Security :: Deleted File Stripes / Log Into A Passwd Less Acct?
Jul 2, 2010
I work for a seismic company that has recently experienced a security issue. Because we have an isolated network that is used for HPC work we have a very open security structure, i.e. password-less accounts, rsh, rlogin etc. We had, seemingly, a user that has maliciously deleted another user's files but I still haven't figured out how. So far I have been able to prove that this user has remotely logged into another host under that user's account... or at least that their workstation did. The /var/log/messages file shows logins from their workstation as that user multiple times during the times that these files were being deleted. There are wildcard searches for these files in the history on this host. There is a vi session initiated on this host for a file called delme (delete me), then a chmod +x for this file, and then a deletion of this file (rm delme).

Funny things: this user has no business in this account. This user was bounced off the other host (permission denied) when trying to log into the other host and then, as root, logged into the other host as the other account, repeatedly... i.e. rsh -l xxx (permission denied), then as root rsh -l xxx (logged in). Why not su xxx and then rsh? Password-less account?! Why use root privs (which they should not have) to log into a password-less account? Can't see any remote logins to their workstation from elsewhere. Can't find a smoking gun. No execution of the delme script or any other rm /*/xxx/* sort of command that proves when the deletion of the striped files happened?!
Changing the root passwd soon. Need proof that no remote logins to a CentOS 5.3 workstation could be responsible.
Could mean someone gets fired. How can I be sure that no other users logged into this machine and then into another machine?
View 2 Replies
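Added example, not part of the post above or its replies: a small sh/awk script that correlates remote logins into a target account with known deletion times, and summarises which ruser@rhost pairs ever logged in as that account. The log line layout (syslog prefix, then "ruser@rhost as luser") and every sample line are constructed for illustration; the real in.rshd/rlogind lines on a CentOS 5 box will differ, so adjust the awk field numbers. It also assumes all events fall on the same day, since it compares HH:MM:SS only.

```shell
#!/bin/sh
# Added example (not from the original post). Correlates remote logins into an
# account with file-deletion times. Log format and sample data are constructed:
# syslog prefix, then "ruser@rhost as luser". Adjust field numbers for real logs.

# logins_near_deletions DELETIONS LOG ACCOUNT WINDOW
#   DELETIONS: one HH:MM:SS per line (same day as the log slice: an assumption)
#   LOG:       syslog-style lines
#   ACCOUNT:   the account whose files were deleted
#   WINDOW:    seconds before a deletion within which a login is suspicious
# Prints one line per (login, deletion) pair that falls inside the window.
logins_near_deletions() {
  awk -v acct="$3" -v win="$4" '
    function secs(t,  a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
    FILENAME == ARGV[1] { ndel++; del[ndel] = secs($1); delraw[ndel] = $1; next }
    $7 == "as" && $8 == acct {
      t = secs($3)
      for (i = 1; i <= ndel; i++)
        if (t <= del[i] && del[i] - t <= win)
          printf "%s %s -> %s on %s, %ds before deletion at %s\n",
                 $3, $6, acct, $4, del[i] - t, delraw[i]
    }' "$1" "$2"
}

# login_sources LOG ACCOUNT: every ruser@rhost that logged in as ACCOUNT, with
# counts, so "root@ws42" next to "bob@ws42" stands out immediately.
login_sources() {
  awk -v acct="$2" '$7 == "as" && $8 == acct { n[$6]++ }
                    END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# demo_count: builds constructed inputs in temp files and prints the number of
# suspicious (login, deletion) pairs for account "alice" with a 600 s window.
demo_count() {
  d=$(mktemp -d) || return 1
  cat > "$d/deletions" <<'EOF'
14:03:10
15:13:00
EOF
  cat > "$d/messages" <<'EOF'
Jul  1 09:15:00 hpc07 rshd[4001]: root@ws42 as alice
Jul  1 13:58:02 hpc07 rshd[4410]: root@ws42 as alice
Jul  1 14:01:40 hpc07 rshd[4431]: bob@ws42 as alice
Jul  1 14:30:11 hpc07 rshd[4502]: carol@ws11 as carol
Jul  1 15:12:05 hpc07 rshd[4590]: root@ws42 as alice
EOF
  logins_near_deletions "$d/deletions" "$d/messages" alice 600 | wc -l | tr -d ' '
  rm -rf "$d"
}
```

Two practitioner notes. First, rsh/rlogin trust comes from /etc/hosts.equiv and the target user's ~/.rhosts, whose entries are "host [user]"; an entry that names root@ws42 but not the ordinary user would produce exactly the "permission denied as bob, accepted as root" pattern described, so read those files before drawing conclusions about motive. Second, on ext3 a deleted file leaves no timestamp of its own, but the parent directory's mtime is updated by the last unlink, which gives at least one anchor time; wtmp (`last`) and, if psacct was running, `lastcomm` are independent of the shell history the user could have edited.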
Oct 7, 2010
I deleted root from the passwd and shadow files. Can I create a new root user?
View 1 Replies
Jul 28, 2010
In what cases would a user appear in /etc/shadow and not /etc/passwd
View 2 Replies
Apr 22, 2010
We are trying to make a policy decision whether to go with SSH user/passwd or a PPK secure key. Our servers are hosted remotely by a hosting service. We were wondering which of these two models is more secure. E.g. I would tend to think that user/passwd with account lockouts upon failed attempts would be more secure, because the other option exposes your server in case someone sneaks the PPK file or steals your whole computer. However, what makes me doubt myself is that Amazon Web Services EC2 cloud hosting uses PPK by default (although an instance's SSH config can be changed to accommodate password logins, they don't endorse it).
View 3 Replies
Mar 8, 2011
Is there anyway to have a different password for login and root? For example, my account is Bratu. I want a login password: ABCD and my root password: EFG
View 1 Replies
Jan 26, 2011
Is it possible to log in via secure shell (OpenSSH) using a username and password which is not present in "/etc/passwd"? The shell created after authentication should be owned by the logged-in user. Is it possible to store the user information like uid, gid, home dir and shell on some remote machine instead of /etc/passwd and then retrieve this information when a session is created for the logged-in user?
View 2 Replies
Jan 14, 2011
We know that /etc/passwd- is a replica of the /etc/passwd file and acts as a backup in case of any damage done to the /etc/passwd file. I have observed a strange thing in RHEL 5.4. For example, if /etc/passwd has 100 accounts, then /etc/passwd- has only 99 accounts. When I add a 101st user account with "useradd", then /etc/passwd has 101 accounts and /etc/passwd- has the 100th account of /etc/passwd. When I delete /etc/passwd and recover it from /etc/passwd- in runlevel 1, the last created user does not have his account after recovery. What is the solution? This is the same case even with /etc/shadow and /etc/shadow-.
View 2 Replies
Apr 23, 2010
I am using Red Hat and was wondering how to disable username-and-password-only login and require that a PPK secure key file be used for authentication. I can log in using the secure private key and the public key that is in ~/.ssh/authorized_keys, but I can still log in using the plain username and password login.
View 2 Replies
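Added example, not from the post or its replies: a sh/awk checker that reports whether an sshd_config really disables password logins. It mirrors sshd's rule that the first non-commented occurrence of a keyword wins, and it treats commented-out lines as absent, which is the usual mistake (editing "#PasswordAuthentication no" changes nothing). The two sample configs are constructed; the defaults assumed for an OpenSSH of that era are PasswordAuthentication yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes and PermitRootLogin yes. Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post): report whether an sshd_config
# actually disables password logins. Sample configs below are constructed.
# Assumed defaults: PasswordAuthentication yes, ChallengeResponseAuthentication
# yes, PubkeyAuthentication yes, PermitRootLogin yes. Match blocks are ignored.

# sshd_opt FILE KEYWORD DEFAULT: effective value of KEYWORD (lower-cased).
# Like sshd, the first non-comment occurrence wins; "#Keyword" lines are skipped.
sshd_opt() {
  v=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print tolower($2); exit }' "$1")
  printf '%s\n' "${v:-$3}"
}

# check_sshd_config FILE: print every weak setting; return 0 only if key-only.
check_sshd_config() {
  f=$1 rc=0
  pa=$(sshd_opt "$f" PasswordAuthentication yes)
  cr=$(sshd_opt "$f" ChallengeResponseAuthentication yes)
  pk=$(sshd_opt "$f" PubkeyAuthentication yes)
  pr=$(sshd_opt "$f" PermitRootLogin yes)
  [ "$pa" = no ] || { echo "PasswordAuthentication $pa (want no)"; rc=1; }
  # With UsePAM yes, keyboard-interactive still asks for the Unix password
  # unless this is off too (newer releases call it KbdInteractiveAuthentication).
  [ "$cr" = no ] || { echo "ChallengeResponseAuthentication $cr (want no)"; rc=1; }
  [ "$pk" = yes ] || { echo "PubkeyAuthentication $pk (want yes)"; rc=1; }
  case $pr in
    no|without-password|prohibit-password) ;;
    *) echo "PermitRootLogin $pr (want no or prohibit-password)"; rc=1 ;;
  esac
  return $rc
}

# demo_weak: constructed stock-looking file where the fix was only commented in.
demo_weak() {
  f=$(mktemp) || return 2
  cat > "$f" <<'EOF'
#PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
  rc=0; check_sshd_config "$f" || rc=$?
  rm -f "$f"; return $rc
}

# demo_hardened: constructed key-only configuration; prints nothing, returns 0.
demo_hardened() {
  f=$(mktemp) || return 2
  cat > "$f" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
UsePAM yes
EOF
  rc=0; check_sshd_config "$f" || rc=$?
  rm -f "$f"; return $rc
}
```

After editing the real file, run `sshd -t` to syntax-check it and keep your current session open while you restart sshd and test a fresh key login and a fresh password attempt from another terminal; locking yourself out of a remotely hosted box is the failure mode the original poster's setup invites.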
May 20, 2010
Well, we all know that it holds passwords. But cat-ing it gives out nothing. Not even encrypted gibberish. So how exactly is a password stored in this? Is this like a device file or something?
View 4 Replies
Sep 18, 2010
I was doing some experiments about resource accessing. By mistake, I executed this command: $ sudo mv /etc/passwd /etc/passwd.bak. Then I could not execute any command with privilege (e.g. sudo mv /etc/passwd.bak /etc/passwd). When I shut the system down, I could not boot it any more.
View 2 Replies
Aug 10, 2010
I got a user account on a Linux network. But when I look in the /etc/passwd file, I don't see my username there. Where would I find my username?
View 3 Replies
Apr 11, 2010
Unfortunately I lost my passwd file... so how to recover that?
View 8 Replies
Feb 11, 2010
I just installed a clean install of suse 11.2. I then installed acct, using yast2.
Finally I did:
sudo /sbin/chkconfig psacct on
sudo /etc/init.d/psacct start
So far so good. The problem is that if I now do: sudo /usr/sbin/sa I only see root processes. None of the user processes seem to show up. If I run it with the -m flag, I just see a total and a root row, no users show up at all. But I do have user accounts on the machine, and I am working in one of them (only root when necessary). Why, or what to do about it? Is there something else that has to be configured? As I understand it, sa -m should show a summary for all users, not just for root. I want to be able to see how much time different users are using.
View 1 Replies
Dec 31, 2010
I have Debian 5.0.7 installed on my server. I am trying to install Apache and SVN on this server. I use this tutorial: http://www.howtoforge.com/subversion...-ubuntu-server
But it is unfortunately not working.
My apache virtual host configuration file is:
Code:
This passwd file containing 1 user:
Code:
The rights for the passwd file:
Code:
And apache2 is running like this:
Code:
And if I try to login to my page I got an "Internal Server Error" page.
And my error is in the apache log is this:
Code:
So I'm a little bit confused about it. apache2 should have the rights to open this file. I checked it: the file exists and apache2 has rights to it. I don't understand it.
View 1 Replies
Nov 10, 2009
I have a list of locked accounts, called lockedusers, how can I with a bash script compare it to /etc/passwd on the server and print them out if they match?
View 2 Replies
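Added example, not from the post or its replies: a sh/awk approach to the comparison that also cross-checks /etc/shadow, because a name on a "locked" list is not the same as an account that cannot authenticate. The list, passwd and shadow files used by the demo are constructed; point the functions at the real files (as root, since shadow is not world-readable).

```shell
#!/bin/sh
# Added example (not from the original post): compare a list of supposedly
# locked accounts with /etc/passwd and /etc/shadow. Demo inputs are constructed.

# listed_in_passwd LOCKEDLIST PASSWD: names from LOCKEDLIST that exist in PASSWD,
# in PASSWD order. Blank lines in the list are ignored.
listed_in_passwd() {
  awk -F: 'FILENAME == ARGV[1] { if ($1 != "") want[$1] = 1; next }
           ($1 in want) { print $1 }' "$1" "$2"
}

# unlocked_but_listed LOCKEDLIST SHADOW: names from LOCKEDLIST whose shadow hash
# does not start with "!" (passwd -l / usermod -L) or "*" (no password set), i.e.
# accounts the list calls locked but which can still authenticate by password.
unlocked_but_listed() {
  awk -F: 'FILENAME == ARGV[1] { if ($1 != "") want[$1] = 1; next }
           ($1 in want) && $2 !~ /^[!*]/ { print $1 }' "$1" "$2"
}

# demo: constructed files; "mallory" is on the list but has no account, and
# "carol" is on the list but her shadow entry is not actually locked.
demo() {
  d=$(mktemp -d) || return 1
  printf '%s\n' bob carol mallory > "$d/lockedusers"
  cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
EOF
  cat > "$d/shadow" <<'EOF'
root:$6$constructed$hash:15000:0:99999:7:::
alice:$6$constructed$hash:15000:0:99999:7:::
bob:!$6$constructed$hash:15000:0:99999:7:::
carol:$6$constructed$hash:15000:0:99999:7:::
EOF
  echo "listed and present in passwd:"
  listed_in_passwd "$d/lockedusers" "$d/passwd"
  echo "listed but not actually locked in shadow:"
  unlocked_but_listed "$d/lockedusers" "$d/shadow"
  rm -rf "$d"
}
```

A "!"-locked hash only blocks password authentication; an account with an authorized_keys file or an rhosts entry can still log in, so a lock list is only complete when the other authentication paths are reviewed as well.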
Feb 21, 2010
I just did a clean install of suse 11.2. I then installed acct, using yast2. Finally I did:
sudo /sbin/chkconfig psacct on
sudo /etc/init.d/psacct start
So far so good. The problem is that if I now do: sudo /usr/sbin/sa I only see root processes. None of the user processes seem to show up. If I run it with the -m flag, I just see a total and a root row, no users show up at all. But I do have user accounts on the machine, and I am working in one of them (only root when necessary). Any ideas why, or what to do about it? Is there something else that has to be configured? As I understand it, sa -m should show a summary for all users, not just for root. I want to be able to see how much time different users are using.
View 1 Replies
Apr 6, 2010
Creating a script which evaluates whether or not the passwd file has changed.
View 4 Replies
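Added example, not from the post or its replies: a sh script that stores a baseline copy and SHA-256 of the passwd file, reports a diff when the file changes, and separately flags any UID 0 account other than root, which is the change an attacker most often makes. Paths are parameters; the baseline directory is assumed to be root-only. The test inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): detect changes to a passwd file.
# Keeps a copy plus SHA-256 in a baseline directory (assumed root-only, e.g.
# /var/lib/passwd-baseline) so a change can be shown as a diff, not just a flag.

# passwd_baseline FILE DIR: record the current FILE as the baseline in DIR.
passwd_baseline() {
  mkdir -p "$2" && cp "$1" "$2/copy" &&
    sha256sum "$1" | awk '{ print $1 }' > "$2/sha256"
}

# passwd_changed FILE DIR: return 0 and print a diff if FILE differs from the
# baseline, 1 if unchanged, 2 if there is no baseline. The hash comparison keeps
# the unchanged case cheap; the diff names the accounts added, removed or edited.
passwd_changed() {
  [ -f "$2/sha256" ] || return 2
  now=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$now" = "$(cat "$2/sha256")" ] && return 1
  echo "$1 changed since baseline:"
  diff "$2/copy" "$1" || :
  return 0
}

# passwd_extra_uid0 FILE: print every account with UID 0 that is not "root".
# A second UID 0 login is a classic backdoor and worth checking on every run.
passwd_extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}
```

Run `passwd_changed /etc/passwd /var/lib/passwd-baseline` from cron and re-baseline only after a human has reviewed the diff; the same three functions work unchanged on /etc/shadow and /etc/group.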
Aug 5, 2010
What is the easiest way to replace a hash in a shadow file for one particular user, not using passwd, and when the current password is unknown?
View 3 Replies
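Added example, not from the post or its replies: a sh/awk function that swaps the hash field of one user in a shadow-format file and updates the last-change day, leaving every other line byte-identical. The demo file and hash strings are constructed; a real sha512-crypt hash comes from `openssl passwd -6` (OpenSSL 1.1.1 or later) or `mkpasswd -m sha-512` from the whois package. Work on a copy first.

```shell
#!/bin/sh
# Added example (not from the original post): replace one user's hash in a
# shadow-format file without knowing the old password. Demo data is constructed.

# replace_shadow_hash FILE USER NEWHASH
# Rewrites field 2 (hash) and field 3 (last-change, days since the epoch) of
# USER's line. Writes through a temp file and copies back with cat so FILE keeps
# its mode and owner. Returns 1 (FILE untouched) if USER is not present.
replace_shadow_hash() {
  f=$1 u=$2 h=$3
  today=$(( $(date +%s) / 86400 ))
  tmp=$(mktemp) || return 1
  if awk -F: -v OFS=: -v u="$u" -v h="$h" -v d="$today" '
        $1 == u { $2 = h; $3 = d; found = 1 }
        { print }
        END { exit !found }' "$f" > "$tmp"
  then
    cat "$tmp" > "$f"; rm -f "$tmp"; return 0
  else
    rm -f "$tmp"; return 1
  fi
}

# shadow_hash FILE USER: print USER's current hash field, for verification.
shadow_hash() { awk -F: -v u="$2" '$1 == u { print $2 }' "$1"; }

# demo: constructed shadow file; bob is locked ("!" prefix) with an old hash.
demo() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
root:$6$constructed$roothash:15000:0:99999:7:::
bob:!$6$constructed$oldhash:15000:0:99999:7:::
carol:$6$constructed$carolhash:15000:0:99999:7:::
EOF
  replace_shadow_hash "$f" bob '$6$constructed$newhash' &&
    echo "bob now: $(shadow_hash "$f" bob)"
  rm -f "$f"
}
```

Note the demo's side effect: writing a fresh hash over a "!"-prefixed field unlocks the account, which is what you want when resetting a forgotten password and not when the lock was deliberate. On a live system prefer `chpasswd -e` (reads "user:hash" on stdin and takes the proper file lock) to hand-editing; `usermod -p` also works but exposes the hash on the process list.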
Jun 22, 2010
The last field of the /etc/passwd file is the login shell; what if I replace it with /usr/bin/date?
What would happen? By the way, I try to use $ su but don't know the password. What's the default root password for Ubuntu?
View 9 Replies
Dec 25, 2010
When logging in as a normal user and searching for a file passwd under /etc, I get a few errors with permission denied. How to ignore these permission denied errors?
csh hostname 109 % find . -name passwd
find: ./lvm/backup: Permission denied
find: ./lvm/archive: Permission denied
[code]....
View 4 Replies
Mar 13, 2011
I have just updated to openSUSE 11.4 [64 bit]; rkhunter is giving these warnings:
Warning: User 'rtkit' has been added to the passwd file.
Warning: User 'pulse' has been added to the passwd file.
Warning: User 'statd' has been added to the passwd file.
Warning: Changes found in the group file for group 'audio': User 'pulse' has been added to the group
Warning: Group 'rtkit' has been added to the group file.
Warning: Group 'pulse' has been added to the group file.
Warning: Group 'pulse-access' has been added to the group file.
Warning: Suspicious file types found in /dev: /dev/shm/initrd_exports.sh: ASCII text
Warning: Hidden directory found: /dev/.sysconfig
Warning: Hidden directory found: /dev/.mount
Do these look normal? Are these false positives?
View 4 Replies
Jan 10, 2010
Why is it that certificates need to be revoked with OpenVPN? I simply removed them from the keys folder, but every time the client connects it just places the certificates back into the keys folder itself?! Should that be possible?
Secondly, I have a problem with the revoke command. Is there a known setting in the openssl.cnf file that might cause this?
[root@server]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
[root@server]# ./revoke-full client2
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
error on line 282 of config file '/etc/openvpn/easy-rsa/2.0/openssl.cnf'
21368:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282
code....
View 1 Replies
Jan 10, 2011
I used the ext3 format when I formatted my partition prior to installing Ubuntu 10.10. I had accidentally deleted a file and began the process to get it back. It wasn't critical but helpful to recover the file. To make a long story short, I ran into some unexpected road blocks. I tried to use PhotoRec to get the job done but with no success.
I'm just looking down the road in the event I might have to recover something important. If it would be better going back to the FAT32 file system, I would rather do it sooner than later. Just as a side note, I am dual booting between Linux and Windows.
View 6 Replies
Jan 1, 2011
My Linux is Fedora release 13. I found there are a few users created not by me. I am not sure if the system got hacked somehow and then the hackers created these users, i.e. (1) oracle, (2) exim, (3) test, (4) cox. I tried to delete all of these four users by using the "userdel" command but the system said "I cannot delete these users as the users are logged in". Did my system get hacked, or were these users created by the system itself?
View 8 Replies
Sep 7, 2010
I haven't been able to find anything on the 'net about this: when running "rkhunter --enable all", I get this warning:
Code:
However, when I navigate to the gvfs-metadata folder, the home file is there, 124.8 KB in size, of unknown type, and gedit can't open it. The file in /tmp/, on the other hand, doesn't exist.
Why is Terminal using a deleted file, and why is the home file being reported as deleted when it isn't?
View 3 Replies
Jun 21, 2011
I was trying to edit my Firefox AppArmor profile. I used aa-genprof, and accidentally closed the terminal before the program was finished. Firefox wouldn't load properly after that whenever it was enforced. I uninstalled and reinstalled the profiles, but it didn't help. Finally I deleted the files for the profile itself... now it will not reinstall them. I marked all the apparmor packages for complete removal and then reinstalled them, but it will not put the original Firefox profile back in.
View 2 Replies
Apr 25, 2010
Recently, I started protecting all user-accessible filesystems on my Sidux desktop machine with LUKS. Before that, I would regularly erase traces of deleted data, and I wonder if this is still necessary.
It would be most valuable to me to be pointed towards a good introductory article on the underlying mechanics of LUKS and cryptsetup, as there are a few more minor questions to be answered. Unfortunately, I lack the necessary mathematic and cryptographic background to understand scientific papers.
View 2 Replies
May 24, 2010
I don't know whether this is a bug or a feature. But I find the fact that the Trash in GNOME doesn't delete trashinfo files a security liability.
I found in ~/.local/share/Trash/info thousands of .trashinfo files named exactly like the files deleted, and each one contains the date of deletion.
I thought when I empty the trash bin every record of the files was removed. I understand that there are forensic ways to recover data and rm isn't very secure with journaled file systems, but forensic recovery isn't 100%, and if the disk is written over several times the data is gone.
Here you have a permanent list of all the files you've deleted, without you knowing, and the dates of deletion. IMO that's too much information.
Update: Weird, after removing the files manually and then trying to delete files again using the trash, I found no .trashinfo files this time. So they were probably leftover files, but they didn't have a different owner/permission. Could this have been an issue that is now fixed? (running Lucid)
View 1 Replies
May 17, 2011
I have carefully made daily backups using rdiff-backup, so in the case of needing to restore I can do so.
But I deleted a directory yesterday, and made a backup in the evening. Therefore, the directory is not in the latest mirror, but in the incremental backup from yesterday.
Now I need to restore the directory. But I cannot figure out how to!
I can see the directory in yesterday's incremental backup; i.e., the following works:
Code:
Where [backupdir] is the backup (mirror) directory, and [nameofdir] is the name of the directory I'm trying to restore.
So, I have tried to restore. This is the type of thing I have tried:
Code:
Where to-restore.lst holds the name of the directory to restore (in rdiff-backup's format) and [restoredir]is where I want the restored directory to go to.
But, I get errors like:
Code:
Useful file specifications begin with the base directory or some pattern (such as '**') which matches the base directory. Well, obviously the file specification doesn't exist in the [restoredir]. That's because I'm trying to restore it! If I try to create an empty directory first, it complains:
Code:
How do I restore a deleted directory from a previous day's backup to a designated destination?
View 2 Replies
Jun 2, 2011
Following bad instructions too fast to reset the default keyring password, I deleted the file .gnome2/login.keyring! I can still log in and get to a terminal and do instructions from there. I can also still log in with root and a guest account. But my desktop is just blank and I can't, even as root, access my files.
View 5 Replies