(Free 7.2) "su -l" didnt prompt password.Is it possbile?

Jason Hellenthal jhellenthal at dataix.net
Mon Jun 18 14:43:03 UTC 2012



On Mon, Jun 18, 2012 at 05:31:54PM +0400, Budnev Vladimir wrote:
> Hello everyone.
> We'v noticed some strange situation. After reboot and login, system 
> didn't ask for password while switchig with su -l.
> 
> In details, there was root login from terminal and one from ssh.
> Terminal login was directly as root(via ip-console), and ssh was as 
> user, then attemped switch to root with su -l, and there were NO 
> password request,no prompt at all. At the same time login from terminal 
> accepted root password, first I thought that means password wasn't 
> empty, but system even with empty password should print "Password:"..and 
> that time it was nothing absolultey. We even logged out and then su -l 
> again.
> 
> And It looked such way:
> 
> %su -l
> St-serv#
> St-serv# exit
> %su -l
> St-serv#
> 
> We'v been shocked and hurried a bit and changed root password without 
> /etc/master.passwd backup for explorations.
> After chagning password we cant no reprocude such behaviour.
> 
> It's also should be noticed that system was booting after unsafe power 
> shutdown, and there was fs-check running in background(accroding to 
> logs), corrected cleared some files(searching by inum resulted to nothing).
> 
> sysctl -a gave such string:
> <118>Starting background file system checks in 60 seconds.
> <118>
> 
> and in /var/log/messages we could see:
> Jun 15 14:57:39 St-serv kernel: em0: link state changed to UP
> Jun 15 14:57:49 St-serv login: ROOT LOGIN (root) ON ttyv0
> Jun 15 14:58:47 St-serv fsck: /dev/ad0s1e: 71 files, 11 used, 2538508 
> free (84 frags, 317303 blocks, 0.0% fragmentation)
> Jun 15 15:02:31 St-serv fsck: /dev/ad0s1f: 264646 files, 1378041 used, 
> 60368113 free (43545 frags, 7540571 blocks, 0.1% fragmentation)
> Jun 15 15:03:31 St-serv su: zimmer to root on /dev/ttyp0
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT 
> I=1931747 (897632 should be 897600) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT 
> I=1931748 (1865184 should be 1865120) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT 
> I=2284637 (4 should be 0) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT 
> I=2284713 (4 should be 0) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=23557  
> OWNER=root MODE=100644
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=0 MTIME=Jun  9 18:51 
> 2012  (CLEARED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=1931319  
> OWNER=root MODE=100640
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=728 MTIME=Jul 26 17:37 
> 2011  (CLEARED)
> <...>
> 
> 
> I'v googled and found only one thread with su didnt'asking for password, 
> that one was abut jails, but this time we have a 100% garanty that we 
> didnt put any virtual enviroments.
> 
> So the thing that scares is, mb this is symptop of server rootkit? (We'v 
> found nothing unusual in logs but it means nothing...) Or there is some 
> other explanation why su could not ask password?
> 

The only thing I can think of ATM is .. did you recently perform and
upgrade from source with this system ? mergemaster ?

The reason why I ask is that when doing such things the master.passwd is
compared to the default master.passwd which has no passowrd set. If a
merge when wrong then there is a possibility that it was set back to
defaults by accident.

I also see that your system booted up and did a fsck(8). There is a
chance that something wierd happened here as well.

> 
> Thanks in advance
> 
> PS Duplicated question to freebsd-questions and freebsd-security because 
> unsure which one it should be send.
> 
> 
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

-- 

 - (2^(N-1))


More information about the freebsd-questions mailing list