(Free 7.2) "su -l" didn't prompt for a password. Is it possible?
Jason Hellenthal
jhellenthal at dataix.net
Mon Jun 18 14:43:03 UTC 2012
On Mon, Jun 18, 2012 at 05:31:54PM +0400, Budnev Vladimir wrote:
> Hello everyone.
> We've noticed some strange situation. After reboot and login, the system
> didn't ask for a password while switching with su -l.
>
> In detail, there was a root login from the terminal and one from ssh.
> The terminal login was directly as root (via ip-console), and ssh was as a
> user, then attempted to switch to root with su -l, and there was NO
> password request, no prompt at all. At the same time the login from the terminal
> accepted the root password; first I thought that meant the password wasn't
> empty, but even with an empty password the system should print "Password:"... and
> that time it was nothing, absolutely. We even logged out and then su -l
> again.
>
> And it looked like this:
>
> %su -l
> St-serv#
> St-serv# exit
> %su -l
> St-serv#
>
> We've been shocked and hurried a bit and changed the root password without
> an /etc/master.passwd backup for exploration.
> After changing the password we can no longer reproduce such behaviour.
>
> It should also be noticed that the system was booting after an unsafe power
> shutdown, and there was an fs-check running in the background (according to
> the logs), which corrected/cleared some files (searching by inum resulted in nothing).
>
> sysctl -a gave this string:
> <118>Starting background file system checks in 60 seconds.
> <118>
>
> and in /var/log/messages we could see:
> Jun 15 14:57:39 St-serv kernel: em0: link state changed to UP
> Jun 15 14:57:49 St-serv login: ROOT LOGIN (root) ON ttyv0
> Jun 15 14:58:47 St-serv fsck: /dev/ad0s1e: 71 files, 11 used, 2538508
> free (84 frags, 317303 blocks, 0.0% fragmentation)
> Jun 15 15:02:31 St-serv fsck: /dev/ad0s1f: 264646 files, 1378041 used,
> 60368113 free (43545 frags, 7540571 blocks, 0.1% fragmentation)
> Jun 15 15:03:31 St-serv su: zimmer to root on /dev/ttyp0
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT
> I=1931747 (897632 should be 897600) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT
> I=1931748 (1865184 should be 1865120) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT
> I=2284637 (4 should be 0) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT
> I=2284713 (4 should be 0) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=23557
> OWNER=root MODE=100644
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=0 MTIME=Jun 9 18:51
> 2012 (CLEARED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=1931319
> OWNER=root MODE=100640
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=728 MTIME=Jul 26 17:37
> 2011 (CLEARED)
> <...>
>
>
> I've googled and found only one thread with su not asking for a password;
> that one was about jails, but this time we have a 100% guarantee that we
> didn't put up any virtual environments.
>
> So the thing that scares us is, maybe this is a symptom of a server rootkit? (We've
> found nothing unusual in the logs but it means nothing...) Or is there some
> other explanation why su could not ask for a password?
>
The only thing I can think of ATM is... did you recently perform an
upgrade from source with this system? mergemaster?
The reason why I ask is that when doing such things the master.passwd is
compared to the default master.passwd, which has no password set. If a
merge went wrong then there is a possibility that it was set back to
defaults by accident.
I also see that your system booted up and did a fsck(8). There is a
chance that something weird happened here as well.
>
> Thanks in advance
>
> PS Duplicated question to freebsd-questions and freebsd-security because
> unsure which one it should be sent to.
>
--
- (2^(N-1))
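A defender's offline check for the two theories raised in this thread, as an added example that is not code from the thread or from FreeBSD: it scans a master.passwd-style file for accounts whose password field is empty (what a bad mergemaster run could leave behind) and pulls the fsck "(CLEARED)" entries and su-to-root records out of a messages log. The sample files it writes are constructed from the lines quoted above; the hash for "zimmer" is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit master.passwd for empty password
# fields and a messages log for fsck-cleared files and su-to-root events.
# make_samples writes constructed data; on a real host pass the real files.

make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    # Constructed master.passwd: root's hash field is empty, as a bad merge could leave it.
    cat > "$SAMPLE_DIR/master.passwd" <<'EOF'
# comment lines are skipped by the audit
root::0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
zimmer:$6$placeholderhash:1001:1001::0:0:Sample User:/home/zimmer:/bin/sh
EOF
    # Constructed messages log, modelled on the lines quoted in the thread.
    cat > "$SAMPLE_DIR/messages" <<'EOF'
Jun 15 14:57:49 St-serv login: ROOT LOGIN (root) ON ttyv0
Jun 15 15:03:31 St-serv su: zimmer to root on /dev/ttyp0
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=23557 OWNER=root MODE=100644
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=0 MTIME=Jun 9 18:51 2012 (CLEARED)
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=1931319 OWNER=root MODE=100640
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=728 MTIME=Jul 26 17:37 2011 (CLEARED)
EOF
}

# Accounts whose password field (2nd field) is empty: su/login will not prompt.
# master.passwd fields: name:password:uid:gid:class:change:expire:gecos:home:shell
empty_password_accounts() {
    awk -F: '$0 !~ /^#/ && $2 == "" { print $1 }' "$1"
}

# Number of files fsck discarded; each "(CLEARED)" line is data the owner lost.
fsck_cleared_count() {
    grep -c 'fsck: .*(CLEARED)' "$1" || true
}

# Users who became root via su(1), one per line, in log order.
su_to_root_users() {
    sed -n 's/.* su: \([^ ]*\) to root on .*/\1/p' "$1"
}

make_samples
echo "empty-password accounts: $(empty_password_accounts "$SAMPLE_DIR/master.passwd")"
echo "fsck cleared files:      $(fsck_cleared_count "$SAMPLE_DIR/messages")"
echo "su to root by:           $(su_to_root_users "$SAMPLE_DIR/messages")"
```

On a real host, an empty field for root means su(1) and login(1) accept the account without a prompt, exactly what the original poster saw.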