Thanks for all the responses to my original query. It's pretty clear that I missed the md5 encryption on newer versions of Red Hat which is what got me sweating in the first place. Thanks also for all the suggestions for checking file integrity on Red Hat machines. Looks like rpm verification and tripwire are the only options next to having a non-connected machine with a fresh install somewhere to compare against. Too bad. Not that those are terrible options, but the Solaris Fingerprint database (http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl) is a great tool. Maybe someday we'll have similar tools for our favorite open source O/S's. Mike -----Original Message----- From: Stephen Smoogen [mailto:smoogenat_private] Sent: Friday, June 28, 2002 9:42 AM To: Mike Denka Cc: incidentsat_private Subject: Re: 33 character encrypted passwords in /etc/shadow If the 33 character passwords look like: $1$blahblahblahblahblah then the passwords are using M5sum instead of old DES passwords. Depending on the version of Red Hat Linux you are running this can come from using the authconfig command and turning on MD5sum passwords. If the password is in the form of $2$blahblahblahblahblah then it is a blowfish algorithm which I think only OpenBSD supports currently (but my data is old on this). The simplest way of checking your machine on Red Hat is to do a rpm -Va and look at the output. This checks the binaries on the system with what was listed in the RPM database. This is a very simple check and prone to being gotten around by good crackers. The next is to do the following: If the machine has a cdrom, and you have the original media.. mount the cdrom and do the following: rpm -Vp <name of RPM package on cdrom> # to see if they played with RPM so on my 7.3 machine: smoogen:{RPMS}$ rpm -qf /usr/bin/passwd passwd-0.67-1 root:{RPMS}# rpm -Vp passwd-0.67-1.i386.rpm This will give you assurance that the packages as installed from Red Hat Linux are there. However it will not tell you about packages/files that arent in RPM database... or if the rpm command itself had been altered.. On Thu, 2002-06-27 at 18:00, Mike Denka wrote: > Suddenly I'm seeing a few 33 character encrypted passwords showing up in > my /etc/shadow files on several Linux machines. And on at least one of > them, some of us whose entries have inexplicably changed from 13 > characters to 34 characters can no longer ssh in. First, has anyone > heard of any kind of rootkit or other intrusion that has this symptom? > Second, what's the easiest way to get a known good md5sum of a linux > distribution binary like /usr/sbin/passwd? Solaris has a nice web site > that will accept an md5sum and spit out the binary that matches it. Any > quick and easy way to do the same for various redhat distributions? > > > > Thanks, > > > > Mike > > > ------------------------------------------------------------------------ ---- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > -- Stephen John Smoogen smoogenat_private Los Alamos National Laboratoy CCN-2 PH: (505)-665-9408 Ta-03 SM-30 MailStop D445 DP 01U Los Alamos, NM 87544 ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 14:27:42 PDT