in openpam_load_module(): no pam_unix.so found

Victor Star freebsd at victorstar.com
Tue Sep 25 11:06:01 PDT 2007


Hi Mike,

Now, before I got a chance to try it out it suddenly works again.
As good a piece of news as it is, I don't really like things fixing themselves without my knowledge of
what's going on... Looks like a good time to start learning about rootkits. Of course there is a
possibility of some resource-related issue, but I would expect at least to see something in
messages, or other log files....

I'll keep this email for the future in case it happens again.

Thank you for your help!

Victor

> On Mon, Sep 24, 2007 at 09:29:08AM -0400, Victor Star wrote:
>> ==- 8< -========================================================================
>> fireball# ldd /usr/lib/pam_unix.so
>> /usr/lib/pam_unix.so:
>>         libutil.so.5 => /lib/libutil.so.5 (0x28167000)
>>         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28173000)
>>         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
>>         libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)
>> fireball# ldd /usr/lib/pam_unix.so.3
>> /usr/lib/pam_unix.so.3:
>>         libutil.so.5 => /lib/libutil.so.5 (0x28167000)
>>         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28173000)
>>         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
>>         libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)

> Hmm. That all looks ok.

> The relevant code inside openpam[1] does something like

> dlopen(OPENPAM_MODULES_DIR . "/pam_unix.so.3", RTLD_NOW)

> and if that fails, tries

> dlopen(OPENPAM_MODULES_DIR . "/pam_unix.so", RTLD_NOW)

> Both of these must have failed when su ran.  

> It may be worth compiling the following:

> : mike at wafer:~ ; cat dlopentest.c 
> #include <dlfcn.h>
> #include <stdio.h>
> 
> int
> main (int argc, char **argv) {
> 
>         void *dlh;
> 
>         dlh = dlopen(argv[1], RTLD_NOW);
>         if (dlh) {
>                 printf("dlopen %s worked\n", argv[1]);
>         } else {
>                 printf("dlopen %s failed: %s\n", argv[1], dlerror());
>         }
>         return 0;
> }
> : mike at wafer:~ ; make dlopentest
> cc -O2 -fno-strict-aliasing -pipe -march="pentium3"  dlopentest.c  -o dlopentest
> : mike at wafer:~ ; ./dlopentest /usr/lib/pam_unix.so
> dlopen /usr/lib/pam_unix.so worked
> : mike at wafer:~ ; ./dlopentest /usr/lib/pam_unix.so.3
> dlopen /usr/lib/pam_unix.so.3 worked
> : mike at wafer:~ ; ./dlopentest /usr/lib/pam_kasjajsk.so
> dlopen /usr/lib/pam_kasjajsk.so failed: Cannot open "/usr/lib/pam_kasjajsk.so"
> : mike at wafer:~ ;

> this may give you a clue as to why the dlopen failed.  If that
> doesn't point at a problem, then recompile su with _openpam_debug
> = 1, and setup syslog to log LOG_DEBUG messages somewhere and see
> what happens.


> [1] assuming a version of FreeBSD suitably similar to the one I
> have here, of course.



>> 
>> ==- 8< -========================================================================
>> 
>> As for when it stopped working - the first thing I did was try to recall if I had updated any ports.
>> I even went so far as looking for all files in /usr/ modified within the date range, but no,
>> nothing.
>> 
>> I did update php5 a couple of days before that. But it still worked for about two days after that.
>> And I don't have apache/php open to the outside anyway. Just mail ports and ssh on a high port (closed
>> it for now just in case anyway).
>> 
>> Victor
>> 
>> >> ====- 8< -===================================================
>> >> su: in openpam_load_module(): no pam_unix.so found
>> >> su: pam_start: system error
>> >> ====- 8< -===================================================
>> >> 
>> >> pam_unix.so is in /usr/lib:
>> >> ====- 8< -===================================================
>> >> # ls -l /usr/lib/pam_unix*
>> >> lrwxr-xr-x  1 root  wheel     13 Sep 25  2006 /usr/lib/pam_unix.so -> pam_unix.so.3
>> >> -r--r--r--  1 root  wheel  10240 Feb 19  2007 /usr/lib/pam_unix.so.3
>> >> # file /usr/lib/pam_unix.so
>> >> /usr/lib/pam_unix.so: symbolic link to `pam_unix.so.3'
>> >> ====- 8< -===================================================
>> 
>> > First, this is how a problem should be described, great work.
>> 
>> > When openpam can't load a module, it also prints the 'not found' message.
>> > With 'ldd /usr/lib/pam_unix.so.3' you can see if all the libraries that
>> > it needs are in place. On my systems it gives the following output:
>> 
>> > $ ldd /usr/lib/pam_unix.so.3 
>> > /usr/lib/pam_unix.so.3:
>> >         libutil.so.5 => /lib/libutil.so.5 (0x28169000)
>> >         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28175000)
>> >         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818d000)
>> >         libpam.so.3 => /usr/lib/libpam.so.3 (0x28191000)
>> 
>> >> ====- 8< -===================================================
>> >> Sep 18 11:11:37 xxxxxx su: BAD SU <myloginname> to root on /dev/ttyp3
>> >> Sep 18 11:13:46 xxxxxx sshd[45047]: Bad protocol version identification '\377\364\377\375\006quit' from <some ip here>
>> >> Sep 18 11:15:08 xxxxxx sshd[45056]: Received disconnect from <some ip here>: 2: Bad packet length 710099706.
>> >> ====- 8< -===================================================
>> 
>> > The first line is probably the result of the broken pam_unix.so, the
>> > other two lines look to me like ssh brute-force attacks.
>> 
>> > But when did it stop working? Did you try to update the world or something like that?
>> 



-- 
Best regards,
 Victor
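An added example, not openpam's code and not from anyone in the thread: a small C program that walks the same two candidates Mike describes (OPENPAM_MODULES_DIR/pam_unix.so.3, then pam_unix.so) and, for each failure, records the exact dlerror() text plus a stat() hint, so the bare "no pam_unix.so found" message becomes "file missing" versus "present but unloadable" (a dangling symlink, a missing libcrypt/libypclnt dependency, wrong permissions). The default module directory is an assumption; pass another as the first argument.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Assumed default; openpam's real OPENPAM_MODULES_DIR is a build-time value. */
#define DEFAULT_MODULES_DIR "/usr/lib"

/* Try one candidate. Returns 1 if it loaded. On failure, `why` gets the exact
 * dlerror() text plus a stat() hint (missing vs. present-but-unloadable). */
static int try_candidate(const char *path, char *why, size_t whylen) {
    struct stat st;
    void *h = dlopen(path, RTLD_NOW);
    if (h != NULL) {
        dlclose(h);
        snprintf(why, whylen, "%s: loaded", path);
        return 1;
    }
    const char *err = dlerror();
    if (stat(path, &st) != 0)
        snprintf(why, whylen, "%s: file missing; dlerror: %s", path, err ? err : "?");
    else
        snprintf(why, whylen, "%s: present (%lld bytes, mode %o) but dlopen failed: %s",
                 path, (long long)st.st_size, (unsigned)(st.st_mode & 0777), err ? err : "?");
    return 0;
}

/* Same lookup order as openpam_load_module() in the thread: <dir>/<module>.so.3,
 * then <dir>/<module>.so. Returns 1 if either loaded; `report` gets one line per try. */
int find_pam_module(const char *dir, const char *module, char *report, size_t reportlen) {
    static const char *suffixes[] = { ".so.3", ".so" };
    char path[512], why[768];
    size_t used = 0;
    for (size_t i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s%s", dir, module, suffixes[i]);
        int ok = try_candidate(path, why, sizeof why);
        used += (size_t)snprintf(report + used, reportlen - used, "%s\n", why);
        if (used >= reportlen) used = reportlen - 1;  /* clamp after truncation */
        if (ok) return 1;
    }
    return 0;
}

int main(int argc, char **argv) {
    char report[2048];
    const char *dir = argc > 1 ? argv[1] : DEFAULT_MODULES_DIR;
    int ok = find_pam_module(dir, "pam_unix", report, sizeof report);
    fputs(report, stdout);
    return ok ? 0 : 1;  /* exit status mirrors whether su's PAM init would have succeeded */
}
```

Run it as the same user su runs as, since a permission problem on the module or one of its dependencies only shows up from that account.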