I had a strange problem with one of my own RedHat machines the other
day. Very simply, I couldn't su to root, and I couldn't even login
at the console as root. I hadn't forgotten the password, but the
system just wouldn't let me in.
As it happened, I didn't have time to deal with the problem right
that moment (obviously I didn't urgently need root access right then)
so I didn't get back to this till the next day. To my surprise,
I was now able to login or su as I wished.
My immediate thought was "rooted!". But after a moment's reflection
I wondered "how?" I'm behind a firewall. I don't allow inbound traffic
to ssh, telnet or anything else. I watch the blinking lights on
the lan when machines are supposed to be quiet, and I disconnect
the cable modem when I'm done for the day. I really doubted that
this machine had been rooted, but what the heck, might as well check.
RKHunter is a shell script that runs on just about any Unixy OS from AIX to Solaris and
even Mac OS X. That wide range of OS support makes this a very useful
tool to have on your machines.
But it turned up no problems. And indeed, I couldn't see any indication
of even an attempted breach. I left the modem connected after hours and
watched the lights on the lan for any activity; all was quiet. I downloaded
other root kit checkers; they all said the system was clean. So what
was going on?
Well, it was my own doing. I completely forgot that I had protected
this system with pam_tally
in addition to other things. I had mistyped my password twice and
locked myself out. I reset that every hour during working hours, so it
had cleared itself quickly, which is why I could log in the next day.
Still, it was a good thing. I had been lax and had not checked
any of my systems for rootkits in quite a while. That's probably
not a good idea. For example, RKHunter showed me that I had
"PermitRootLogin yes" in one box's sshd_config. That had been
intended as a momentary convenience, but I had forgotten to take
it out. sshd wasn't actually running on that box, so it really
didn't matter, but I could have easily turned it on without checking
the configuration. RKHunter looks for things like that and more.
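Here is the kind of check RKHunter does on sshd_config, written out as a small POSIX shell script. This is an added example, not code from RKHunter or from this post. It assumes the usual sshd_config layout (first occurrence of a keyword wins, and anything after a "Match" line is conditional rather than global), treats a missing directive as permitting root because OpenSSH releases before 7.0 defaulted PermitRootLogin to yes, and constructs its own sample config files so it can be run anywhere. The reset helper at the end uses the documented pam_tally --user/--reset options and is only useful on a box that actually has pam_tally installed.

```sh
#!/bin/sh
# Print the effective global PermitRootLogin value from an sshd_config file.
# sshd honours the first occurrence of a keyword, and directives after the
# first "Match" line only apply inside that conditional block, so we stop at
# either point.  Commented-out lines ("#PermitRootLogin no") never match
# because their first field still carries the "#".
permit_root_login() {
    awk '
        tolower($1) == "match" { exit }              # conditional section: stop
        tolower($1) == "permitrootlogin" && NF >= 2 {
            print tolower($2); found = 1; exit       # first directive wins
        }
        END { if (!found) print "unset" }            # no global directive at all
    ' "$1"
}

# Return 0 (true) when root could log in over ssh with this config: either an
# explicit "yes", or no directive at all on an OpenSSH older than 7.0, whose
# built-in default was yes.  Treating "unset" as risky is the conservative
# audit choice; adjust it if every host you run has a newer OpenSSH.
root_login_permitted() {
    case "$(permit_root_login "$1")" in
        yes|unset) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample configs for demonstration only; not from any real host.
# Prints the path of a temporary file holding the requested variant.
sample_config() {
    f=$(mktemp) || return 1
    case "$1" in
    lax) cat > "$f" <<'EOF'
# constructed sample: the "momentary convenience" the article describes
Port 22
#PermitRootLogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF
    ;;
    hardened) cat > "$f" <<'EOF'
# constructed sample: root logins refused, password auth off
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF
    ;;
    esac
    echo "$f"
}

# Clear a user's failed-login counter, which is what the author's hourly job
# did for the box in the story.  pam_tally(8) documents --user and --reset;
# this needs root and a system that actually uses pam_tally.  Run
# "pam_tally --user root" (no --reset) to just look at the count.
reset_login_tally() {
    pam_tally --user "$1" --reset
}

# Stand-alone run: audit both constructed samples.
for variant in lax hardened; do
    cfg=$(sample_config "$variant")
    if root_login_permitted "$cfg"; then
        echo "$variant: PermitRootLogin=$(permit_root_login "$cfg") -> WARNING, root can log in over ssh"
    else
        echo "$variant: PermitRootLogin=$(permit_root_login "$cfg") -> ok"
    fi
    rm -f "$cfg"
done
```

Point it at a real file with permit_root_login /etc/ssh/sshd_config, and remember the caveat from the story: the setting matters even when sshd is stopped, because someone will eventually start it without re-reading the config.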
Got something to add? Send me email.
© 2012-07-15 Anthony Lawrence