPPoE, LAN, dialup, eth0, USB, ...)

If dhcp, which client (pump, dhcpcd, dhclient,...)

Firewall (Bastille, Tiny, Smoothwall, ...), which type: ipchains, iptables, ...

Window manager/application problem/question: give the name
(gnome, kde, sawmill, kscd, kmix, eroaster, ...). Different
window managers can have different programs.

Give us error messages if you have them.
Look in your logs, /var/log/messages on Redhat and Mandrake.

If it is a shell/script question, give the shell name (bash, tcsh, zsh, ...)

Example: Using RH 7.3, kde, dhcpcd through a cable modem on RR in Fort Worth, TX.
         ipchains Tinyfirewall is disabled. Still cannot get a lease.

Can we assume you visit your vendor's site to get the latest updates
installed?

Besides disabling unneeded services, you should have the firewall
and xinetd set up to allow only connections from known IP addresses
where you can.

Here is why you need a FORMAT and clean install when your box IS cracked:
   http://en.tldp.org/LDP/LG/issue36/kuethe.html
4th paragraph.

Think about that paragraph.
You cannot use ANY of your pc's utilities to see if your box is cracked
and find what additional files are installed.

http://www.chkrootkit.org has a program for checking for rootkit installs
on the cracked box. That will tell you about known root kits if you have one.
The cracker may not have installed a rootkit.

What you can do is have a dual boot system. You install a second copy of
your OS and label it Auditor. You never, EVER mount it from the internet OS.

Some have suggested installing on a separate disk which is left unplugged until
you want to use it.

Anytime you THINK you've been cracked, you can boot into Auditor, mount the
internet os partition and start checking the internet OS partitions for new
files and whatnot.

Any time you KNOW your box is cracked, you should:
o Pull the box off the network. You do not want the police taking
        you and your equipment to jail because a cracker used it
        to crack a bank or military site. If the cracker removes their
        backtracks to their box, you get to do the jail time.

o Put the hard drive(s) into a standalone machine,
        mount the disk(s) readonly,
        save any data, user files, ...,

o Save a full copy of the disk(s) for your forensic attempt,
        save the disk(s) for FBI forensics if it's a Big, BIG dollar loss.

o Re-FORMAT disk drives and do a fresh install from known clean
        source to remove any possible back doors and/or password sniffers
        the cracker installed.

o Restore your saved files, verify that the restored files
        do not have the suid bit set "find / -perm +6000 -ls".

o Have everyone on the box's network change passwords and
        tell them that the cracker may have been running a
        password sniffer so they will not use the passwords ever again.
        Any other boxes logged into from the cracked box should
        have their passwords changed.

Install a modern firewall. Example: iptables is better than ipchains.
If you have a spare linux computer, you can use it to port scan
your box with nmap from http://www.insecure.org/nmap/

Get all the vendor updates to your distro.

You might want to read Armoring Linux
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Security-Quickstart-HOWTO.html
http://www.linuxdoc.org/HOWTO/Security-Quickstart-HOWTO/index.html
http://www.enteract.com/~lspitz/linux.html
http://www.ibiblio.org/pub/Linux/docs/HOWTO/Security-Quickstart-Redhat-HOWTO
http://www.ibiblio.org/pub/Linux/docs/linux-doc-project/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3.txt

        http://www.linuxsecurity.com/docs/colsfaq.html
        http://www.securityportal.com/lskb/articles/
        http://www.securityportal.com/lasg/
keep an eye on
        http://www.cert.org/advisories/

Never login as root unless you have to.
Set the mailer daemon to send root's email to your user account.
Do not surf the net as root. Root's browser should have everything
disabled, javascript, java, cookies, style sheets, auto anything.
Always login from the console, no su, telnet, ssh,..
That way a keystroke logger in your user account cannot
catch your root login password.

You can audit your system if you are using the rpm package manager with
  rpm -Va | grep '^..5' > /tmp/verify.log
It runs for a while; more than 5 minutes.

/tmp/verify.log will contain changes which you have made using
configuration tools

Hope crackers do not put in a rootkit which makes the rpm check obsolete.
I think this has happened, though I'm not sure. On one of my boxes
it cored after about 2 minutes; the log looked like it ran but never completed
the audit.

rpm -Va | grep '^..5' will give you a warm feeling about what changed.
That warm feeling might turn into the warm feeling you get when
you do not get to the bathroom in time. :(

The cracker could install trojaned files somewhere else and modify
PATH to use them instead of the files you just checked.
You could look at the report and see
        S.5....T c /root/.bash_profile
        S.5....T c /root/.bashrc
You see that and say, "Ok, I did change those. No problem."
BZZZZzzit. WRONG answer, Cracker changed your PATH and you are
running his code.

It also does not show additional files. I have created a site file in
/etc/profile.d which puts my site/bin into PATH.

Cracker can add his own cracked.sh file to change/add to PATH and
create aliases to substitute a stock command for his code.
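As an added example (not code from the post or its author), the POSIX shell functions below mechanise three of the checks in the reply above: filtering `rpm -Va` output for files whose MD5 changed and separating config files from packaged binaries, auditing PATH for the kind of entry that lets a fake `su` shadow the real one, and listing setuid/setgid files with a `find` form that current GNU find still accepts (the post's `-perm +6000` syntax was removed). The `rpm -Va` sample lines are constructed, and `/bin/su` as the expected location of `su` is an assumption for the demo.

```shell
#!/bin/sh
# Added example, not from the post. The rpm -Va lines below are a
# constructed sample, and /bin/su as the expected location is an assumption.

# Constructed "rpm -Va" output: column 1 is the attribute string ('5' in
# position 3 = MD5 digest changed), an optional 'c' marks a config file,
# and the last field is the path.
SAMPLE_RPM_VA='S.5....T c /root/.bash_profile
S.5....T c /root/.bashrc
.......T   /usr/bin/su
S.5....T   /bin/ls
.M......   /usr/lib/libfoo.so'

# stdin: rpm -Va lines. stdout: paths whose MD5 digest changed, i.e. what
# the post's "grep '^..5'" selects, reduced to the path column.
md5_changed() {
    awk 'substr($1, 3, 1) == "5" { print $NF }'
}

# Same, restricted to entries NOT flagged 'c'. A changed config file may be
# the admin's own edit; a changed packaged binary has no such excuse.
md5_changed_binaries() {
    awk 'substr($1, 3, 1) == "5" && $2 != "c" { print $NF }'
}

# Audit a colon-separated search path ("$1", default: current PATH).
# Flags empty and "." entries, relative entries and world-writable
# directories: each lets a non-root user put a fake "su" ahead of the
# real one. Returns 1 if anything was flagged, 0 otherwise.
audit_path() {
    path="${1:-$PATH}"
    rc=0
    old_ifs="$IFS"; IFS=:
    for d in $path; do
        case "$d" in
            ""|.)  echo "BAD current-dir entry: '${d:-<empty>}'"; rc=1; continue ;;
            /*)    ;;
            *)     echo "BAD relative entry: $d"; rc=1; continue ;;
        esac
        # 9th char of the "ls -ld" mode string is the other-write bit (-L follows symlinks)
        if [ -d "$d" ] && [ "$(ls -ldL "$d" | cut -c9)" = "w" ]; then
            echo "BAD world-writable dir: $d"; rc=1
        fi
    done
    IFS="$old_ifs"
    return "$rc"
}

# Resolve "$1" along search path "$3" (default: current PATH) and compare
# with the expected location "$2". Returns 1 and prints the mismatch if
# the shell would run something other than the expected binary.
check_cmd_location() {
    found=$(PATH="${3:-$PATH}"; export PATH; command -v "$1") || found="<not found>"
    if [ "$found" != "$2" ]; then
        echo "MISMATCH: $1 resolves to $found, expected $2"
        return 1
    fi
    return 0
}

# setuid/setgid regular files below "$1". The post's "find / -perm +6000"
# form is rejected by current GNU find; this POSIX form works everywhere.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

main() {
    echo "== MD5-changed files in the constructed rpm -Va sample =="
    printf '%s\n' "$SAMPLE_RPM_VA" | md5_changed
    echo "== of those, non-config files (expect none on a clean box) =="
    printf '%s\n' "$SAMPLE_RPM_VA" | md5_changed_binaries
    echo "== PATH audit =="
    audit_path && echo "no unsafe PATH entries"
    echo "== where does su resolve? (/bin/su is an assumed location) =="
    check_cmd_location su /bin/su && echo "su resolves to /bin/su"
    echo "== setuid/setgid files under /usr/bin =="
    list_setuid /usr/bin
}
main
```

`command -v` inside a script does not see interactive aliases, so the alias trick in the last paragraph above has to be checked in the interactive shell itself with `type su`; the PATH and location checks here cover the `/etc/profile.d` and `.bashrc` PATH changes the post describes. On a distribution with a merged `/usr`, `su` legitimately lives in `/usr/bin`, so the expected location is something to take from the package manager on a known-clean box, not from this script.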