Security Incidents mailing list archives
FW: 33 character encrypted passwords in /etc/shadow
From: "Mike Denka" <mdenk () whidbey net>
Date: Fri, 28 Jun 2002 14:02:51 -0700
Thanks for all the responses to my original query. It's pretty clear that I missed the md5 encryption on newer versions of Red Hat, which is what got me sweating in the first place. Thanks also for all the suggestions for checking file integrity on Red Hat machines. Looks like rpm verification and tripwire are the only options next to having a non-connected machine with a fresh install somewhere to compare against. Too bad. Not that those are terrible options, but the Solaris Fingerprint database (http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl) is a great tool. Maybe someday we'll have similar tools for our favorite open source O/S's.

Mike

-----Original Message-----
From: Stephen Smoogen [mailto:smoogen () lanl gov]
Sent: Friday, June 28, 2002 9:42 AM
To: Mike Denka
Cc: incidents () securityfocus com
Subject: Re: 33 character encrypted passwords in /etc/shadow

If the 33 character passwords look like:

$1$blahblahblahblahblah

then the passwords are using MD5sum instead of old DES passwords. Depending on the version of Red Hat Linux you are running this can come from using the authconfig command and turning on MD5sum passwords.

If the password is in the form of

$2$blahblahblahblahblah

then it is a blowfish algorithm which I think only OpenBSD supports currently (but my data is old on this).

The simplest way of checking your machine on Red Hat is to do a rpm -Va and look at the output. This checks the binaries on the system with what was listed in the RPM database. This is a very simple check and prone to being gotten around by good crackers.

The next is to do the following: if the machine has a cdrom, and you have the original media, mount the cdrom and do the following:

rpm -Vp <name of RPM package on cdrom> # to see if they played with RPM

so on my 7.3 machine:

smoogen:{RPMS}$ rpm -qf /usr/bin/passwd
passwd-0.67-1
root:{RPMS}# rpm -Vp passwd-0.67-1.i386.rpm

This will give you assurance that the packages as installed from Red Hat Linux are there. However it will not tell you about packages/files that aren't in the RPM database... or if the rpm command itself had been altered.

On Thu, 2002-06-27 at 18:00, Mike Denka wrote:

Suddenly I'm seeing a few 33 character encrypted passwords showing up in my /etc/shadow files on several Linux machines. And on at least one of them, some of us whose entries have inexplicably changed from 13 characters to 34 characters can no longer ssh in. First, has anyone heard of any kind of rootkit or other intrusion that has this symptom? Second, what's the easiest way to get a known good md5sum of a linux distribution binary like /usr/sbin/passwd? Solaris has a nice web site that will accept an md5sum and spit out the binary that matches it. Any quick and easy way to do the same for various redhat distributions?

Thanks,
Mike
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-- 
Stephen John Smoogen smoogen () lanl gov
Los Alamos National Laboratory CCN-2
PH: (505)-665-9408
Ta-03 SM-30 MailStop D445 DP 01U Los Alamos, NM 87544
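As an added example, not part of this thread or of any Red Hat tool: a small Python audit that classifies each /etc/shadow password field by its crypt(3) prefix (the $1$ MD5 and $2$ blowfish forms Stephen describes, or a 13-character DES hash) and reports users whose scheme differs from a saved baseline copy of the file, which is exactly the symptom Mike noticed. It goes beyond the thread by also recognizing the later $2a$/$2b$/$2y$ bcrypt and $5$/$6$ SHA-crypt prefixes; every sample line and hash below is constructed.

```python
import re

# crypt(3) scheme prefixes. $1$ (MD5) and $2$ (blowfish) are the two the
# thread names; the later bcrypt variants and SHA-crypt are added here.
CRYPT_PREFIXES = [
    ("$1$", "md5-crypt"),
    ("$2$", "bcrypt"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256-crypt"),
    ("$6$", "sha512-crypt"),
]
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional 13-char DES crypt

def classify_hash(field):
    """Name the scheme of one /etc/shadow password field."""
    if not field or field[0] in "!*":
        return "locked-or-empty"
    for prefix, name in CRYPT_PREFIXES:
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des-crypt"
    return "unknown"  # anything else deserves a closer look

def parse_shadow(text):
    """Map user -> hash scheme for each well-formed line of a shadow file."""
    schemes = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0] or line.startswith("#"):
            continue
        schemes[parts[0]] = classify_hash(parts[1])
    return schemes

def scheme_changes(baseline_text, current_text):
    """Users whose scheme differs from a previously saved copy of the file."""
    old, new = parse_shadow(baseline_text), parse_shadow(current_text)
    return sorted((u, old[u], new[u]) for u in old if u in new and old[u] != new[u])

# Constructed sample data (dummy hashes, not real credentials): mike's entry
# went from a 13-character DES hash to a 34-character $1$ MD5 hash.
BASELINE = """\
root:ab3dEfGhIjKlM:11866:0:99999:7:::
mike:Nop4QrStUvWxY:11866:0:99999:7:::
ops:!!:11866:0:99999:7:::
"""
CURRENT = """\
root:ab3dEfGhIjKlM:11866:0:99999:7:::
mike:$1$Xy12Ab3c$0123456789abcdefghijkl:11866:0:99999:7:::
ops:!!:11866:0:99999:7:::
"""
```

Feed scheme_changes() a copy of /etc/shadow saved right after installation and the live file to list the entries whose hash scheme has changed since.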