Re: 33 character encrypted passwords in /etc/shadow

From: Stephen Smoogen (smoogenat_private)
Date: Fri Jun 28 2002 - 09:42:00 PDT

Next message: Jeremy Junginger: "Textbook CodeRed v2 Caught By Snort"

Previous message: Skip Carter: "Re: FW: Apache worm in the wild"
In reply to: Mike Denka: "33 character encrypted passwords in /etc/shadow"
Next in thread: Mike Denka: "FW: 33 character encrypted passwords in /etc/shadow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If the 33 character passwords look like:

$1$blahblahblahblahblah

then the passwords are using M5sum instead of old DES passwords.
Depending on the version of Red Hat Linux you are running this can come
from using the authconfig command and turning on MD5sum passwords.

If the password is in the form of
$2$blahblahblahblahblah

then it is a blowfish algorithm which I think only OpenBSD supports
currently (but my data is old on this).

The simplest way of checking your machine on Red Hat is to do a 

rpm -Va 

and look at the output. This checks the binaries on the system with what
was listed in the RPM database. This is a very simple check and prone to
being gotten around by good crackers. The next is to do the following:

If the machine has a cdrom, and you have the original media.. mount the
cdrom and do the following:

rpm -Vp <name of RPM package on cdrom> # to see if they played with RPM

so on my 7.3 machine:

smoogen:{RPMS}$ rpm -qf /usr/bin/passwd
passwd-0.67-1
root:{RPMS}# rpm -Vp passwd-0.67-1.i386.rpm 

This will give you assurance that the packages as installed from Red Hat
Linux are there. However it will not tell you about packages/files that
arent in RPM database... or if the rpm command itself had been altered..

On Thu, 2002-06-27 at 18:00, Mike Denka wrote:
> Suddenly I'm seeing a few 33 character encrypted passwords showing up in
> my /etc/shadow files on several Linux machines.  And on at least one of
> them, some of us whose entries have inexplicably changed from 13
> characters to 34 characters can no longer ssh in.   First, has anyone
> heard of any kind of rootkit or other intrusion that has this symptom?
> Second, what's the easiest way to get a known good md5sum of a linux
> distribution binary like /usr/sbin/passwd?  Solaris has a nice web site
> that will accept an md5sum and spit out the binary that matches it.  Any
> quick and easy way to do the same for various redhat distributions?  
> 
>  
> 
> Thanks,
> 
>  
> 
> Mike
> 
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
> 
-- 
Stephen John Smoogen		smoogenat_private
Los Alamos National Laboratoy	CCN-2	PH: (505)-665-9408
Ta-03 SM-30  MailStop D445 DP 01U  Los Alamos, NM 87544

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Jeremy Junginger: "Textbook CodeRed v2 Caught By Snort"
Previous message: Skip Carter: "Re: FW: Apache worm in the wild"
In reply to: Mike Denka: "33 character encrypted passwords in /etc/shadow"
Next in thread: Mike Denka: "FW: 33 character encrypted passwords in /etc/shadow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 12:47:10 PDT