
[no subject]



Regards
					Andrey V. Savochkin


On Mon, Jan 26, 1998 at 02:40:26PM +0000, Jose' Monteiro wrote:
> 
> I've installed RedHat 4.2 to serve as a router/firewall between an
> Office LAN and our NetServers LAN outside.
> 
> I used two NICs and the ipfwadm tool.
> 
> Some time later I started getting these logs from user.* facility in
> syslog:
> 
> Jan 21 01:02:04 gw2 syslog: pam_unix authentication session started,
> user nobody, service su
> Jan 21 01:02:53 gw2 syslog: pam_unix authentication session finished,
> user nobody, service su
> Jan 21 11:50:51 gw2 syslog: pam_unix authentication session started,
> user root, service su
> Jan 21 11:56:25 gw2 syslog: pam_unix authentication session finished,
> user root, service su
> 
> I panicked. I immediately added /bin/false shells in every account left
> with no shell in /etc/passwd (nobody, news, etc...)
> 
> And after this the logs started to be like this:
> 
> Jan 26 01:03:01 jupiter syslog: pam_unix authentication session
> started, user news, service su
> Jan 26 01:03:01 jupiter syslog: pam_unix authentication session
> finished, user news, service su
> Jan 26 01:03:02 jupiter syslog: pam_unix authentication session
> started, user nobody, service su
> Jan 26 01:03:02 jupiter syslog: pam_unix authentication session
> finished, user nobody, service su
> 
> The bastard still gets authenticated but doesn't log in because he
> has no shell.
> 
> The curious thing is: The only daemons running on this machine are
> sendmail, ssh and ftp!!
> 
> Anyway, I started fetching some documentation about this and found the
> RedHat 4.2 Errata in
> http://www.redhat.com/support/docs/rhl/rh42-errata-general.html.
> 
> quoting errata> Package: pam 
> quoting errata> Updated: 01-Oct-1997 
> quoting errata> 
> quoting errata> Problem:
> quoting errata> 
> quoting errata> (08-Aug-1997) Security Fix: This release of pam fixes
> quoting errata> a security hole related to the 'r' commands. This bug
> quoting errata> is limited to users who have as the last entry of
> quoting errata> their .rhosts a multi-homed machine; they could be
> quoting errata> subject to having their account hacked from any
> quoting errata> machine anywhere.
> quoting errata> Users who are still using Red Hat 4.0 and 4.1 are
> quoting errata> strongly encouraged to update to 4.2 and then install
> quoting errata> this update. 
> quoting errata> Solution:
> quoting errata> 
> quoting errata> Intel: Upgrade to pam-0.57-4.i386.rpm
> quoting errata> 
> quoting errata> Alpha: Upgrade to pam-0.57-4.alpha.rpm
> quoting errata> 
> quoting errata> SPARC: Upgrade to pam-0.57-4.sparc.rpm
> 
> I'm starting to make this recommended upgrade but before I do it, I
> would like to test this bug a little further.
> 
> Can you give me an explanation on how she broke in?
> Where can I find some documentation about this?
> 
> Thanks,
> 
> Jose Monteiro
> 


