Berkeley CSUA MOTD:Entry 15021

1998/11/25 [Computer/SW/OS/Linux] UID:15021 Activity:very high
11/24   Linux question:
                One of our linux servers at work allows anyone to type "su" to
                become root.  Someone did this and changed the root password
                from its default state of not having a password to having
                a password.  To make a long story short, someone else was
                still logged in as root and erased the entry in the
                /etc/shadow file, so we no longer have the problem.  However,
                how do you determine which user/IP address the change
                originated from?  Keep in mind that the time stamp was changed
                once we fixed the /etc/shadow file, so we can't use the
                original time stamp to help track anyone down.
                \_ I don't suppose you have a sulog, or even /var/log/messages
                  syslog messages reporting successes/failures of su commands?
                \_ of course a good hacker who knows what they're doing will
                   have erased all trace of themselves, and installed
                   something fun like the RootKit, assuring future backdoor
                   access to them and their buddies.
                        \_ you don't need to be a particularly good hacker
                           to break into a linux machine with a blank root
                           password.  Christ, set a password and get on
                           with your life.  -tom
                \_ No root password?  You are fucking stupid and deserve
                   what you get.  SET A FUCKING PASSWORD!  Use sudo if you
                   must.  You're running your unix box like a win95 machine.
                   Even if you do find logs, you can't believe what they say.
                   A malicious person wouldn't have erased all traces but
                   changed the logs to point to _someone else_.  Go hire a
                   real SA and stop letting engineers play root.  It isn't
                   a game.
                \_ Well, thank you for missing the point and responding with
                all the lunacy of a religious zealot.  For god's sake, we're
                behind a firewall, and even if we had a root password, it
                would be told to most everyone anyway.  The linux box is used
                as a test server.  It's ok that it's running "like a win95
                   \_ Something you failed to mention.
                machine".  And it wasn't a goddamn hacker, ok?  What kind of
                                \_ No one said it was.  They said you're
                                   stupid.
                idiot would hack his way behind the firewall, figure out
                        \_ A malicious employee who already works on that
                           side of the firewall.
                someone's login/password, go to superuser, hack at the system,
                cover his tracks, and then change the root password so we
                would become immediately suspicious?
                THINK, IDIOTS, THINK!  The simple, original question, was:
                Can you tell who logged in, then typed su, and then ran
                passwd.  /var/log/messages says root did it, and gives a number
                that I'm guessing is the PID.  Can you then tie the PID to
                a user or IP?  Thank you and I apologize for being cranky,
                but it is COMPLETELY unproductive to yell about passwords,
                etc, it doesn't answer the question.  Would you respond to
                "if johnny has $150, and wants to buy a $200 raiders jacket,
                does he have enough money?" with "THE RAIDERS SUCK! JOHNNY'S
                A LOSER!  ARGGGH!"  no, you wouldn't.  Good lord, this is basic
                life skills 101 people.  Oh, also, there's no "sulog". Thanks.
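An added example, not from the thread, of the correlation the question is asking for: run over constructed sample syslog lines, it ties a root password change back to the su session(s) open at that moment and the ssh login address behind them. It assumes the message formats of current shadow-utils su/passwd and OpenSSH sshd, that lines are in chronological order, and that the logs themselves are intact.

```python
import re

# Constructed sample syslog lines (not from the original thread). sshd records the
# login source address, su records who became root and on which TTY, and passwd
# records only the effective user and its PID, so the PID has to be tied to a person
SAMPLE_LOG = """\
Nov 24 09:12:01 testbox sshd[801]: Accepted password for alice from 10.1.2.3 port 40112 ssh2
Nov 24 09:13:10 testbox su[842]: (to root) alice on /dev/pts/1
Nov 24 09:20:05 testbox sshd[903]: Accepted password for bob from 10.1.2.9 port 40201 ssh2
Nov 24 09:21:30 testbox su[951]: (to root) bob on /dev/pts/2
Nov 24 09:23:44 testbox passwd[960]: password for 'root' changed by 'root'
Nov 24 09:30:00 testbox su[842]: pam_unix(su:session): session closed for user root
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[(\d+)\]: (.*)$")
SSH_OK = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
SU_ROOT = re.compile(r"\(to root\) (\S+) on (\S+)")

def parse(log):
    """Yield (timestamp, program, pid, message) for each well-formed syslog line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)

def attribute_root_passwd_changes(log):
    """Return [(timestamp, passwd_pid, [(user, tty, source_ip), ...])] per root password change.
    Lines are assumed chronological. Every su-to-root session still open when passwd ran
    is a candidate: syslog alone does not tie the passwd PID to a TTY, so with two open
    root shells the answer is deliberately ambiguous (process accounting would resolve it).
    """
    last_ip = {}   # user -> source address of that user's most recent ssh login
    open_su = {}   # su pid -> (user, tty, source_ip) for root sessions not yet closed
    results = []
    for ts, prog, pid, msg in parse(log):
        if prog == "sshd":
            m = SSH_OK.search(msg)
            if m:
                last_ip[m.group(1)] = m.group(2)
        elif prog == "su":
            m = SU_ROOT.search(msg)
            if m:
                user, tty = m.groups()
                open_su[pid] = (user, tty, last_ip.get(user, "unknown"))
            elif "session closed" in msg:
                open_su.pop(pid, None)
        elif prog == "passwd" and "password for 'root' changed" in msg:
            results.append((ts, pid, list(open_su.values())))
    return results
```

Calling `attribute_root_passwd_changes(SAMPLE_LOG)` reports passwd[960] with both alice (10.1.2.3, pts/1) and bob (10.1.2.9, pts/2) as candidates; narrowing that down needs the TTY of the passwd process, which `lastcomm` gives when BSD process accounting is enabled.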