
Re: pam in RedHat 4.2



you've fallen victim to crontab...

check out your system's crontabs to see who the "bastard" is *grin*

tom

On Jan 26,  2:40pm, Jose' Monteiro wrote:
> Subject: pam in RedHat 4.2
>
> I've installed RedHat 4.2 to serve as a router/firewall between an
> Office LAN and our NetServers LAN outside.
>
> I used two NIC's and the ipfwadm tool.
>
> Some time later I started getting these logs from user.* facility in
> syslog:
>
> Jan 21 01:02:04 gw2 syslog: pam_unix authentication session started,
> user nobody, service su
> Jan 21 01:02:53 gw2 syslog: pam_unix authentication session finished,
> user nobody, service su
> Jan 21 11:50:51 gw2 syslog: pam_unix authentication session started,
> user root, service su
> Jan 21 11:56:25 gw2 syslog: pam_unix authentication session finished,
> user root, service su
>
> I panicked. I immediately added /bin/false shells in every account left
> with no shell in /etc/passwd (nobody, news, etc...)
>
> And after this the logs started to be like this:
>
> Jan 26 01:03:01 jupiter syslog: pam_unix authentication session
> started, user news, service su
> Jan 26 01:03:01 jupiter syslog: pam_unix authentication session
> finished, user news, service su
> Jan 26 01:03:02 jupiter syslog: pam_unix authentication session
> started, user nobody, service su
> Jan 26 01:03:02 jupiter syslog: pam_unix authentication session
> finished, user nobody, service su
>
> The bastard still gets authenticated but doesn't log in because he
> has no shell.
>
> The curious thing is: The only daemons running on this machine are
> sendmail, ssh and ftp!!
>
> Anyway, I started fetching some documentation about this and found the
> RedHat 4.2 Errata in
> http://www.redhat.com/support/docs/rhl/rh42-errata-general.html.
>
> quoting errata> Package: pam
> quoting errata> Updated: 01-Oct-1997
> quoting errata>
> quoting errata> Problem:
> quoting errata>
> quoting errata> (08-Aug-1997) Security Fix: This release of pam fixes
> quoting errata> a security hole related to the 'r' commands. This bug
> quoting errata> is limited to users who have as the last entry of
> quoting errata> their .rhosts a multi-homed machine; they could be
> quoting errata> subject to having their account hacked from any
> quoting errata> machine anywhere.
> quoting errata> Users who are still using Red Hat 4.0 and 4.1 are
> quoting errata> strongly encouraged to update to 4.2 and then install
> quoting errata> this update.
> quoting errata> Solution:
> quoting errata>
> quoting errata> Intel: Upgrade to pam-0.57-4.i386.rpm
> quoting errata>
> quoting errata> Alpha: Upgrade to pam-0.57-4.alpha.rpm
> quoting errata>
> quoting errata> SPARC: Upgrade to pam-0.57-4.sparc.rpm
>
> I'm starting to make this recommended upgrade but before I do it, I
> would like to test this bug a little further.
>
> Can you give me an explanation on how she broke in?
> Where can I find some documentation about this?
>
> Thanks,
>
> Jose Monteiro
>
>-- End of excerpt from Jose' Monteiro



-- 
______________________________________________________________
Tom Ryan                                   Voice: 609 225-6361
Systems Programmer                           Fax: 609 225-6487
Rutgers School of Law - Camden
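
The crontab check suggested in the reply above, as an added example that is not part of the original thread: it labels each "su" session start from the quoted syslog lines as cron-driven when it begins shortly after a scheduled job, and leaves the rest for manual review. The crontab content, the year, the 5-minute window and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Subset of the log lines from the original post, unwrapped.
LOG = """\
Jan 21 01:02:04 gw2 syslog: pam_unix authentication session started, user nobody, service su
Jan 21 01:02:53 gw2 syslog: pam_unix authentication session finished, user nobody, service su
Jan 21 11:50:51 gw2 syslog: pam_unix authentication session started, user root, service su
Jan 21 11:56:25 gw2 syslog: pam_unix authentication session finished, user root, service su
Jan 26 01:03:01 jupiter syslog: pam_unix authentication session started, user news, service su
Jan 26 01:03:02 jupiter syslog: pam_unix authentication session started, user nobody, service su
"""

# Constructed crontab (assumption, not from the post): one daily job at 01:02.
CRONTAB = """\
# minute hour dom month dow user command
02 1 * * * root run-parts /etc/cron.daily
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) syslog: pam_unix authentication "
                  r"session started, user (\S+), service su$")

def cron_times(crontab):
    """Return (hour, minute) for entries with literal minute and hour fields."""
    times = []
    for line in crontab.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].isdigit() and f[1].isdigit():
            times.append((int(f[1]), int(f[0])))
    return times

def classify(log, crontab, window_min=5, year=1998):
    """Label each su session start 'cron' if it begins within window_min
    minutes after a scheduled job, else 'review'. Syslog timestamps carry
    no year, so 1998 is assumed here."""
    out = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "finished" lines and unrelated messages are skipped
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hit = any(timedelta(0) <= ts - ts.replace(hour=h, minute=mi, second=0)
                  <= timedelta(minutes=window_min) for h, mi in cron_times(crontab))
        out.append((m.group(1), m.group(3), "cron" if hit else "review"))
    return out

if __name__ == "__main__":
    for row in classify(LOG, CRONTAB):
        print(*row, sep="  ")
```

On a real host, feed it the actual /etc/crontab plus the per-user crontabs; a session labelled "review" only means no schedule explains it, not that it is hostile.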


