Password Security:
Examine the /etc/passwd file on the system and check for modifications to that file. In particular, look for the unauthorized creation of new accounts, accounts with no passwords, or UID changes (especially to UID 0) on existing accounts.
johnsmith:naVwowMManasMMo:10:200:John Smith:/users/johnsmith:/bin/bash
^         ^               ^  ^   ^          ^                ^
|         |               |  |   |          |                +- User's shell program
|         |               |  |   |          +---- User's home directory
|         |               |  |   +----------------- User's real name
|         |               |  +------------------------- User number
|         |               +----------------------------- User's group number
|         +--------------------------------------- Hash of user's password
+--------------------------------------------------- Username
- Username is the name under which the user logs in. Usually this is
accomplished by typing in the username at the username prompt and then
the password at the password prompt.
- Hash of user's password is the target of the cracking method. This is
what the hash of each word in the dictionary file is compared to.
- User's group number determines things such as access to certain files,
etc. Used more in the exploit technique
- User's number is basically identification for the system.
- User's real name is the name the user entered. Not used by the system,
but it provides a handy human-readable id of each user.
- User's home directory is the directory that they go to when they log
into the system.
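The three checks asked for above (empty password hash, UID 0 accounts other than root, accounts added since a known-good copy) as an added POSIX shell example that is not part of the original text; it follows the standard passwd(5) field order (UID in the third field, GID in the fourth) and the baseline file, the sample entries and the "toor"/"guest" accounts are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original text: audit a passwd-format file for empty
# password hashes, UID 0 accounts other than root, and accounts that were not in a
# baseline copy saved before the incident. Assumed field order (passwd(5)):
#   name:hash:uid:gid:gecos:home:shell
# Print "EMPTY_PASSWORD <name>" for every entry whose hash field is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print "EMPTY_PASSWORD", $1 }' "$1"
}
# Print "UID0 <name>" for every entry with UID 0 that is not root.
extra_uid0_accounts() {
    awk -F: '$3 == "0" && $1 != "root" { print "UID0", $1 }' "$1"
}
# Print "NEW_ACCOUNT <name>" for usernames in the current file ($2) that are
# absent from the baseline ($1); NR == FNR holds only while reading the baseline.
new_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next }
             !($1 in seen) { print "NEW_ACCOUNT", $1 }' "$1" "$2"
}
# Run all three checks against baseline $1 and current file $2; print the
# findings and return 1 if there were any, 0 if the file is clean.
audit_passwd() {
    findings=$( {
        empty_password_accounts "$2"
        extra_uid0_accounts "$2"
        new_accounts "$1" "$2"
    } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
# Constructed sample files standing in for the saved baseline and the live
# /etc/passwd: "toor" has an empty hash and UID 0, "guest" was given UID 0.
BASELINE=$(mktemp); CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT
cat > "$BASELINE" <<'EOT'
root:x:0:0:root:/root:/bin/sh
johnsmith:naVwowMManasMMo:10:200:John Smith:/users/johnsmith:/bin/bash
EOT
cat > "$CURRENT" <<'EOT'
root:x:0:0:root:/root:/bin/sh
johnsmith:naVwowMManasMMo:10:200:John Smith:/users/johnsmith:/bin/bash
toor::0:0:backdoor:/:/bin/sh
guest:abc:0:100:Guest:/home/guest:/bin/sh
EOT
audit_passwd "$BASELINE" "$CURRENT" || echo "passwd audit: review the findings above"
```

On a real system the baseline would be a copy of /etc/passwd kept offline (or its hash in an integrity database), and the current file would be /etc/passwd itself.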
EOF.
Security continued...
Check your system and network configuration files for unauthorized entries. In particular, look for '+' (plus sign) entries and inappropriate non-local host names in /etc/hosts.equiv, /etc/hosts.lpd, and in all
.rhosts files (especially root, uucp, ftp, and other system accounts) on the system. These files should not be world-writable. Furthermore, confirm that these files existed prior to any intrusion and were not
created by the intruder.
Look everywhere on the system for unusual or hidden files (files that start with a period and are normally not shown by 'ls'), as these can be used to hide tools and information (password cracking programs, password
files from other systems, etc.). A common technique on UNIX systems is to put a hidden directory in a user's account with an unusual name, something like '...' or '.. ' (dot dot space) or '..^G' (dot dot control-G).
Again, the find(1) program can be used to look for hidden files, for example:
find / -name ".. " -print -xdev
find / -name ".*" -print -xdev | cat -v
Note: /tmp/... and /etc/... are the most commonly used tool directories for "script kiddies".
Finding setuid & setgid files:
Look for setuid and setgid files (especially setuid root files) everywhere on your system. Intruders often leave setuid copies of /bin/sh or /bin/time around to allow them root access at a later time. The UNIX
find(1) program can be used to hunt for setuid and/or setgid files. For example, you can use the following commands to find setuid root files and setgid kmem files on the entire file system:
find / -user root -perm -4000 -print
find / -group kmem -perm -2000 -print
Note that the above examples search the entire directory tree, including NFS/AFS mounted file systems. Some find(1) commands support an "-xdev" option to avoid searching those hierarchies. For example:
find / -user root -perm -4000 -print -xdev
At this point you need to make sure all the directories where users can write are either mounted "-nosuid" or have been chmod'ed in such a way that only the root user can write to them. By default FreeBSD will
have only one you should be concerned with: /var/spool/uucppublic. You can either mount your /var filesystem "-nosuid" or just do:
chmod o-w /var/spool/uucppublic
If you want to find all your writable directories, issue:
find / -perm -0777 -type d -ls
As the man page points out, having a suid/sgid wrapper will make mounting your other filesystems nosuid useless. Find out what files are installed on your system as setuid or setgid. To do that, use find(1):
find / -perm -2000 -ls
find / -perm -4000 -ls
Note: This is NOT a complete security audit of the system. This is only a safety reference.
Done by obscure_