FW: 33 character encrypted passwords in /etc/shadow

["Mike Denka" <mdenk () whidbey net>]

Thanks for all the responses to my original query.  It's pretty clear
that I missed the md5 encryption on newer versions of Red Hat which is
what got me sweating in the first place.  

Thanks also for all the suggestions for checking file integrity on Red
Hat machines.  Looks like rpm verification and tripwire are the only
options next to having a non-connected machine with a fresh install
somewhere to compare against.  Too bad.  Not that those are terrible
options, but the Solaris Fingerprint database
(http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl) is a great tool.
Maybe someday we'll have similar tools for our favorite open source
O/S's.

Mike

-----Original Message-----
From: Stephen Smoogen [mailto:smoogen () lanl gov] 
Sent: Friday, June 28, 2002 9:42 AM
To: Mike Denka
Cc: incidents () securityfocus com
Subject: Re: 33 character encrypted passwords in /etc/shadow

If the 33 character passwords look like:

$1$blahblahblahblahblah

then the passwords are using M5sum instead of old DES passwords.
Depending on the version of Red Hat Linux you are running this can come
from using the authconfig command and turning on MD5sum passwords.

If the password is in the form of
$2$blahblahblahblahblah

then it is a blowfish algorithm which I think only OpenBSD supports
currently (but my data is old on this).

The simplest way of checking your machine on Red Hat is to do a 

rpm -Va 

and look at the output. This checks the binaries on the system with what
was listed in the RPM database. This is a very simple check and prone to
being gotten around by good crackers. The next is to do the following:

If the machine has a cdrom, and you have the original media.. mount the
cdrom and do the following:

rpm -Vp <name of RPM package on cdrom> # to see if they played with RPM

so on my 7.3 machine:

smoogen:{RPMS}$ rpm -qf /usr/bin/passwd
passwd-0.67-1
root:{RPMS}# rpm -Vp passwd-0.67-1.i386.rpm 

This will give you assurance that the packages as installed from Red Hat
Linux are there. However it will not tell you about packages/files that
arent in RPM database... or if the rpm command itself had been altered..


On Thu, 2002-06-27 at 18:00, Mike Denka wrote:
> Suddenly I'm seeing a few 33 character encrypted passwords showing up
in
> my /etc/shadow files on several Linux machines.  And on at least one
of
> them, some of us whose entries have inexplicably changed from 13
> characters to 34 characters can no longer ssh in.   First, has anyone
> heard of any kind of rootkit or other intrusion that has this symptom?
> Second, what's the easiest way to get a known good md5sum of a linux
> distribution binary like /usr/sbin/passwd?  Solaris has a nice web
site
> that will accept an md5sum and spit out the binary that matches it.
Any
> quick and easy way to do the same for various redhat distributions?  
>
>  
>
> Thanks,
>
>  
>
> Mike
------------------------------------------------------------------------
----
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
-- 
Stephen John Smoogen            smoogen () lanl gov
Los Alamos National Laboratoy   CCN-2   PH: (505)-665-9408
Ta-03 SM-30  MailStop D445 DP 01U  Los Alamos, NM 87544


------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com