* [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Paul Hartman @ 2010-08-09 16:25 UTC
To: gentoo-user

Hi, today when working remotely I ran nethogs and noticed suspicious network traffic coming from my home gentoo box. It was very low traffic (less than 1KB/sec bandwidth usage) but according to nethogs it was between a root user process and various suspicious-looking ports on outside hosts in other countries that I have no business with. netstat didn't show anything, however, but when I ran chkrootkit it told me that netstat was INFECTED. I immediately issued "shutdown -h now" and now I won't be able to take a further look at it until I get home and have physical access to the box. System uptime was a few months. It was last updated for installation of a 2.6.33 kernel (2.6.35 is out now).

I have 3 goals now:

1) Figure out what is running on my box and how long it has been there.
2) Find out how it got there.
3) Sanitizing, or most likely rebuilding the system from scratch.

I won't feel comfortable about doing item 3 until I learn the cause of 1 and 2. Since this is a home PC, it's not mission-critical and I have other computers so I can afford to leave it offline while I investigate this security breach, but at the same time it's worrisome because I do banking etc. from this machine. I'll obviously have to check the status of any other computer on the same network.

My user account has sudo-without-password rights to any command. In hindsight this risk may not be worth the extra convenience... A rogue "sudo install-bad-stuff" anywhere over time could have done me in.

Alternatively I was running vulnerable/compromised software. My box has sshd running, root login in ssh is not allowed, and pubkey only logins (no passwords). It is behind a wireless router but port 22 is open and pointing to this box, and a few others needed by other applications. So I will check out which keys exist on the compromised machine and make sure I recognize them all. I'll also need to check the status of any other computer my key is stored on (a mix of linux & windows, and my mobile phone). Sigh...

I am using ~amd64 and I update deep world about 3 times a week normally.

The computer is only a few months old, but it was created by cloning a ~2-years-old computer. I did emerge -e world as part of the upgrade process.

If anyone has advice on what I should look at forensically to determine the cause of this, it is appreciated. I'll first dig into the logs, bash history etc. and really hope that this happened very recently.

Thanks for any tips and wish me good luck. :)
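The poster's plan to "check out which keys exist on the compromised machine" is the kind of check worth scripting rather than eyeballing. The following is an added example and not code from the thread: it parses authorized_keys files, fingerprints each key the way OpenSSH does (SHA256 over the decoded key blob, base64 without padding), and reports every key whose fingerprint is not on a list you recognise. It is meant to be run from a clean system against the old root mounted read-only, taking home directories from that root's own /etc/passwd; the sample key material and the mount point /mnt/oldroot are constructed for the example. One caveat: if sshd_config on the suspect root sets AuthorizedKeysFile, those paths have to be checked too.

```python
"""Audit authorized_keys files copied off a suspect machine (added example)."""
import base64
import hashlib
import os
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """Split one authorized_keys line into (options, keytype, blob, comment).

    Format: [options] keytype base64-blob [comment]. Returns None for blank and
    comment lines. The blob begins with a length-prefixed type string that must
    agree with the declared type; a mismatch means the line was tampered with.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, tok in enumerate(fields):
        if tok in KEY_TYPES:
            options = " ".join(fields[:i])
            blob = base64.b64decode(fields[i + 1], validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            inner = blob[4:4 + n].decode("ascii", "replace")
            if inner != tok:
                raise ValueError(f"key type mismatch: {tok!r} vs {inner!r}")
            return options, tok, blob, " ".join(fields[i + 2:])
    raise ValueError(f"unparseable authorized_keys line: {line!r}")


def audit(text: str, allowed: set) -> list:
    """Return every key in `text` whose fingerprint is not in `allowed`."""
    unknown = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        options, keytype, blob, comment = parsed
        fp = fingerprint(blob)
        if fp not in allowed:
            unknown.append({"line": lineno, "type": keytype, "fp": fp,
                            "options": options, "comment": comment})
    return unknown


def authorized_keys_paths(mount_root: str):
    """Yield (user, path) for authorized_keys files under an offline root,
    using home directories from that root's /etc/passwd, not a /home guess."""
    with open(os.path.join(mount_root, "etc", "passwd"), errors="replace") as fh:
        for entry in fh:
            parts = entry.rstrip("\n").split(":")
            if len(parts) < 7:
                continue
            for name in ("authorized_keys", "authorized_keys2"):
                path = os.path.join(mount_root, parts[5].lstrip("/"), ".ssh", name)
                if os.path.isfile(path):
                    yield parts[0], path


def fake_ed25519_blob(seed: bytes) -> bytes:
    """Constructed sample blob in ssh-ed25519 wire format (string type, string
    32-byte key). The 32 bytes are arbitrary and NOT a real public key."""
    t = b"ssh-ed25519"
    pub = hashlib.sha256(seed).digest()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(pub)) + pub


KNOWN_BLOB = fake_ed25519_blob(b"laptop")     # constructed: the key you recognise
ROGUE_BLOB = fake_ed25519_blob(b"planted")    # constructed: a key you did not add
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys, not from a real machine",
    "ssh-ed25519 " + base64.b64encode(KNOWN_BLOB).decode() + " paul@laptop",
    'from="10.0.0.0/8" ssh-ed25519 ' + base64.b64encode(ROGUE_BLOB).decode(),
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:  # no mount point given: run against the sample
        for hit in audit(SAMPLE_AUTHORIZED_KEYS, {fingerprint(KNOWN_BLOB)}):
            print("UNKNOWN KEY", hit)
    else:  # e.g. python audit_keys.py /mnt/oldroot SHA256:... SHA256:...
        for user, path in authorized_keys_paths(sys.argv[1]):
            with open(path, errors="replace") as fh:
                for hit in audit(fh.read(), set(sys.argv[2:])):
                    print(user, path, hit)
```

Compare the reported fingerprints with `ssh-keygen -lf` output from the machines that legitimately hold your private keys; any key with options you did not write (from=, command=) deserves the same scrutiny as an unknown one.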
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Alan McKinnon @ 2010-08-09 16:48 UTC
To: gentoo-user

On Monday 09 August 2010 18:25:56 Paul Hartman wrote:
> Hi, today when working remotely I ran nethogs and noticed suspicious network traffic coming from my home gentoo box. It was very low traffic (less than 1KB/sec bandwidth usage) but according to nethogs it was between a root user process and various suspicious-looking ports on outside hosts in other countries that I have no business with. netstat didn't show anything, however, but when I ran chkrootkit it told me that netstat was INFECTED. I immediately issued "shutdown -h now" and now I won't be able to take a further look at it until I get home and have physical access to the box. System uptime was a few months. It was last updated for installation of a 2.6.33 kernel (2.6.35 is out now).
>
> I have 3 goals now:
>
> 1) Figure out what is running on my box and how long it has been there.
> 2) Find out how it got there.
> 3) Sanitizing, or most likely rebuilding the system from scratch.

Here's the bad news:

An intruder probably gained access through a script kiddie script, which has likely already removed all the logs. Or they have possibly been rotated away by now.

I would proceed as follows:

1. Keep that machine off the internet till it is reinstalled
2. Fresh reinstall using boot media that you have downloaded and written elsewhere, plus a portage tree. Don't worry about distfiles - a fresh portage tree won't use existing copies on that machine if the hashes don't match. So you can re-use them. If you boot off new install media it is safe to download new distfiles using it.
3. Keep your old partitions around if you want to do forensics, you can mount them somewhere when a reinstall is done and peruse them at your leisure. However, doing that is often a waste of time unless you still have logs. You can use a scanner like nessus to look things over.
4. And it goes without saying that you should change all passwords and keys used on that trojaned machine.

> I won't feel comfortable about doing item 3 until I learn the cause of 1 and 2. Since this is a home PC, it's not mission-critical and I have other computers so I can afford to leave it offline while I investigate this security breach, but at the same time it's worrisome because I do banking etc. from this machine. I'll obviously have to check the status of any other computer on the same network.
>
> My user account has sudo-without-password rights to any command. In hindsight this risk may not be worth the extra convenience... A rogue "sudo install-bad-stuff" anywhere over time could have done me in.
>
> Alternatively I was running vulnerable/compromised software. My box has sshd running, root login in ssh is not allowed, and pubkey only logins (no passwords). It is behind a wireless router but port 22 is open and pointing to this box, and a few others needed by other applications. So I will check out which keys exist on the compromised machine and make sure I recognize them all. I'll also need to check the status of any other computer my key is stored on (a mix of linux & windows, and my mobile phone). Sigh...
>
> I am using ~amd64 and I update deep world about 3 times a week normally.
>
> The computer is only a few months old, but it was created by cloning a ~2-years-old computer. I did emerge -e world as part of the upgrade process.
>
> If anyone has advice on what I should look at forensically to determine the cause of this, it is appreciated. I'll first dig into the logs, bash history etc. and really hope that this happened very recently.
>
> Thanks for any tips and wish me good luck. :)

-- 
alan dot mckinnon at gmail dot com
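Alan's point 2 rests on a concrete mechanism: Portage only accepts a cached distfile if its size and every hash recorded in the package's Manifest match, so tarballs left on a compromised disk can be reused as long as the Manifest itself comes from a freshly synced, signed tree (if the attacker also controls the tree, the hashes prove nothing). The following is an added example, not Portage's own code and not from the thread: it parses Manifest DIST lines (`DIST <file> <size> <ALGO> <hex> ...`) and verifies a candidate distfile offline. The Manifest text and tarball bytes are constructed; the hash names span the sets Portage has used over the years, and algorithms the local hashlib lacks are skipped rather than treated as a pass.

```python
"""Verify cached distfiles against a Portage Manifest (added example)."""
import hashlib

# Manifest hash names -> hashlib names. Portage has changed this set over time.
HASH_NAMES = {"SHA256": "sha256", "SHA512": "sha512", "BLAKE2B": "blake2b",
              "SHA1": "sha1", "RMD160": "ripemd160", "WHIRLPOOL": "whirlpool"}


def parse_manifest(text: str) -> dict:
    """Return {filename: (size, {ALGO: hexdigest})} for every DIST line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # DIST name size (ALGO hex)+  -> 3 + 2k fields, i.e. always an odd count
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
            continue
        name, size = fields[1], int(fields[2])
        entries[name] = (size, dict(zip(fields[3::2], fields[4::2])))
    return entries


def verify_distfile(data: bytes, expected_size: int, digests: dict) -> tuple:
    """Check the size and every hash this hashlib can compute.

    Returns (ok, problems). Unknown or unavailable algorithms are skipped, but
    if nothing at all could be checked the file is rejected."""
    problems = []
    if len(data) != expected_size:
        problems.append(f"size {len(data)} != {expected_size}")
    checked = 0
    for algo, hexdigest in digests.items():
        impl = HASH_NAMES.get(algo)
        if impl is None:
            continue
        try:
            h = hashlib.new(impl)
        except ValueError:          # e.g. ripemd160 missing from this OpenSSL build
            continue
        h.update(data)
        checked += 1
        if h.hexdigest() != hexdigest.lower():
            problems.append(f"{algo}: mismatch")
    if checked == 0:
        problems.append("no verifiable hash")
    return (not problems, problems)


def check_cached(name: str, data: bytes, manifest_text: str) -> tuple:
    """Decide whether an existing distfile `name` may be reused."""
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return (False, ["not listed in Manifest"])
    size, digests = entries[name]
    return verify_distfile(data, size, digests)


# Constructed sample data: a "tarball" and a Manifest that matches the good copy.
GOOD_TARBALL = b"constructed sample distfile bytes, not a real tarball\n" * 40
TAMPERED_TARBALL = GOOD_TARBALL[:-1] + b"!"        # same size, one byte changed
SAMPLE_MANIFEST = (
    "EBUILD example-1.0.ebuild 999 SHA256 0000 SHA512 0000\n"
    f"DIST example-1.0.tar.gz {len(GOOD_TARBALL)} "
    f"SHA256 {hashlib.sha256(GOOD_TARBALL).hexdigest()} "
    f"SHA512 {hashlib.sha512(GOOD_TARBALL).hexdigest()}\n"
)

if __name__ == "__main__":
    for label, data in (("good copy", GOOD_TARBALL), ("tampered copy", TAMPERED_TARBALL)):
        print(label, check_cached("example-1.0.tar.gz", data, SAMPLE_MANIFEST))
```

In practice you would point this at /usr/portage/distfiles (or wherever DISTDIR lives) and the Manifest of each package from the new tree; a tampered copy fails on every hash at once, and a file absent from any Manifest is simply not trusted.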
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Paul Hartman @ 2010-08-09 18:48 UTC
To: gentoo-user

On Mon, Aug 9, 2010 at 11:48 AM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Monday 09 August 2010 18:25:56 Paul Hartman wrote:
> > Hi, today when working remotely I ran nethogs and noticed suspicious network traffic coming from my home gentoo box. It was very low traffic (less than 1KB/sec bandwidth usage) but according to nethogs it was between a root user process and various suspicious-looking ports on outside hosts in other countries that I have no business with. netstat didn't show anything, however, but when I ran chkrootkit it told me that netstat was INFECTED. I immediately issued "shutdown -h now" and now I won't be able to take a further look at it until I get home and have physical access to the box. System uptime was a few months. It was last updated for installation of a 2.6.33 kernel (2.6.35 is out now).
> >
> > I have 3 goals now:
> >
> > 1) Figure out what is running on my box and how long it has been there.
> > 2) Find out how it got there.
> > 3) Sanitizing, or most likely rebuilding the system from scratch.
>
> Here's the bad news:
>
> An intruder probably gained access through a script kiddie script, which has likely already removed all the logs. Or they have possibly been rotated away by now.
>
> I would proceed as follows:
>
> 1. Keep that machine off the internet till it is reinstalled
> 2. Fresh reinstall using boot media that you have downloaded and written elsewhere, plus a portage tree. Don't worry about distfiles - a fresh portage tree won't use existing copies on that machine if the hashes don't match. So you can re-use them. If you boot off new install media it is safe to download new distfiles using it.
> 3. Keep your old partitions around if you want to do forensics, you can mount them somewhere when a reinstall is done and peruse them at your leisure. However, doing that is often a waste of time unless you still have logs. You can use a scanner like nessus to look things over.
> 4. And it goes without saying that you should change all passwords and keys used on that trojaned machine.

Hi Alan, thanks for the advice.

I just remembered that my DD-WRT router stats page had an anomaly, on 31st of July it showed I had over 700 terabytes of traffic, which is impossible. Coincidentally, my cable modem stopped working on the same day, so I wrote it off as a bug or a result of the broken modem. I replaced the modem and everything seemed to work normally after that.

At this point my mind is running wild thinking of all of the possibilities. Could the router have been infected? The modem? It'll still be another 5 or 6 hours before I'm able to lay my hands on the machine. I'm imagining every doomsday scenario. :)

My hope is that it was "only" a botnet or ssh-scanner or something, and not a sniffer or keylogger or anything nefarious. I fear I may never truly be able to know, though.
* [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice
From: 7v5w7go9ub0o @ 2010-08-09 18:59 UTC
To: gentoo-user

On 08/09/10 12:25, Paul Hartman wrote:
[]
> If anyone has advice on what I should look at forensically to determine the cause of this, it is appreciated. I'll first dig into the logs, bash history etc. and really hope that this happened very recently.
>
> Thanks for any tips and wish me good luck. :)

AntiVir (Avira) anti-malware scanner has hundreds of Linux rootkit/virus signatures; you might scan your box with that. It has an on-access, realtime monitor option as well, which I use to monitor anything downloaded and/or compiled on my box (in case the distribution screen gets hacked).

<http://www.free-av.com/en/download/download_servers.php>

Presuming you're rooted, you might first try their stand-alone, linux live-disk scanner so as to avoid borked kernel and/or core utilities:

<http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html>
* Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice
From: Paul Hartman @ 2010-08-09 19:08 UTC
To: gentoo-user

On Mon, Aug 9, 2010 at 1:59 PM, 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com> wrote:
> On 08/09/10 12:25, Paul Hartman wrote:
> []
> > If anyone has advice on what I should look at forensically to determine the cause of this, it is appreciated. I'll first dig into the logs, bash history etc. and really hope that this happened very recently.
> >
> > Thanks for any tips and wish me good luck. :)
>
> AntiVir (Avira) anti-malware scanner has hundreds of Linux rootkit/virus signatures; you might scan your box with that. It has an on-access, realtime monitor option as well, which I use to monitor anything downloaded and/or compiled on my box (in case the distribution screen gets hacked).
>
> <http://www.free-av.com/en/download/download_servers.php>
>
> Presuming you're rooted, you might first try their stand-alone, linux live-disk scanner so as to avoid borked kernel and/or core utilities:
>
> <http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html>

Was not aware of that one, I'll give it a try. Thanks.
* Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice
From: Mick @ 2010-08-09 19:46 UTC
To: gentoo-user

On Monday 09 August 2010 19:59:11 7v5w7go9ub0o wrote:
> On 08/09/10 12:25, Paul Hartman wrote:
> []
>
> > If anyone has advice on what I should look at forensically to determine the cause of this, it is appreciated. I'll first dig into the logs, bash history etc. and really hope that this happened very recently.
> >
> > Thanks for any tips and wish me good luck. :)
>
> AntiVir (Avira) anti-malware scanner has hundreds of Linux rootkit/virus signatures; you might scan your box with that. It has an on-access, realtime monitor option as well, which I use to monitor anything downloaded and/or compiled on my box (in case the distribution screen gets hacked).
>
> <http://www.free-av.com/en/download/download_servers.php>
>
> Presuming you're rooted, you might first try their stand-alone, linux live-disk scanner so as to avoid borked kernel and/or core utilities:
>
> <http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html>

Another idea to help with your forensics would be to bring a netstat and lsof binary over to your machine and run them to see which actors are running and trying to get out. That could help you detect what is running on that machine and google your way from there.

You could also run rkhunter.

-- 
Regards,
Mick
* Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice
From: Kyle Bader @ 2010-08-10 13:50 UTC
To: gentoo-user

> Another idea to help with your forensics would be to bring a netstat and lsof binary over to your machine and run them to see which actors are running and trying to get out. That could help you detect what is running on that machine and google your way from there.

If your kernel has been subverted then userland is irrelevant, a kit can simply hook the system calls those binaries use and return whatever it wants you to know.

-- 
Kyle
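Mick's suggestion and Kyle's caveat bracket what a userland check can and cannot tell you. chkrootkit flagged the poster's netstat, so a clean netstat/lsof, or reading the kernel's own socket table in /proc/net/tcp directly, sidesteps a trojaned binary; neither helps if the kernel itself is hooked and lies to every reader. The following is an added example, not code from the thread, that decodes /proc/net/tcp without netstat: each row carries the local and remote address as hex (native-endian 32-bit IPv4, so byte-reversed on x86/amd64), the port in hex, a state code, the owning uid and the socket inode. The socket inode is what netstat -p and lsof map back to a pid by scanning /proc/<pid>/fd, which the `inode_owners` helper does on a live system. The sample table below is constructed; the field layout is the real one.

```python
"""Decode /proc/net/tcp without netstat (added example)."""
import ipaddress
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Address ranges you consider your own; everything else is "outside".
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_addr(field: str) -> tuple:
    """'0A01A8C0:0016' -> ('192.168.1.10', 22).

    The kernel prints the 32-bit address as a native-endian integer, so on a
    little-endian host (the poster's amd64 box) the bytes read reversed."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """One dict per socket: local/remote endpoint, state, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def suspicious(rows: list, uid=None) -> list:
    """Established connections to hosts outside TRUSTED_NETS, optionally
    restricted to one uid (the poster saw a root-owned process talking out)."""
    out = []
    for r in rows:
        if r["state"] != "ESTABLISHED" or (uid is not None and r["uid"] != uid):
            continue
        remote = ipaddress.ip_address(r["remote"][0])
        if not any(remote in net for net in TRUSTED_NETS):
            out.append(r)
    return out


def inode_owners(proc: str = "/proc") -> dict:
    """Map socket inode -> pids via /proc/<pid>/fd symlinks ('socket:[N]'),
    the same way netstat -p and lsof do. Live system only; needs root."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                owners.setdefault(int(target[8:-1]), []).append(int(pid))
    return owners


# Constructed sample: sshd listening, a LAN ssh session, a root-owned connection
# to an outside host on 6667, and an unprivileged user's HTTPS connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:0016 6401A8C0:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0A01A8C0:8F2C 057100CB:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0A01A8C0:B1E0 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open("/proc/net/tcp") as fh:     # subject to the kernel-rootkit caveat
            rows, owners = parse_proc_net_tcp(fh.read()), inode_owners()
    else:
        rows, owners = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), {}
    for r in suspicious(rows):
        print(r["uid"], r["local"], "->", r["remote"], "pids", owners.get(r["inode"], "?"))
```

On the sample the root-owned row to 203.0.113.5:6667 is the one that matches the poster's nethogs observation; /proc/net/tcp6 and /proc/net/udp follow the same layout with wider address fields. If you can only get at the box after a clean reboot, this file is gone with the running kernel, which is the argument for capturing it (and /proc/<pid>/exe, maps and cmdline of the owning process) before pulling the plug.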
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Mick @ 2010-08-09 19:09 UTC
To: gentoo-user

On Monday 09 August 2010 17:25:56 Paul Hartman wrote:
> My user account has sudo-without-password rights to any command.

Ouch!

There have been discussions on this list why sudo is a bad idea and sudo on *any* command is an even worse idea. You might as well be running everything as root, right?

You have decided wisely to reinstall because you can't be sure of this OS anymore.

Please keep us updated on what you find from the forensic analysis.

-- 
Regards,
Mick
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Robert Bridge @ 2010-08-09 20:08 UTC
To: gentoo-user

On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
> There have been discussions on this list why sudo is a bad idea and sudo on *any* command is an even worse idea. You might as well be running everything as root, right?

sudo normally logs the command executed, and the account which executes it, so while not relevant for single user systems, it STILL has benefits over running as root.

RobbieAB
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Bill Longman @ 2010-08-09 20:20 UTC
To: gentoo-user

On 08/09/2010 01:08 PM, Robert Bridge wrote:
> On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
> > There have been discussions on this list why sudo is a bad idea and sudo on *any* command is an even worse idea. You might as well be running everything as root, right?
>
> sudo normally logs the command executed, and the account which executes it, so while not relevant for single user systems, it STILL has benefits over running as root.

...excepting, of course, "sudo bash -l" which means you've given away the keys to the kingdom.
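The three messages above make a precise point between them: sudo's per-command log is worth something only while the rules do not hand out a shell, and `NOPASSWD: ALL` (the poster's setup) removes even the password prompt. The following is an added example, not from the thread and not part of sudo, that reads the common single-line user specification form

    user_or_%group  host = (runas) [TAG:] command[, command ...]

and flags the three patterns discussed: NOPASSWD together with ALL, ALL under any tag, and commands that are themselves shells or su (a command list that includes /bin/bash is the "sudo bash -l" hole written into policy). It deliberately does not handle aliases, Defaults options, line continuations or #include; `visudo -c` remains the syntax check of record. The sudoers text is constructed, with the poster's rule alongside a password-requiring alternative.

```python
"""Flag sudoers user specifications that amount to unattended root (added example)."""
import re

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish", "su"}

SPEC_RE = re.compile(r"""
    ^(?P<who>\S+)\s+                    # user, %group or +netgroup
    (?P<host>[^\s=]+)\s*=\s*            # host list
    (?:\((?P<runas>[^)]*)\)\s*)?        # optional (runas[:group])
    (?P<rest>.+)$                       # tags and command list
""", re.VERBOSE)

SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text: str) -> list:
    """Return one dict per user specification: who, host, runas, tags, cmds.

    Tags are collected per rule (sudo applies a TAG: to the rest of the command
    list anyway). Comments are stripped first, which also drops #include lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        tags, cmds = set(), []
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            while ":" in cmd and cmd.split(":", 1)[0].isupper():   # NOPASSWD:, SETENV:, ...
                tag, cmd = cmd.split(":", 1)
                tags.add(tag)
                cmd = cmd.strip()
            if cmd:
                cmds.append(cmd)
        rules.append({"line": lineno, "who": m.group("who"), "host": m.group("host"),
                      "runas": m.group("runas") or "root", "tags": tags, "cmds": cmds})
    return rules


def audit_sudoers(text: str) -> list:
    """Return (line, who, reason) for every rule matching a flagged pattern."""
    findings = []
    for r in parse_sudoers(text):
        all_cmds = "ALL" in r["cmds"]
        if all_cmds and "NOPASSWD" in r["tags"]:
            findings.append((r["line"], r["who"],
                             "NOPASSWD on ALL: unattended root for anything run as this user"))
        elif all_cmds:
            findings.append((r["line"], r["who"],
                             "ALL commands: a root shell is one password prompt away"))
        for cmd in r["cmds"]:
            if cmd == "ALL" or cmd.startswith("!"):      # '!' denies, not grants
                continue
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if base in SHELLS:
                findings.append((r["line"], r["who"],
                                 f"{cmd}: grants a shell, bypasses per-command logging"))
    return findings


# Constructed sample sudoers: the poster's rule, a password-requiring variant,
# a narrowly scoped NOPASSWD rule spoiled by a shell, and a clean one.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults    env_reset, timestamp_timeout=5
paul        ALL=(ALL) NOPASSWD: ALL        # the setup described in the thread
%wheel      ALL=(ALL) ALL                  # root for the asking, but password + log
backup      ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/bash
ops         ALL=(ALL) /usr/bin/emerge --sync, !/bin/su
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for line, who, reason in audit_sudoers(text):
        print(f"line {line}: {who}: {reason}")
```

Run it against /etc/sudoers and any files under /etc/sudoers.d from a clean boot. The `backup` rule shows why command lists need the same scrutiny as ALL: rsync alone is a defensible NOPASSWD grant, while the appended /bin/bash turns it back into the poster's configuration.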
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Kevin O'Gorman @ 2010-08-10 0:30 UTC
To: gentoo-user

On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman <bill.longman@gmail.com> wrote:
> On 08/09/2010 01:08 PM, Robert Bridge wrote:
> > On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
> > > There have been discussions on this list why sudo is a bad idea and sudo on *any* command is an even worse idea. You might as well be running everything as root, right?
> >
> > sudo normally logs the command executed, and the account which executes it, so while not relevant for single user systems, it STILL has benefits over running as root.
>
> ...excepting, of course, "sudo bash -l" which means you've given away the keys to the kingdom.

I actually prefer "sudo su -" -- as long as I'm giving it away! :o)

-- 
Kevin O'Gorman, PhD
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: William Hubbs @ 2010-08-10 1:18 UTC
To: gentoo-user

On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
> On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman <bill.longman@gmail.com> wrote:
> > On 08/09/2010 01:08 PM, Robert Bridge wrote:
> > > On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
> > > > There have been discussions on this list why sudo is a bad idea and sudo on *any* command is an even worse idea. You might as well be running everything as root, right?
> > >
> > > sudo normally logs the command executed, and the account which executes it, so while not relevant for single user systems, it STILL has benefits over running as root.
> >
> > ...excepting, of course, "sudo bash -l" which means you've given away the keys to the kingdom.
>
> I actually prefer "sudo su -" -- as long as I'm giving it away! :o)

Afaik, there is no reason for "sudo su -". It should be either

su -

or, if you are using sudo,

sudo -i

The disadvantage of "su -" is that it requires the user to know the root password. But, "sudo -i" does the same thing without requiring the user to know the root password.

William
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Alan McKinnon @ 2010-08-10 6:42 UTC
To: gentoo-user; +Cc: William Hubbs

On Tuesday 10 August 2010 03:18:05 William Hubbs wrote:
> On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
> > On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman <bill.longman@gmail.com> wrote:
> > > On 08/09/2010 01:08 PM, Robert Bridge wrote:
> > > > On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
> > > > > There have been discussions on this list why sudo is a bad idea and sudo on *any* command is an even worse idea. You might as well be running everything as root, right?
> > > >
> > > > sudo normally logs the command executed, and the account which executes it, so while not relevant for single user systems, it STILL has benefits over running as root.
> > >
> > > ...excepting, of course, "sudo bash -l" which means you've given away the keys to the kingdom.
> >
> > I actually prefer "sudo su -" -- as long as I'm giving it away! :o)
>
> Afaik, there is no reason for "sudo su -". It should be either
>
> su -
>
> or, if you are using sudo,
>
> sudo -i

So what is the difference between "sudo -i" and "sudo su -" then? Please be precise.

> The disadvantage of "su -" is that it requires the user to know the root password. But, "sudo -i" does the same thing without requiring the user to know the root password.

You seem to have confused ideas about authentication and authorization. They are not the same thing and harder is not always better.

I have 100+ machines (all distinctly different) that my team runs and sudo is on all of them. They all have a root password but no-one knows it anymore, it's tucked away nice in the safe just in case the whole team dies in a plane crash. Meanwhile, we know each user is authenticated - ssh let them in with the right key, which they managed to unlock. To run a command as root, they must re-authenticate with their password (unused till this point) and then they can do their jobs.

We also know that they are authorized - this is the entire point of /etc/sudoers and it has no other purpose than authorizing users to do things what, when and where.

Knowing a root password is simply a second factor of authentication. It might as well be their own password. A well-known root password opens a security can of worms anyway and you don't want to go where that leads.

So tell me again why sudo su - is inherently bad? Other than three extra keystrokes that is? And what about sudo implementations that don't support -i?

-- 
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Kevin O'Gorman @ 2010-08-10 13:03 UTC
To: gentoo-user

On Mon, Aug 9, 2010 at 6:18 PM, William Hubbs <williamh@gentoo.org> wrote:
> On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
> > On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman <bill.longman@gmail.com> wrote:
> >
> > I actually prefer "sudo su -" -- as long as I'm giving it away! :o)
>
> Afaik, there is no reason for "sudo su -". It should be either
>
> su -
>
> or, if you are using sudo,
>
> sudo -i
>
> The disadvantage of "su -" is that it requires the user to know the root password. But, "sudo -i" does the same thing without requiring the user to know the root password.

You either didn't think or didn't actually try it. "sudo su -" needs a password, but it's the user password. Running su as root never needs a password. Accordingly, this works on a stock Ubuntu with no root password.

"su -" requires the root password unless you're already root, and the root password may or may not exist.

I didn't know about "sudo -i" (thanks), but when I tried "sudo -i" it immediately asked for a password, for which the user password was sufficient. So it's entirely equivalent to but slightly shorter than my version. I'll stick with mine because it's made of parts I already know and won't forget.

I think that if sudoers don't need to enter passwords, they're still equivalent, but I have not tried this.

-- 
Kevin O'Gorman, PhD
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Alan McKinnon @ 2010-08-10 18:50 UTC
To: gentoo-user

On Tuesday 10 August 2010 15:03:19 Kevin O'Gorman wrote:
> On Mon, Aug 9, 2010 at 6:18 PM, William Hubbs <williamh@gentoo.org> wrote:
> > On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
> > > On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman <bill.longman@gmail.com> wrote:
> > >
> > > I actually prefer "sudo su -" -- as long as I'm giving it away! :o)
> >
> > Afaik, there is no reason for "sudo su -". It should be either
> >
> > su -
> >
> > or, if you are using sudo,
> >
> > sudo -i
> >
> > The disadvantage of "su -" is that it requires the user to know the root password. But, "sudo -i" does the same thing without requiring the user to know the root password.
>
> You either didn't think or didn't actually try it. "sudo su -" needs a password, but it's the user password. Running su as root never needs a password. Accordingly, this works on a stock Ubuntu with no root password.
>
> "su -" requires the root password unless you're already root, and the root password may or may not exist.
>
> I didn't know about "sudo -i" (thanks), but when I tried "sudo -i" it immediately asked for a password, for which the user password was sufficient. So it's entirely equivalent to but slightly shorter than my version. I'll stick with mine because it's made of parts I already know and won't forget.
>
> I think that if sudoers don't need to enter passwords, they're still equivalent, but I have not tried this.

Sounds to me like he's whinging about sudo and not much else. I find this to be common and far too many people advancing the idea can't define to me basic security concepts. I have also yet to meet someone with a beef against sudo that can show a fundamental weakness with it, and I'm not talking about an isolated case of buffer overflow either - that can happen with any software. I mean a weakness in the methodology of sudo itself.

Many people have a stuck idea in their heads that the root password is a magic security bullet. In fact, it's no such thing. Like any other password it is simply something you need to prove you know in order to authenticate yourself. The major threat by analysis on a workstation is stepping away for a leak and forgetting to lock the screen. sudo is adequate protection against this as long as more than 5 minutes have elapsed since the last sudo was run - the prankster may have access to the machine but still does not know any password, including yours. A major threat to finding passwords is shoulder surfing. If one frequently enters the root password, it is equally easy for a shoulder surfer to find it as to find the user's password. Note that if you leave your workstation unlocked with a root session open, there is no such timeout as what one has with sudo.

Additionally, on a shared machine (i.e. server at work), the root password has to be shared which is a huge hole in itself due to the difficulty of communicating the new password when it is changed. It is trivially easy to communicate a single password for a single user and guarantee it stays secure (major advances in cryptanalysis excepted).

-- 
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Hazen Valliant-Saunders @ 2010-08-10 19:22 UTC
To: gentoo-user

On Tue, Aug 10, 2010 at 2:50 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Tuesday 10 August 2010 15:03:19 Kevin O'Gorman wrote:
> > On Mon, Aug 9, 2010 at 6:18 PM, William Hubbs <williamh@gentoo.org> wrote:
> > > On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
> > > > On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman <bill.longman@gmail.com> wrote:
> > > >
> > > > I actually prefer "sudo su -" -- as long as I'm giving it away! :o)
> > >
> > > Afaik, there is no reason for "sudo su -". It should be either
> > >
> > > su -
> > >
> > > or, if you are using sudo,
> > >
> > > sudo -i
> > >
> > > The disadvantage of "su -" is that it requires the user to know the root password. But, "sudo -i" does the same thing without requiring the user to know the root password.
> >
> > You either didn't think or didn't actually try it. "sudo su -" needs a password, but it's the user password. Running su as root never needs a password. Accordingly, this works on a stock Ubuntu with no root password.
> >
> > "su -" requires the root password unless you're already root, and the root password may or may not exist.
> >
> > I didn't know about "sudo -i" (thanks), but when I tried "sudo -i" it immediately asked for a password, for which the user password was sufficient. So it's entirely equivalent to but slightly shorter than my version. I'll stick with mine because it's made of parts I already know and won't forget.
> >
> > I think that if sudoers don't need to enter passwords, they're still equivalent, but I have not tried this.
>
> Sounds to me like he's whinging about sudo and not much else. I find this to be common and far too many people advancing the idea can't define to me basic security concepts. I have also yet to meet someone with a beef against sudo that can show a fundamental weakness with it, and I'm not talking about an isolated case of buffer overflow either - that can happen with any software. I mean a weakness in the methodology of sudo itself.
>
> Many people have a stuck idea in their heads that the root password is a magic security bullet. In fact, it's no such thing. Like any other password it is simply something you need to prove you know in order to authenticate yourself. The major threat by analysis on a workstation is stepping away for a leak and forgetting to lock the screen. sudo is adequate protection against this as long as more than 5 minutes have elapsed since the last sudo was run - the prankster may have access to the machine but still does not know any password, including yours. A major threat to finding passwords is shoulder surfing. If one frequently enters the root password, it is equally easy for a shoulder surfer to find it as to find the user's password. Note that if you leave your workstation unlocked with a root session open, there is no such timeout as what one has with sudo.
>
> Additionally, on a shared machine (i.e. server at work), the root password has to be shared which is a huge hole in itself due to the difficulty of communicating the new password when it is changed. It is trivially easy to communicate a single password for a single user and guarantee it stays secure (major advances in cryptanalysis excepted).
>
> -- 
> alan dot mckinnon at gmail dot com

Good luck getting people to change them frequently and having your techs and IT departments meeting complexity and length policy.

Remember the only secure system is off and disconnected. If you are willing to use it you must apprise the community of the risk of failure; and plan for said risk.

Most projects I've enjoyed had various password books usually encrypted with a "God" key for each department and its respective responsible area. Then those keys become an issue in and of themselves; then it's a matter of procedural control. When the admin or admins leave, change them. Sounds simple, but far too rarely as it happens in practice that I've headed to a client I haven't visited in a decade or so and find the same password I once used by guessing. Which always rings true for me as a means to ensure disclosure is to those that I trust; or would trust.

The discretionary access model in Gentoo is nice and to be expected; what I'd really like is a way to have my groups integrate from whichever directory service I'm using to meet the DAC mappings required on the local machine so I can enable RBAC or some other Lattice based control with local admins and limit their functions to their jobs in an EASY fashion.

Regards,

-- 
Hazen Valliant-Saunders
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Peter Humphrey @ 2010-08-10 23:23 UTC
To: gentoo-user

On Tuesday 10 August 2010 20:22:13 Hazen Valliant-Saunders wrote:
> Good Luck getting people to change them frequently and having your
> techs and IT departments meeting complexity and length policy.
>
> Remember the only secure system is off and disconnected.

I hope you know whom you're talking to here.

--
Rgds
Peter. Linux Counter 5290, 1994-04-23.
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Stroller @ 2010-08-11 16:55 UTC
To: gentoo-user

On 10 Aug 2010, at 20:22, Hazen Valliant-Saunders wrote:
> ...
> Good Luck getting people to change them frequently and having your
> techs and IT departments meeting complexity and length policy.

I'm pretty sure that's a trivial setting for expiration policy and a PAM
plugin or option to enforce complexity.

Stroller.
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Dale @ 2010-08-11 18:16 UTC
To: gentoo-user

Stroller wrote:
>
> On 10 Aug 2010, at 20:22, Hazen Valliant-Saunders wrote:
>> ...
>> Good Luck getting people to change them frequently and having your
>> techs and IT departments meeting complexity and length policy.
>
> I'm pretty sure that's a trivial setting for expiration policy and a
> PAM plugin or option to enforce complexity.
>
> Stroller.
>

Thing about changing passwords too often, the person forgets what the password
is. I have a good strong password for my bank and credit card. If I had to
change it every month, six months or something, I would set it to something
simple so that I could remember what the password is. Then I would write it
down to help me remember it as well.

Changing the password often can actually lead to other issues.

Dale

:-) :-)
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Alan McKinnon @ 2010-08-11 20:30 UTC
To: gentoo-user

On Wednesday 11 August 2010 20:16:42 Dale wrote:
> Stroller wrote:
> > On 10 Aug 2010, at 20:22, Hazen Valliant-Saunders wrote:
> >> ...
> >> Good Luck getting people to change them frequently and having your
> >> techs and IT departments meeting complexity and length policy.
> >
> > I'm pretty sure that's a trivial setting for expiration policy and a
> > PAM plugin or option to enforce complexity.
> >
> > Stroller.
>
> Thing about changing passwords too often, the person forgets what the
> password is. I have a good strong password for my bank and credit
> card. If I had to change it every month, six months or something, I
> would set it to something simple so that I could remember what the
> password is. Then I would write it down to help me remember it as well.
>
> Changing the password often can actually lead to other issues.

I refuse to implement password expiration policies and have a vast array of
literature to back me up when some dimwit damager gets on his expiration high
horse.

My users pick their own passwords - I present a list of 5 from apg and let them
pick one. Accounts do expire if they go unused for 90 days, but not passwords.

What put me onto this policy? I found Gartner recommending password expiration.
I find the best security possible is always the opposite of what Gartner says.
Discovering how the AD admins in the company go about their jobs was the
convincing straw :-)

--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords
From: Bill Longman @ 2010-08-11 22:11 UTC
To: gentoo-user

On 08/11/2010 01:30 PM, Alan McKinnon wrote:
> I refuse to implement password expiration policies and have a vast array of
> literature to back me up when some dimwit damager gets on his expiration high
> horse.
>
> My users pick their own passwords - I present a list of 5 from apg and let
> them pick one. Accounts do expire if they go unused for 90 days, but not
> passwords.
>
> What put me onto this policy? I found Gartner recommending password
> expiration. I find the best security possible is always the opposite of what
> Gartner says. Discovering how the AD admins in the company go about their jobs
> was the convincing straw :-)

The bigger buggerboo I see is the "password complexity" [il]logic. There's this
vapid requirement of all these different types of characters needed in one's
password, yet the thing you really want to enforce is adequate entropy. If my
password is an entire sentence, it will not be brute-forced, even if I used
just ASCII A-z. There's just too much key space in 4.7^32. At 10^5 attempts per
second, you're likely to find the answer in half a billion years. I hope your
keyboard still works, let alone exists....
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords
From: Alan McKinnon @ 2010-08-11 23:09 UTC
To: gentoo-user

On Thursday 12 August 2010 00:11:12 Bill Longman wrote:
> On 08/11/2010 01:30 PM, Alan McKinnon wrote:
> > I refuse to implement password expiration policies and have a vast array
> > of literature to back me up when some dimwit damager gets on his
> > expiration high horse.
> >
> > My users pick their own passwords - I present a list of 5 from apg and
> > let them pick one. Accounts do expire if they go unused for 90 days, but
> > not passwords.
> >
> > What put me onto this policy? I found Gartner recommending password
> > expiration. I find the best security possible is always the opposite of
> > what Gartner says. Discovering how the AD admins in the company go about
> > their jobs was the convincing straw :-)
>
> The bigger buggerboo I see is the "password complexity" [il]logic.
> There's this vapid requirement of all these different types of
> characters needed in one's password, yet the thing you really want to
> enforce is adequate entropy. If my password is an entire sentence, it
> will not be brute-forced, even if I used just ASCII A-z. There's just
> too much key space in 4.7^32. At 10^5 attempts per second, you're likely
> to find the answer in half a billion years. I hope your keyboard still
> works, let alone exists....

Your reasoning makes sense, until you consider password length limits imposed
by machines.

Cisco routers authenticating via Tacacs for instance often support nothing more
than DES hashing <yuck>. The hash routines accept up to 10 characters for a
password but only use the first 8 to calculate the hash.

There are Solaris versions nowhere near EOL yet that have similar limits.

All this makes my life as a system integrator cum authentication go-to guy very
tricky indeed. Luckily management tends to say "Just do what Alan says. It
makes him shut up and go away".

:-)

p.s. dig the use of "vapid". Wonderful word, truly splendid. Communicates in 5
letters something that takes paragraphs any other way. I shall make a note for
future use.

--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords
From: Bill Longman @ 2010-08-12 4:30 UTC
To: gentoo-user

On Wed, Aug 11, 2010 at 4:09 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Thursday 12 August 2010 00:11:12 Bill Longman wrote:
> > On 08/11/2010 01:30 PM, Alan McKinnon wrote:
> > > I refuse to implement password expiration policies and have a vast array
> > > of literature to back me up when some dimwit damager gets on his
> > > expiration high horse.
> > >
> > > My users pick their own passwords - I present a list of 5 from apg and
> > > let them pick one. Accounts do expire if they go unused for 90 days, but
> > > not passwords.
> > >
> > > What put me onto this policy? I found Gartner recommending password
> > > expiration. I find the best security possible is always the opposite of
> > > what Gartner says. Discovering how the AD admins in the company go about
> > > their jobs was the convincing straw :-)
> >
> > The bigger buggerboo I see is the "password complexity" [il]logic.
> > There's this vapid requirement of all these different types of
> > characters needed in one's password, yet the thing you really want to
> > enforce is adequate entropy. If my password is an entire sentence, it
> > will not be brute-forced, even if I used just ASCII A-z. There's just
> > too much key space in 4.7^32. At 10^5 attempts per second, you're likely
> > to find the answer in half a billion years. I hope your keyboard still
> > works, let alone exists....
>
> Your reasoning makes sense, until you consider password length limits imposed
> by machines.
>
> Cisco routers authenticating via Tacacs for instance often support nothing
> more than DES hashing <yuck>. The hash routines accept up to 10 characters for
> a password but only use the first 8 to calculate the hash.
>
> There are Solaris versions nowhere near EOL yet that have similar limits.
>
> All this makes my life as a system integrator cum authentication go-to guy very
> tricky indeed. Luckily management tends to say "Just do what Alan says. It
> makes him shut up and go away".
>
> :-)
>
> p.s. dig the use of "vapid". Wonderful word, truly splendid. Communicates in 5
> letters something that takes paragraphs any other way. I shall make a note for
> future use.
>
> --
> alan dot mckinnon at gmail dot com

Absolutely. If you do not change your ENCRYPT_METHOD or your PASS_MAX_LEN in
your login.defs file and are still relying on the back end's ability to safely
store your passwords in DES format, well, you're in trouble.
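Bill's keyspace arithmetic and the DES truncation caveat Alan and Bill raise, carried through together in an added Python example that is not code from the thread: it reproduces the 4.7^32 keyspace at 10^5 guesses per second, then parses constructed login.defs fragments to show how a DES ENCRYPT_METHOD with PASS_MAX_LEN 8 shrinks a 32-character password to an 8-character one. The 62-symbol alphabet (upper, lower, digits) is a constructed constant, and the fall-back to DES when ENCRYPT_METHOD is unset is an assumption taken from the shadow login.defs documentation.

```python
import math

# Alphabet size for an upper/lower/digit character set; a constructed
# constant for this example.
ALPHABET_CNL = 26 + 10 + 26
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(space):
    """Entropy of a password chosen uniformly from a keyspace of `space`."""
    return math.log2(space)


def expected_crack_years(space, attempts_per_second):
    """Expected guessing time: on average half the keyspace is searched."""
    return (space / 2) / attempts_per_second / SECONDS_PER_YEAR


def parse_login_defs(text):
    """Return the KEY VALUE settings of a login.defs file as a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:                           # and blank lines
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def hashed_length(password_length, login_defs):
    """Characters the configured crypt() actually covers.

    Assumption taken from the shadow login.defs documentation: with no
    ENCRYPT_METHOD the traditional DES crypt is used, which only hashes the
    first PASS_MAX_LEN (default 8) characters; MD5/SHA crypts use all of them.
    """
    method = login_defs.get("ENCRYPT_METHOD", "DES").upper()
    if method != "DES":
        return password_length, method
    limit = int(login_defs.get("PASS_MAX_LEN", 8))
    return min(password_length, limit), method


def audit(password_length, alphabet_size, login_defs_text, attempts_per_second=1e5):
    """Effective keyspace and expected brute-force time after hash limits apply."""
    defs = parse_login_defs(login_defs_text)
    effective, method = hashed_length(password_length, defs)
    space = keyspace(alphabet_size, effective)
    return {
        "method": method,
        "effective_length": effective,
        "entropy_bits": round(entropy_bits(space), 1),
        "expected_years": expected_crack_years(space, attempts_per_second),
    }


# Constructed login.defs fragments: a legacy box that never set ENCRYPT_METHOD
# (so it still hashes with DES) beside one switched to SHA512.
LEGACY_LOGIN_DEFS = """\
# ENCRYPT_METHOD not set: traditional DES crypt
PASS_MAX_LEN 8
"""
MODERN_LOGIN_DEFS = """\
ENCRYPT_METHOD SHA512
"""

if __name__ == "__main__":
    # Bill's figure: a keyspace of 4.7^32 searched at 10^5 guesses per second
    print(f"{expected_crack_years(4.7 ** 32, 1e5):.2e} years")  # about half a billion
    # The same 32-character password drawn from 62 symbols, under each login.defs
    for name, defs in (("legacy DES", LEGACY_LOGIN_DEFS), ("SHA512", MODERN_LOGIN_DEFS)):
        print(name, audit(32, ALPHABET_CNL, defs))
```

Under the legacy fragment the 32-character password is worth 62^8 guesses, roughly 35 years at Bill's rate rather than his half a billion, which is the gap the login.defs advice above closes.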
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Stroller @ 2010-08-12 13:01 UTC
To: gentoo-user

On 11 Aug 2010, at 21:30, Alan McKinnon wrote:
> ...
> My users pick their own passwords - I present a list of 5 from apg
> and let them pick one

apg's results seem awfully unmemorable by default.

I tend to prefer random password generators that create pronounceable nonsense
words, by stringing together random syllables, rather than just letters.

Do you know if apg can do that? I'm sure it's in the manpage, so forgive me for
not parsing it at this time of the morning.

Stroller.
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Alan McKinnon @ 2010-08-12 19:21 UTC
To: gentoo-user

On Thursday 12 August 2010 15:01:12 Stroller wrote:
> On 11 Aug 2010, at 21:30, Alan McKinnon wrote:
> > ...
> > My users pick their own passwords - I present a list of 5 from apg
> > and let them pick one
>
> apg's results seem awfully unmemorable by default.
>
> I tend to prefer random password generators that create pronounceable
> nonsense words, by stringing together random syllables, rather than
> just letters.
>
> Do you know if apg can do that? I'm sure it's in the manpage, so
> forgive me for not parsing it at this time of the morning.

Yes, it can do that. It's for that reason I use it. The command I use is:

  $ apg -m8 -x8 -MCNL
  Badnack9
  VeOsFid5
  JucWeac9
  EowtUzt1
  SceybEf8
  ByejCys1

passwords are 8 chars simply because some elements of the environment have that
limitation. As you can see, the passwords tend to be pronounceable. And many,
many tests run have convinced me that the passwords have sufficient entropy to
be good enough - good enough being defined as "john the ripper didn't brute
force it in 48 hours"

--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Peter Humphrey @ 2010-08-12 19:43 UTC
To: gentoo-user

On Thursday 12 August 2010 20:21:23 Alan McKinnon wrote:
> The command I use is:
>
>   $ apg -m8 -x8 -MCNL
>   Badnack9
>   VeOsFid5
>   JucWeac9
>   EowtUzt1
>   SceybEf8
>   ByejCys1

After following this thread I emerged apg, thinking it looked useful. But
according to the man page and apg --help, the only upper-case options are N and
E. No M. This is version 2.3.0b-r4; which version are you using?

--
Rgds
Peter. Linux Counter 5290, 1994-04-23.
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Alan McKinnon @ 2010-08-12 20:14 UTC
To: gentoo-user

On Thursday 12 August 2010 21:43:17 Peter Humphrey wrote:
> On Thursday 12 August 2010 20:21:23 Alan McKinnon wrote:
> > The command I use is:
> >
> >   $ apg -m8 -x8 -MCNL
> >   Badnack9
> >   VeOsFid5
> >   JucWeac9
> >   EowtUzt1
> >   SceybEf8
> >   ByejCys1
>
> After following this thread I emerged apg, thinking it looked useful.
> But according to the man page and apg --help, the only upper-case
> options are N and E. No M. This is version 2.3.0b-r4; which version are
> you using?

  [I] app-admin/apg
       Available versions:  2.3.0b-r4 {cracklib}
       Installed versions:  2.3.0b-r4(15:30:43 10/06/10)(cracklib)
       Homepage:            http://www.adel.nursat.kz/apg/
       Description:         Another Password Generator

I think you're reading the man page wrong. Look under -M

--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Stroller @ 2010-08-12 12:56 UTC
To: gentoo-user

On 11 Aug 2010, at 19:16, Dale wrote:
> Stroller wrote:
>>
>> On 10 Aug 2010, at 20:22, Hazen Valliant-Saunders wrote:
>>> ...
>>> Good Luck getting people to change them frequently and having
>>> your techs and IT departments meeting complexity and length policy.
>>
>> I'm pretty sure that's a trivial setting for expiration policy and
>> a PAM plugin or option to enforce complexity.
>
> Thing about changing passwords too often, the person forgets what the
> password is.

Then don't change it with frequency.

It was Mr Valliant-Saunders who seemed to be saying that that is difficult to
enforce, and I was merely replying to him.

Stroller.
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Dale @ 2010-08-13 2:11 UTC
To: gentoo-user

Stroller wrote:
>
> On 11 Aug 2010, at 19:16, Dale wrote:
>> Stroller wrote:
>>>
>>> On 10 Aug 2010, at 20:22, Hazen Valliant-Saunders wrote:
>>>> ...
>>>> Good Luck getting people to change them frequently and having your
>>>> techs and IT departments meeting complexity and length policy.
>>>
>>> I'm pretty sure that's a trivial setting for expiration policy and a
>>> PAM plugin or option to enforce complexity.
>>
>> Thing about changing passwords too often, the person forgets what the
>> password is.
>
> Then don't change it with frequency.
>
> It was Mr Valliant-Saunders who seemed to be saying that that is
> difficult to enforce, and I was merely replying to him.
>
> Stroller.
>

For some reason I missed the original of his. I still can't find it even tho it
is quoted here.

My reply wasn't to you but just a "general" reply. Most of my replies are
"general". Nothing aimed at you tho.

Dale

:-) :-)
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Stroller @ 2010-08-11 16:58 UTC
To: gentoo-user

On 10 Aug 2010, at 19:50, Alan McKinnon wrote:
> ... The major threat by analysis on a workstation is stepping away
> for a leak and forgetting to lock the screen. sudo is adequate protection
> against this as long as more than 5 minutes have elapsed since the last sudo
> was run - ...

And I seem to recall the 5 minute grace period can be changed or removed in
sudo's settings.

There was a big furore about this in the "Mac community" a couple of years ago,
before someone pointed out that sudo existed and was established on Linux, too.

Stroller.
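The 5-minute window Alan describes is sudo's default credential cache, the sudoers `timestamp_timeout` option, and as Stroller recalls it is adjustable. The added Python example below is not code from the thread: it parses two constructed sudoers fragments, the password-less `NOPASSWD: ALL` setup from the original post beside a hardened one, and reports the effective grace period, logging and password-less rules; the user name `paul` and the log path are hypothetical.

```python
import re

# Constructed sudoers fragments for this example (not from the thread).
# The weak one mirrors the original post: password-less sudo for any command,
# with the default 5-minute credential cache left in place.
WEAK_SUDOERS = """\
paul ALL=(ALL) NOPASSWD: ALL
"""

# Hardened: every sudo asks for the password (no grace period at all), and
# each invocation goes to a local log and to syslog, which the syslog daemon
# should also ship off the box so a root-level intruder cannot erase it.
HARDENED_SUDOERS = """\
Defaults timestamp_timeout=0
Defaults logfile="/var/log/sudo.log"
Defaults syslog=authpriv
paul ALL=(ALL) ALL
"""

DEFAULT_TIMESTAMP_TIMEOUT = 5   # sudo's compiled-in default, in minutes

# user host=(runas) [NOPASSWD:] commands
USER_SPEC = re.compile(r"(\S+)\s+(\S+)\s*=\s*(\([^)]*\))?\s*(.*)")


def parse_sudoers(text):
    """Split sudoers text into global Defaults and simple user specifications.

    Only the subset of the grammar needed here is handled: comments, plain
    'Defaults' lines (scoped forms such as 'Defaults:user' are skipped) and
    one-line user specs of the form matched by USER_SPEC.
    """
    defaults, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            if line.startswith("Defaults "):
                for item in line[len("Defaults"):].split(","):
                    item = item.strip()
                    if "=" in item:
                        key, value = item.split("=", 1)
                        defaults[key.strip()] = value.strip().strip('"')
                    elif item:
                        defaults[item] = True      # boolean flag, e.g. !syslog
            continue
        m = USER_SPEC.match(line)
        if m:
            user, host, runas, cmds = m.groups()
            specs.append({
                "user": user,
                "host": host,
                "runas": (runas or "(root)").strip("()"),
                "nopasswd": "NOPASSWD:" in cmds,
                "commands": cmds.replace("NOPASSWD:", "").strip(),
            })
    return defaults, specs


def audit_sudoers(text):
    """Return a list of findings describing the risky settings in `text`."""
    defaults, specs = parse_sudoers(text)
    findings = []
    timeout = float(defaults.get("timestamp_timeout", DEFAULT_TIMESTAMP_TIMEOUT))
    if timeout < 0:
        findings.append("cached credentials never expire (timestamp_timeout < 0)")
    elif timeout > 0:
        findings.append(f"cached credentials stay valid {timeout:g} minutes after the last sudo")
    if defaults.get("!syslog") and "logfile" not in defaults:
        findings.append("sudo logging is disabled entirely")
    for spec in specs:
        if spec["nopasswd"]:
            what = "any command" if spec["commands"] == "ALL" else spec["commands"]
            findings.append(f"{spec['user']} may run {what} as {spec['runas']} without a password")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(name, audit_sudoers(text) or ["no findings"])
```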
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Alan McKinnon @ 2010-08-11 20:26 UTC
To: gentoo-user

On Wednesday 11 August 2010 18:58:02 Stroller wrote:
> On 10 Aug 2010, at 19:50, Alan McKinnon wrote:
> > ... The major threat by analysis on a workstation is stepping away
> > for a leak and forgetting to lock the screen. sudo is adequate protection
> > against this as long as more than 5 minutes have elapsed since the last sudo
> > was run - ...
>
> And I seem to recall the 5 minute grace period can be changed or
> removed in sudo's settings.
>
> There was a big furore about this in the "Mac community" a couple of
> years ago, before someone pointed out that sudo existed and was
> established on Linux, too.
>
> Stroller.

And the clueless nutjobs on Ubuntu had exactly the same furore when Warty came
out 6 years ago. And every other distro before that. And every other *nix before
that right back to when sudo was released for the first time.

Every time it's the same. Rant! Rave! Go ballistic about ..... about .... I
dunno .... weird stuff about sudo!!!!!!

Not a friggin brain cell amongst the lot of them.

I've developed a savage delight in systematically dismantling people's
objections to sudo and showing how clueless they usually are. People who do
understand sudo and know it doesn't fit their needs never seem to rant about it
:-)

--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Dale @ 2010-08-09 20:25 UTC
To: gentoo-user

Robert Bridge wrote:
> On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
>
>> There have been discussions on this list why sudo is a bad idea and sudo on
>> *any* command is an even worse idea. You might as well be running everything
>> as root, right?
>
> sudo normally logs the command executed, and the account which
> executes it, so while not relevant for single user systems, it STILL
> has benefits over running as root.
>
> RobbieAB
>

I don't use sudo here but I assume an admin would only know that a nasty command
has been run well after it was run? Basically, after the damage has been done,
you can go look at the logs and see the mess some hacker left behind. For me,
that isn't a whole lot of help. You still got hacked, you still got to reinstall
and check to make sure anything you copy over is not infected.

Assuming that they can erase dmesg, /var/log/messages and other log files, who's
to say the sudo logs aren't deleted too? Then you still have no records to look
at.

I agree with the other posters tho, re-install from scratch and re-think your
security setup.

Dale

:-) :-)
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Mick @ 2010-08-09 21:22 UTC
To: gentoo-user

On Monday 09 August 2010 21:25:37 Dale wrote:
> Robert Bridge wrote:
> > On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
> >> There have been discussions on this list why sudo is a bad idea and sudo
> >> on *any* command is an even worse idea. You might as well be running
> >> everything as root, right?
> >
> > sudo normally logs the command executed, and the account which
> > executes it, so while not relevant for single user systems, it STILL
> > has benefits over running as root.
> >
> > RobbieAB
>
> I don't use sudo here but I assume an admin would only know that a nasty
> command has been run well after it was run? Basically, after the damage
> has been done, you can go look at the logs and see the mess some hacker
> left behind. For me, that isn't a whole lot of help. You still got
> hacked, you still got to reinstall and check to make sure anything you
> copy over is not infected.
>
> Assuming that they can erase dmesg, /var/log/messages and other log
> files, who's to say the sudo logs aren't deleted too? Then you still
> have no records to look at.
>
> I agree with the other posters tho, re-install from scratch and re-think
> your security setup.

That's the problem with any compromise worth its salt, all logs will be tampered
with to clear traces of interfering with your system. Monitoring network traffic
from a healthy machine is a good way to establish suspicious activity on the
compromised box and it also helps checking for open ports (nmap, or netcat) to
find out what's happening to the compromised box.

--
Regards,
Mick
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Dale @ 2010-08-09 22:19 UTC
To: gentoo-user

Mick wrote:
> On Monday 09 August 2010 21:25:37 Dale wrote:
>
>> Robert Bridge wrote:
>>
>>> On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
>>>
>>>> There have been discussions on this list why sudo is a bad idea and sudo
>>>> on *any* command is an even worse idea. You might as well be running
>>>> everything as root, right?
>>>>
>>> sudo normally logs the command executed, and the account which
>>> executes it, so while not relevant for single user systems, it STILL
>>> has benefits over running as root.
>>>
>>> RobbieAB
>>>
>> I don't use sudo here but I assume an admin would only know that a nasty
>> command has been run well after it was run? Basically, after the damage
>> has been done, you can go look at the logs and see the mess some hacker
>> left behind. For me, that isn't a whole lot of help. You still got
>> hacked, you still got to reinstall and check to make sure anything you
>> copy over is not infected.
>>
>> Assuming that they can erase dmesg, /var/log/messages and other log
>> files, who's to say the sudo logs aren't deleted too? Then you still
>> have no records to look at.
>>
>> I agree with the other posters tho, re-install from scratch and re-think
>> your security setup.
>>
> That's the problem with any compromise worth its salt, all logs will be
> tampered with to clear traces of interfering with your system. Monitoring
> network traffic from a healthy machine is a good way to establish suspicious
> activity on the compromised box and it also helps checking for open ports
> (nmap, or netcat) to find out what's happening to the compromised box.
>

Yep, cause when they are in the system, they can do what they want. Once they
get root privileges, nothing else matters after that. It's just a matter of the
clean up which from what I have always read is a reinstall. It's not good to
hear but it's the best way to know for sure you are safe.

Me tho, I would start from scratch and not even chroot into the old install. I
might mount and try to read a log file or copy my world file but that would be
about it. I'm not sure I would trust anything else.

I just hope this never happens to me. :/

Dale

:-) :-)
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Philip Webb @ 2010-08-09 21:17 UTC
To: gentoo-user

100809 Robert Bridge wrote:
> On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@gmail.com> wrote:
>> There have been discussions on this list why sudo is a bad idea
>> and sudo on *any* command is an even worse idea.
>> You might as well be running everything as root, right?
> sudo normally logs the command executed and the account which executes it,
> so while not relevant for single user systems,
> it STILL has benefits over running as root.

I follow 2 simple rules: (1) never start X as root -- I open in a raw terminal,
then 'startx', so it's ok to login there as root to get some system fixes done,
but of course logout again before starting X as user -- & (2) do all system
stuff in a virtual root terminal on its own desktop, where the prompt says
'root' in red letters & the background is black (my user terminal has a white
background): that's down in the basement, where all the pipes & wires are & you
need a hard hat & safety boots & you need to unlock the basement door, whose key
is the root password.

also, my user terminal says :

  524: gx> which sudo
  which: no sudo in (/sbin:/usr/sbin:/usr/local/sbin::/bin:/usr/bin:/usr/local/bin:/usr/kde/3.5/bin)

--
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /]  [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Paul Hartman @ 2010-08-09 23:07 UTC
To: gentoo-user

On Mon, Aug 9, 2010 at 2:09 PM, Mick <michaelkintzios@gmail.com> wrote:
> On Monday 09 August 2010 17:25:56 Paul Hartman wrote:
>> My user account has sudo-without-password rights to any command.
>
> Ouch!

Having still not physically touched the machine yet, I don't know if sudo had anything to do with it at all at this point. But I'll assume for a moment that its use was perhaps involved...

> There have been discussions on this list why sudo is a bad idea and sudo on
> *any* command is an even worse idea. You might as well be running everything
> as root, right?

Essentially. I did not think it through from an internally-defensive standpoint. I only thought of sudo as "I am deciding whether to run this command as user or as root". Assuming *I* would be the only one running a program on my computer. My thinking was clearly flawed there... The idea of an attacker being in my system didn't really enter my mind. Or an untrusted program shelling out and running "sudo some-bad-stuff" without my knowing.

Every sudo command is logged, sure, but as Bill pointed out that only works for as long as it takes someone to sudo himself into a root shell (or delete the logs). I don't really audit the sudo logs regularly because of the stupid assumption that I was the only one running any sudo commands.

> You have decided wisely to reinstall because you can't be sure of this OS
> anymore.

I'm most concerned about learning how this happened because I don't want to reinstall everything only to be compromised again, and with the hope that perhaps any info I find can help others avoid finding themselves in this same situation. If I'm only going to re-create the exact same set-up, I don't know if I can be sure of it then even after reinstalling...

> Please keep us updated on what you find from the forensic analysis.

Sudo was one of the first things that popped into my head. sshd is really the only service open to the outside. Some other ports are open for specific apps, like bittorrent traffic, which is what I was monitoring when I noticed the suspicious activity -- and I was downloading a Linux ISO, I swear. My original plans for tonight were to install Sabayon on an old laptop that is becoming unmanageable from a Gentoo standpoint due to infrequent use and days-long update sessions. I'll put that little project on hold for now...

My sshd setup is pubkey only, no root logins, and I use denyhosts to block after 3 failed logins, and it syncs its blocklist from the denyhosts master server many times a day. I use NX Server, but not with the default key, and I don't think there have been any (publicly disclosed) remotely-exploitable opensshd vulnerabilities that would allow an attacker direct entry into a system.

I haven't noticed anything out of place on my system, no unusual files or missing items. I take infrequent peeks at my ssh logs, w/who/last and network traffic (as I did today when I discovered it), but I am not religious about reading every log. Life has been quite busy lately and I haven't had as much time to dedicate to that sort of stuff. It has been more like log on, check my email, pay my bills, log off.

So, from that outside-entry standpoint I was certainly lulled into a false sense of security about my system. My root account has a very long and complicated password, and my user account was surely "impenetrable" since I was using pubkey-only SSH logins, right... I have encrypted partitions, but they are mounted when the system is up and running, so they are really pointless against an "online" attack...

Typing that long password into sudo every time I ran a command was a hassle, and clearly I thought myself too intelligent to ever run a malicious piece of code on my own computer. I mean, that's the kind of thing I would never do. I'm careful. I usually look at things before I run them, scan them with clamscan (not that I run outside scripts/binaries very often at all). Right?

And what if a seemingly-safe program decided to download and run malware on its own? What if there was a vulnerability that was exploited before it was discovered & patched by the community (and my Gentoo update cycle)? What if there was a rogue Firefox add-on stealing passwords or running shell scripts? That would probably never happen, surely someone else would have noticed it and put a stop to it before it got to me, or I would have read a warning about it in the tech news someplace. Yeah, I'm being a bit sarcastic here. ;)

I do hope I can find some evidence that leads me to the point of entry. It would set my mind at ease.
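Paul's point above, that sudo's per-command log stops being useful the moment someone sudos into a root shell, is exactly what an auditor should look for when reviewing those logs after the fact. The following is an added example, not code from the thread or from the sudo project: it parses sudo's default syslog line format and flags entries that start a shell (which is how "sudo -i" and "sudo -s" appear, as the target user's shell binary), entries sudo itself refused, entries with no controlling terminal, and entries that edit files controlling root access. The log lines, host name and user are constructed, and the SHELLS and SENSITIVE lists are assumptions to adapt per host.

```python
"""Flag sudo log entries that escape per-command logging or look out of place.

Added example, not from the gentoo-user thread. The log lines are constructed
in the syslog format sudo writes by default (host, users and times invented).
"""
import re
from typing import Any, Dict, List, Optional

# Running one of these under sudo leaves the caller in an interactive root
# shell; "sudo -i" and "sudo -s" are logged as the target user's shell too.
# Everything done afterwards is invisible to sudo's log. List is an assumption.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/dash", "/bin/su", "/usr/bin/su"}
# Files whose modification under sudo changes who can become root or log in.
SENSITIVE = ("/etc/sudoers", "authorized_keys", "/etc/passwd", "/etc/shadow")

# sudo's syslog format: "<user> : [status ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<fields>.*)$"
)

# Constructed sample log; "gentoobox" and "paul" are invented.
SAMPLE_LOG = """\
Aug  9 10:02:11 gentoobox sudo:     paul : TTY=pts/0 ; PWD=/home/paul ; USER=root ; COMMAND=/usr/bin/emerge -uDN world
Aug  9 10:05:33 gentoobox sudo:     paul : TTY=pts/0 ; PWD=/home/paul ; USER=root ; COMMAND=/bin/cp -f /tmp/hosts.new /etc/hosts
Aug  9 10:15:40 gentoobox sudo:     paul : TTY=pts/1 ; PWD=/home/paul ; USER=root ; COMMAND=/bin/bash
Aug  9 11:29:50 gentoobox sudo:     paul : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/paul ; USER=root ; COMMAND=/bin/bash
Aug  9 11:30:05 gentoobox sudo:     paul : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
Aug  9 11:31:17 gentoobox sudo:     paul : TTY=pts/2 ; PWD=/home/paul ; USER=root ; COMMAND=/bin/su -
Aug  9 12:00:00 gentoobox sshd[2211]: Accepted publickey for paul from 192.0.2.10 port 51234 ssh2
"""


def parse_sudo_line(line: str) -> Optional[Dict[str, Any]]:
    """Return the fields of one sudo log line, or None for any other line."""
    m = SUDO_RE.match(line)
    if m is None:
        return None
    entry: Dict[str, Any] = {
        "ts": m.group("ts"), "host": m.group("host"),
        "user": m.group("user"), "status": "",
    }
    for part in m.group("fields").split(" ; "):
        key, sep, val = part.partition("=")
        if sep:
            entry[key.strip()] = val.strip()
        else:
            # A field without '=' is sudo's own verdict, e.g. "command not allowed".
            entry["status"] = key.strip()
    return entry


def classify(entry: Dict[str, Any]) -> List[str]:
    """Reasons this entry deserves a second look; empty means nothing unusual."""
    reasons: List[str] = []
    argv = entry.get("COMMAND", "").split()
    prog = argv[0] if argv else ""
    if entry["status"]:
        reasons.append(f"sudo reported: {entry['status']}")
    if prog in SHELLS:
        reasons.append("starts a root shell; what happens next is not in sudo's log")
    if entry.get("TTY") == "unknown":
        reasons.append("no controlling terminal: run from a script or daemon, not a person at a prompt")
    if any(s in a for a in argv[1:] for s in SENSITIVE):
        reasons.append("touches a file that controls root access or logins")
    return reasons


def find_suspicious(log_text: str) -> List[Dict[str, Any]]:
    """Every sudo entry in the text that has at least one reason attached."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']} -> {hit['COMMAND']}")
        for reason in hit["reasons"]:
            print(f"    {reason}")
```

On a real box you would feed it `/var/log/auth.log` or whatever syslog facility sudo is configured to use (the `logfile` Defaults option, if set, gives a dedicated file with the same fields); the point of separating `parse_sudo_line` from `classify` is that the same parsed entries can also be compared against the user's own shell history and `last` output to see whether the two stories agree.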
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Frank Steinmetzger @ 2010-08-10 2:14 UTC
To: gentoo-user

On Tuesday, 10 August 2010, Paul Hartman wrote:
> Typing that long password into sudo every time I ran a command was a
> hassle

I’ve never used sudo, and never really liked the idea of it. In fact I’m always amused and slightly annoyed by the sheer amount of sudo one can find in your typical ubuntu howto. ;-)

It’s one reason why I abstained from installing Truecrypt 6, because it requires sudo (Yes I know, in default setup you can’t do much with it. It is but an issue of principle). However, because I need root commands regularly (for example to initiate the VPN to my uni’s WiFi), I usually have one tab in Yakuake where I do a normal su once after login.

And for more safety on my part, I also use different prompts: red hostname for root console, green user@hostname for nonroot.

--
Gruß | Greetings | Qapla'
What’s right is right, otherwise it’d be wrong.
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Indexer @ 2010-08-10 2:24 UTC
To: gentoo-user, Frank Steinmetzger

On 10/08/2010, at 11:44 AM, Frank Steinmetzger wrote:
> On Tuesday, 10 August 2010, Paul Hartman wrote:
>
>> Typing that long password into sudo every time I ran a command was a
>> hassle
>
> I’ve never used sudo, and never really liked the idea of it. In fact I’m
> always amused and slightly annoyed by the sheer amount of sudo one can find in
> your typical ubuntu howto. ;-)
>
> It’s one reason why I abstained from installing Truecrypt 6, because it
> requires sudo (Yes I know, in default setup you can’t do much with it. It is
> but an issue of principle). However, because I need root commands regularly
> (for example to initiate the VPN to my uni’s WiFi), I usually have one tab in
> Yakuake where I do a normal su once after login.
>
> And for more safety on my part, I also use different prompts: red hostname for
> root console, green user@hostname for nonroot.
> --
> Gruß | Greetings | Qapla'
> What’s right is right, otherwise it’d be wrong.

I hope you realise the use of "sudo -i" will give you a root shell just like su. The reason sudo is preferred is that it means between multiple administrators, you can eliminate the need for a shared password. sudo can also control who and what groups can access sudo, and even subsets of commands. sudo also has a "grace timer" in which once you prove your identity with your password once, you can use sudo without a password for a period of time after that. This can also be canceled with sudo -k.

In terms of system administration best practices, sudo is the way to go. You will see it used in all server administration tasks to escalate privileges, in a secure manner.

William Brown
pgp.mit.edu
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Walter Dnes @ 2010-08-11 1:05 UTC
To: gentoo-user

On Tue, Aug 10, 2010 at 04:14:41AM +0200, Frank Steinmetzger wrote
> On Tuesday, 10 August 2010, Paul Hartman wrote:
>
> > Typing that long password into sudo every time I ran a command was a
> > hassle
>
> I've never used sudo, and never really liked the idea of it. In
> fact I'm always amused and slightly annoyed by the sheer amount
> of sudo one can find in your typical ubuntu howto. ;-)

There are some things that have to be done as root, but are needed by a regular user. E.g. I have a backup dialup account with 295.ca (guess how much they charge per month <G>). When using it, I not only have to run "pon", but I also have to copy over the correct ssmtp.conf settings for my dialup ISP. My ~/bin/udialup (USB dialup) script reads like so...

    #!/bin/bash
    /usr/bin/sudo /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
    /usr/bin/sudo /usr/sbin/pon u295.ca

When I exit, I have to copy back the ssmtp.conf that points to my broadband ISP's MTU. My ~/bin/dialdown script reads like so...

    #!/bin/bash
    /usr/bin/sudo /usr/sbin/poff
    /usr/bin/sudo /bin/cp -f /etc/ssmtp/teksavvy.ssmtp.conf /etc/ssmtp/ssmtp.conf

This is after I figured out how to use "metric" in my network config so that ppp0 and eth0 could co-exist side by side. ppp0 can talk to the outside world via the dialup modem, while eth0 *SIMULTANEOUSLY* talks to my other machines on 192.168.123.248/29 (aka 192.168.123.240 netmask 255.255.255.240). Before that, my udialup script had to tear down eth0, and dialdown had to restart it. Here are some of the entries in /etc/sudoers on my machine "i3"...

    waltdnes i3 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
    waltdnes i3 = (root) NOPASSWD: /usr/sbin/pon 295.ca
    waltdnes i3 = (root) NOPASSWD: /usr/sbin/poff
    waltdnes i3 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/teksavvy.ssmtp.conf /etc/ssmtp/ssmtp.conf
    waltdnes i3 = (root) NOPASSWD: /sbin/poweroff
    waltdnes i3 = (root) NOPASSWD: /usr/bin/rdate time.nrc.ca -s
    waltdnes i3 = (root) NOPASSWD: /sbin/hwclock --systohc
    waltdnes i3 = (root) NOPASSWD: /usr/sbin/hibernate

This gives me the power to do specific root-level stuff as a regular user, without giving away the keys to the kingdom. Note that none of the entries accepts any parameters, let alone $*. Also, specifying the path prevents running the wrong executable with root-level privileges.

--
Walter Dnes <waltdnes@waltdnes.org>
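Walter's sudoers entries and William's earlier remarks (the subsets-of-commands feature, the grace timer and "sudo -k", and the fact that a rule for a shell is the same as "sudo -i") both come down to reading a sudoers file with a critical eye. Two details of sudoers(5) semantics matter here and are easy to miss: a command listed with no arguments matches any arguments the caller supplies (the way to forbid arguments is to append an empty string, `""`), and a wildcard in the arguments is matched against the concatenated argument string, so it can span word boundaries. The following is an added example, not part of the thread and not the sudo project's own tooling: a small parser for user specifications and Defaults lines that reports `ALL`, root-shell-equivalent programs, argument-less commands, wildcards, relative paths, and a never-expiring grace timer. The sample file mixes Walter's real entries with constructed weak ones; the users paul, ops, backup and dev and the ROOT_SHELL_EQUIVALENT list are assumptions.

```python
"""Audit sudoers user specifications for rules that hand over more than intended.

Added example, not from the gentoo-user thread or the sudo project. The sample
below is constructed: Walter's entries plus invented weak ones.
"""
import os
import re
import shlex
from typing import Any, Dict, List

DEFAULTS_RE = re.compile(r"^Defaults(?:[:@>!]\S+)?\s+(?P<opts>.+)$")
# user host = (runas) [TAG:] cmd[, cmd...]   (aliases are not expanded here)
USER_SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# Each tag and the opposite tag that cancels it.
TAGS = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD", "NOEXEC": "EXEC",
        "EXEC": "NOEXEC", "SETENV": "NOSETENV", "NOSETENV": "SETENV"}
# Shells, and interactive programs that can launch child processes, so a rule
# for them amounts to "sudo -i". Assumed list; extend per host.
ROOT_SHELL_EQUIVALENT = {"sh", "bash", "zsh", "dash", "su",
                         "vi", "vim", "nano", "emacs", "less", "more"}

SAMPLE_SUDOERS = """\
# constructed sample, not a real /etc/sudoers
Defaults timestamp_timeout=5
paul ALL=(ALL) NOPASSWD: ALL
waltdnes i3 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
waltdnes i3 = (root) NOPASSWD: /usr/sbin/poff
waltdnes i3 = (root) NOPASSWD: /usr/sbin/poff ""
ops ALL=(root) /usr/bin/vim /etc/hosts
backup ALL=(root) NOPASSWD: /usr/bin/rsync -a /home/* /mnt/backup/
dev ALL=(root) apachectl restart
"""


def parse_user_spec(line: str) -> List[Dict[str, Any]]:
    """Split one user specification into its commands. Tags carry over to the
    later commands of the same spec until the opposite tag appears."""
    m = USER_SPEC_RE.match(line)
    if not m:
        return []
    rules: List[Dict[str, Any]] = []
    tags: set = set()
    for chunk in m.group("cmds").split(","):
        chunk = chunk.strip()
        # Peel "TAG:" prefixes (a ':' inside command arguments is not handled).
        while ":" in chunk and chunk.split(":", 1)[0] in TAGS:
            tag, chunk = chunk.split(":", 1)
            tags.discard(TAGS[tag])
            tags.add(tag)
            chunk = chunk.strip()
        rules.append({"user": m.group("user"), "host": m.group("host"),
                      "runas": m.group("runas") or "root",
                      "tags": set(tags), "cmd": chunk})
    return rules


def audit_rule(rule: Dict[str, Any]) -> List[str]:
    """Problems with one command rule; empty list means it looks tight."""
    problems: List[str] = []
    cmd, tags = rule["cmd"], rule["tags"]
    if cmd == "ALL":
        how = "without a password" if "NOPASSWD" in tags else "with a password"
        problems.append(f"any command as {rule['runas']} {how}: the account is effectively root")
        return problems
    argv = shlex.split(cmd)          # '""' becomes an empty argument, meaning "no arguments"
    prog = argv[0]
    if not prog.startswith("/"):
        problems.append("not an absolute path: sudoers requires a fully qualified command")
    if os.path.basename(prog) in ROOT_SHELL_EQUIVALENT:
        problems.append("interactive program: same as an unlogged root shell (use sudoedit for files)")
    if len(argv) == 1:
        problems.append('no argument list: sudoers then accepts any arguments; append "" to forbid them')
    if any(ch in a for a in argv[1:] for ch in "*?"):
        problems.append("wildcard in arguments: it matches across spaces, so extra options can be appended")
    return problems


def audit_sudoers(text: str) -> Dict[str, Any]:
    """Parse a sudoers text and return its Defaults plus every flagged rule."""
    defaults: Dict[str, str] = {}
    findings: List[Dict[str, Any]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        d = DEFAULTS_RE.match(line)
        if d:
            for opt in d.group("opts").split(","):
                key, _, val = opt.strip().partition("=")
                defaults[key] = val or "true"
            continue
        if line.split()[0].endswith("_Alias"):
            continue  # alias definitions are not expanded in this example
        for rule in parse_user_spec(line):
            problems = audit_rule(rule)
            if problems:
                findings.append({"user": rule["user"], "cmd": rule["cmd"], "problems": problems})
    # The grace timer: -1 means a password is never asked again until "sudo -k".
    if defaults.get("timestamp_timeout") == "-1":
        findings.append({"user": "Defaults", "cmd": "timestamp_timeout=-1",
                         "problems": ["grace period never expires; only 'sudo -k' or a reboot clears it"]})
    return {"defaults": defaults, "findings": findings}


if __name__ == "__main__":
    report = audit_sudoers(SAMPLE_SUDOERS)
    print("Defaults:", report["defaults"])
    for f in report["findings"]:
        print(f"{f['user']}: {f['cmd']}")
        for p in f["problems"]:
            print(f"    {p}")
```

Run against the constructed sample, the entries Walter shows with explicit arguments pass, the argument-less `/usr/sbin/poff` is reported (its `""` variant is not), and the invented `paul ALL=(ALL) NOPASSWD: ALL` line is reported as what it is: a second root account. Real files also use `#include`/`#includedir` and aliases, which this example deliberately leaves out; `visudo -c` remains the syntax check, this only looks at what the syntax permits.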
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Dale @ 2010-08-11 2:16 UTC
To: gentoo-user

Walter Dnes wrote:
> On Tue, Aug 10, 2010 at 04:14:41AM +0200, Frank Steinmetzger wrote
>
>> On Tuesday, 10 August 2010, Paul Hartman wrote:
>>
>>> Typing that long password into sudo every time I ran a command was a
>>> hassle
>>>
>> I've never used sudo, and never really liked the idea of it. In
>> fact I'm always amused and slightly annoyed by the sheer amount
>> of sudo one can find in your typical ubuntu howto. ;-)
>>
> There are some things that have to be done as root, but are needed by
> a regular user. E.g. I have a backup dialup account with 295.ca (guess
> how much they charge per month<G>). When using it, I not only have to
> run "pon", but I also have to copy over the correct ssmtp.conf settings
> for my dialup ISP. My ~/bin/udialup (USB dialup) script reads like so...
>
> #!/bin/bash
> /usr/bin/sudo /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
> /usr/bin/sudo /usr/sbin/pon u295.ca
>
> When I exit, I have to copy back the ssmtp.conf that points to my
> broadband ISP's MTU. My ~/bin/dialdown script reads like so...
>
> #!/bin/bash
> /usr/bin/sudo /usr/sbin/poff
> /usr/bin/sudo /bin/cp -f /etc/ssmtp/teksavvy.ssmtp.conf /etc/ssmtp/ssmtp.conf
>
> This is after I figured out how to use "metric" in my network config
> so that ppp0 and eth0 could co-exist side by side. ppp0 can talk to the
> outside world via the dialup modem, while eth0 *SIMULTANEOUSLY* talks to
> my other machines on 192.168.123.248/29 (aka 192.168.123.240 netmask
> 255.255.255.240). Before that, my udialup script had to tear down eth0,
> and dialdown had to restart it. Here are some of the entries in
> /etc/sudoers on my machine "i3"...
>
> waltdnes i3 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
> waltdnes i3 = (root) NOPASSWD: /usr/sbin/pon 295.ca
> waltdnes i3 = (root) NOPASSWD: /usr/sbin/poff
> waltdnes i3 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/teksavvy.ssmtp.conf /etc/ssmtp/ssmtp.conf
> waltdnes i3 = (root) NOPASSWD: /sbin/poweroff
> waltdnes i3 = (root) NOPASSWD: /usr/bin/rdate time.nrc.ca -s
> waltdnes i3 = (root) NOPASSWD: /sbin/hwclock --systohc
> waltdnes i3 = (root) NOPASSWD: /usr/sbin/hibernate
>
> This gives me the power to do specific root-level stuff as a regular
> user, without giving away the keys to the kingdom. Note that none of
> the entries accepts any parameters, let alone $*. Also, specifying the
> path prevents running the wrong executable with root-level privileges.
>

I used to use wvdial as well as pon and I don't recall having to be root. I added myself to the dial-up group if I recall correctly. It just worked for me.

I also don't use sudo here either. ;-)

Dale

:-) :-)
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Walter Dnes @ 2010-08-11 4:36 UTC
To: gentoo-user

On Tue, Aug 10, 2010 at 09:16:20PM -0500, Dale wrote
> I used to use wvdial as well as pon and I don't recall having to be
> root. I added myself to the dial-up group if I recall correctly. It just
> worked for me.
>
> I also don't use sudo here either. ;-)

As I mentioned, I also have to copy a new ssmtp.conf. I'm aware of the -C option for ssmtp, but then I'd have to muck around with mutt when switching between ADSL and dialup. This way, mutt doesn't care. It "just works".

--
Walter Dnes <waltdnes@waltdnes.org>
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Dale @ 2010-08-11 5:37 UTC
To: gentoo-user

Walter Dnes wrote:
> On Tue, Aug 10, 2010 at 09:16:20PM -0500, Dale wrote
>
>> I used to use wvdial as well as pon and I don't recall having to be
>> root. I added myself to the dial-up group if I recall correctly. It just
>> worked for me.
>>
>> I also don't use sudo here either. ;-)
>>
> As I mentioned, I also have to copy a new ssmtp.conf. I'm aware of
> the -C option for ssmtp, but then I'd have to muck around with mutt when
> switching between ADSL and dialup. This way, mutt doesn't care. It
> "just works".
>

Ahhhh, so it's not pon that needs the permissions but another program. That makes sense. Sort of had me confused for a minute. Don't worry, I have those minutes a lot. lol They sometimes pass pretty quick but some take a bit longer.

Dale

:-) :-)
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Keith Dart @ 2010-08-10 2:30 UTC
To: gentoo-user; Cc: paul.hartman+gentoo

On Mon, 9 Aug 2010 18:07:15 -0500 Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:
> I do hope I can find some evidence that leads me to the point of
> entry. It would set my mind at ease.

Please let us know. I'm really curious about this also. I hope it wasn't a trojaned package in portage.

--
Keith Dart
* Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Adam Carter @ 2010-08-10 3:06 UTC
To: gentoo-user

> Alternatively I was running vulnerable/compromised software. My box
> has sshd running, root login in ssh is not allowed, and pubkey only
> logins (no passwords). It is behind a wireless router but port 22 is
> open and pointing to this box, and a few others needed by other
> applications. So I will check out which keys exist on the compromised
> machine and make sure I recognize them all. I'll also need to check
> the status of any other computer my key is stored on (a mix of linux &
> windows, and my mobile phone). Sigh...

Since your sshd setup is pretty secure I'd look at other network services. What else was running, and were there any servers that were only available from the local net (or were less protected from connections from the local net) than the Internet? That's the only case where a router compromise would assist in attacking your gentoo box.

There have been some web browser based attacks that have come out against routers recently. They run the attack on your browser (cross site scripting IIRC) to get access to the web interface of the router because that is typically not available via the Internet side interface. Then they run a password guessing attack. Did your router have a strong password?