
Linux Security Question : Root Password


11 replies to this topic

#1 Agent_Orange

  • Members
  • 103 posts
  • Gender:Male
  • Location:Brisbane, Australia

Posted 16 May 2016 - 01:33 AM

Hi all, I came across an article in relation to compromising a Linux system with ease and was wondering if someone could take a look at it and advise if it makes sense and is useful in helping to strengthen your machine's security.

Here is the link for the article : http://www.tecmint.com/how-to-hack-your-own-linux-system/

 

I simply do not know enough about Linux or what this chap is talking about to know if what is being suggested is sound.

Below is a simple example of what I mean

 

 

Now using the 'passwd' command we can change the root password. And once you have the root password you own the Linux machine.

 

Does Linux allow you to change a Root password without actually knowing what the current root password is? (seems like that is what is being suggested here).

 

I would really like to know more about protecting my machine above and beyond the simple measures that I already have in place (i.e. an uncomplicated firewall with some added rules, no script for my Firefox browser, permissions set to read only for my files, router reset to default factory settings regularly, and a password set up for my BIOS).

 

Any help with the above or security tips to help strengthen overall system security would be greatly appreciated.

Thank you.





#2 Condobloke

    Outback Aussie @ 54.2101 N, 0.2906 W

  • Members
  • 6,085 posts
  • Gender:Male

Posted 16 May 2016 - 01:56 AM

You raise an interesting point there.....I have not yet read the article.....but I did type passwd into the terminal; it then asked for the current password (it does not display the password when it is typed in Linux), and only then asked for the new password.

 

As a newcomer to linux I will be more than interested in others replies.


Condobloke ...Outback Australian  fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3  EXCLUSIVELY.

“A man travels the world in search of what he needs and returns home to find it."

It has been said that time heals all wounds. I don't agree. The wounds remain. Time - the mind, protecting its sanity - covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy


 

 


#3 NickAu

    Bleepin' Fish Doctor

  • Moderator
  • 13,563 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 16 May 2016 - 01:59 AM

Let me put it this way: if I have physical access to your machine I can do whatever I like. The easiest way is to boot from live media and mount the hard drive; from there I can do anything, including change the root password. This also applies to Windows and Mac.

 

The only way to prevent the above is with full disk encryption.



#4 Agent_Orange
  • Topic Starter

  • Members
  • 103 posts
  • Gender:Male
  • Location:Brisbane, Australia

Posted 16 May 2016 - 02:06 AM

Thanks for your responses.

NickAu, so this chap and his article assumes that the person has physical access to the machine?

Could this access be gained another way?

For example, if a Trojan that is designed for Linux lands on your machine and provides the attacker with access to it via a back door - can I assume that the attacker in this instance can do exactly as you state above?

 

PS. I have read the articles that you have posted in relation to security; they are helpful, however, I am looking for Linux-specific security (I don't care about Secunia, Anti Virus etc.) - could you point to a good post that has Linux-specific security tips and advice?

 

Thank you.


Edited by Agent_Orange, 16 May 2016 - 02:13 AM.


#5 mremski

  • Members
  • 498 posts
  • Gender:Male
  • Location:NH

Posted 16 May 2016 - 02:08 AM

Reading the article, it was much what I expected.  The first "trick" is reboot, stop in GRUB, edit the command line, boot into single user mode and run the passwd command.  The second is reboot, stop in GRUB, modify the command line, boot into a bash shell and run the passwd command.

 

The author of the article forgot:

Reboot the system into a Live CD or USB, mount the old root partition, replace the contents of the passwd file with something you know.  Or add a new user to the wheel group.

 

As Nick says, if someone has physical access to your system, they can do what they want.  Notice that all the "tricks" the author enumerated require physical access, they are not remote exploits.

 

That said there are valid points in the article, the biggest one is implied:

If your system reboots make sure you know why.  If you leave it on all the time, a simple uptime will tell you, otherwise take a look at the output of dmesg, looking for indications of a reboot.

 

If your system is completely setup and you do not need to add new passwords:

chmod a-w on /etc/passwd and related files (shadow password file, etc)  so it can't be written

chmod a-x on /usr/bin/passwd (it may be in a different place) so it can't be executed

 

Agent_Orange:

One could edit the grub.conf file, set it up to boot into single user, and  reboot the machine remotely, but then they can't complete the second part remotely.  If they have that ability, they would simply modify the passwd file remotely.  Single user does not bring up network interfaces.

Remotely edit the grub.conf to boot into bash, and reboot: again, yes, but without physical access they can't do the remaining steps because, the network interfaces are down.  Once more, if they can remotely edit grub.conf, they would do other things to get access.


Edited by mremski, 16 May 2016 - 02:12 AM.

FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#6 NickAu

    Bleepin' Fish Doctor

  • Moderator
  • 13,563 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 16 May 2016 - 02:13 AM

The author says:

 

Press any key to interrupt the boot, as soon as Linux machine boots and you will get a GRUB menu.

This means sitting in front of the machine so physical access is needed in this case.

 

Could a trojan do similar? I do not know. However, I do know that once a trojan is on your system the hacker has access to your machine and can do anything. This also applies to Windows and Mac, with Windows being the most vulnerable.



#7 Agent_Orange
  • Topic Starter

  • Members
  • 103 posts
  • Gender:Male
  • Location:Brisbane, Australia

Posted 16 May 2016 - 02:52 AM

Thank you very much for your responses - very helpful of you guys.

 

 

I have used a Linux OS for approx. two years now but have not spent enough time on learning about the machine that I am using.

 

For me Linux was a secure, low-maintenance alternative to Windows in that Anti Virus, Malware & Spyware software are not needed (and therefore are not going to place a drain on your PC's resources), there is no requirement for pain-in-the-butt tasks like disk defragmentation, and no need for a host of third-party software like Secunia.

 

I am a little suspicious that my machine has been or is compromised but do not know how to investigate on a Linux OS.

 

In the past using Windows I would simply wipe the HDD and reinstall the OS (using Combo Fix etc was just too time consuming, too messy and could not guarantee a clean bill of health like a wipe & reload can).

 

But I am using Linux, perhaps there is another way to see the issue and resolve it?


 


 



#8 Al1000

  • Global Moderator
  • 7,979 posts
  • Gender:Male
  • Location:Scotland

Posted 16 May 2016 - 03:35 AM

Please feel free to start a new thread, explaining what specifically makes you suspicious that your machine has been compromised.


Edited by Al1000, 16 May 2016 - 03:38 AM.


#9 Agent_Orange
  • Topic Starter

  • Members
  • 103 posts
  • Gender:Male
  • Location:Brisbane, Australia

Posted 16 May 2016 - 06:06 AM

Thanks Al1000,

 

 

Please feel free to start a new thread, explaining what specifically makes you suspicious that your machine has been compromised.

 

I am reluctant to do so, here is why....

 

 

Right now I do not have anything that I can take a screenshot of, post on this forum and ask someone to cast their technical eye over what they see.

 

If there are tools that can be used for diagnosis of issues in a Linux OS I do not know what they are or how to use them. For example, I have seen Wireshark but have no idea as to how to use it or how to interpret the data.

 

The reasons I believe that my machine may have been or possibly is compromised are as follows......

 

1. I recently noticed a declined payment on a pre-paid "throw away" credit card that I use - it was an attempted purchase from an H & M store in London. Whilst I do not have the card details stored on my PC I have used it to make online purchases in the last few months. I understand that this does not confirm that my machine is compromised, but it could be.

2. Whilst playing ARMA3 recently I started hearing my character calling out targets (e.g. Rifleman, 700 metres, South West). This only happens when you are a part of a squad; I was playing the game solo, in fact the only person on the server.

Again, I understand that this does not confirm that I have a compromised machine - could have been anything, but it is strange that it would happen.

 

3. PC started shorting out at start up from the case. I fixed it, but I am not sure if that affected the boot order; I found that I had to change it back to my HDD. I am a bit vague on this next part but I saw a black screen advising that overclocking had failed (or something like that).

So, as you can see, I do not have anything in the way of a report or anything like that which shows some kind of abnormality to anyone - the first point is a concern but that could have been a dishonest merchant, not necessarily a hacker.

 

I do not want to waste anyone's time here so thought it would be best to either upgrade to Linux Mint 17.3 (and wipe the HD in the process) or try another distro (I have a post about one).

 

Thanks for your assistance, greatly appreciated.


Edited by Agent_Orange, 16 May 2016 - 06:10 AM.


#10 DeimosChaos

  • BC Advisor
  • 1,420 posts
  • Gender:Male
  • Location:United States, Delaware

Posted 17 May 2016 - 08:05 AM

I think your Linux OS is fine.

 

1. It's a throw-away card, so not too big a deal. Plus you used it on online sites. It's more possible that someone was hacking those sites than hacked your PC. Though there is still a possibility that your router could have been compromised, DNS poisoning or the like, creating a man-in-the-middle attack.

 

2. It's a game... probably was just a bug that popped up. I wouldn't worry about that.. plus I thought you could shout orders to bots to do stuff?

 

3. Hardware issues.. nothing to do with your OS being compromised.


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#11 Agent_Orange
  • Topic Starter

  • Members
  • 103 posts
  • Gender:Male
  • Location:Brisbane, Australia

Posted 17 May 2016 - 10:49 PM

Thank you for the reassurance DeimosChaos.



#12 som3body

  • Members
  • 7 posts
  • Gender:Male
  • Location:Slovakia

Posted 18 May 2016 - 09:54 AM

Sometimes you can check who is logged in on your machine and when. Use these commands:

#last

#lastlog

 

Or check the auth.log according to your OS:

 

#cat /var/log/auth.log on DEBIAN
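The checks mremski (post #5: an unexplained reboot, chmod a-w on /etc/passwd and /etc/shadow, chmod a-x on /usr/bin/passwd) and som3body (post #12: last, lastlog, auth.log) describe, turned into a small read-only audit script. This is an added example and not code from the thread or the tecmint article; the auth.log lines, host name, user "alice" and the documentation-range IP addresses are constructed, and /proc/uptime is assumed to be present (Linux).

```shell
#!/bin/sh
# Added example (not from the thread): read-only checks behind the advice above.
# The log excerpt is constructed in a Debian auth.log style with documentation IPs.
SAMPLE_AUTH_LOG='May 16 01:33:01 host sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2
May 16 01:34:12 host sshd[1210]: Failed password for root from 198.51.100.7 port 40022 ssh2
May 16 01:34:15 host sshd[1210]: Failed password for root from 198.51.100.7 port 40022 ssh2
May 16 01:35:40 host su[1300]: Successful su for root by alice
May 16 01:36:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd'

# Successful ssh logins in the log on stdin ("|| :" keeps the 0 count when
# grep finds nothing, instead of its non-zero exit status).
count_accepted() { grep -c 'sshd\[[0-9]*\]: Accepted ' || : ; }

# Failed password attempts against root: a red flag on a home box whose ssh
# should not be reachable from outside at all.
count_failed_root() { grep -c 'Failed password for root' || : ; }

# Every user who became root via su or sudo, one name per line.
root_escalations() {
    awk '/su\[[0-9]*\]: Successful su for root by/ { print $NF }
         /sudo: / && /USER=root/                { print $6 }'
}

# Whole days since boot from a /proc/uptime-style file (first field = seconds):
# mremski's "if your system reboots make sure you know why".
days_up() { awk '{ print int($1 / 86400) }' "${1:-/proc/uptime}"; }

# "yes" if any user class still has the given bit (w or x) on the file: the
# check behind "chmod a-w" on /etc/passwd and /etc/shadow and "chmod a-x" on
# /usr/bin/passwd. Uses ls rather than GNU stat so it runs on any Unix.
has_bit() {
    case "$(ls -ld "$1" | cut -c2-10)" in
        *"$2"*) echo yes ;;
        *)      echo no ;;
    esac
}

# Stand-alone run: the constructed sample, then the live system if present.
echo "accepted logins:    $(printf '%s\n' "$SAMPLE_AUTH_LOG" | count_accepted)"
echo "failed root logins: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | count_failed_root)"
echo "became root:        $(printf '%s\n' "$SAMPLE_AUTH_LOG" | root_escalations | sort -u | tr '\n' ' ')"
if [ -r /proc/uptime ]; then echo "days since boot:    $(days_up)"; fi
for f in /etc/passwd /etc/shadow; do
    if [ -e "$f" ]; then echo "$f writable: $(has_bit "$f" w)"; fi
done
if [ -e /usr/bin/passwd ]; then echo "/usr/bin/passwd executable: $(has_bit /usr/bin/passwd x)"; fi
```

Pipe your real log into the functions (`sudo cat /var/log/auth.log | root_escalations`) to see who has actually become root; on a single-user desktop any name you do not recognise, or any root login you did not make, is worth a closer look.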





