changing root password with Knoppix? - Security



Thread: changing root password with Knoppix?

  1. Re: changing root password with Knoppix?


    John Stumbles wrote:
    > On Tue, 18 Apr 2006 17:10:06 -0700, news@celticbear.com wrote:
    >
    > >> >It was recommended I use Knoppix to change the root password. I found
    > >> >a thread where Lew P. instructed someone how to delete the root
    > >> >password:
    > >>
    > >> >
    > >> >Boot up with Knoppix, and log on as root Mount your hd somewhere
    > >> >Edit the HD /etc/passwd
    > >> > - delete the second field of the 'root' password entry (the text
    > >> > between the first and second colons), so that the entry looks
    > >> > something like
    > >> > root::0:0::/root:/bin/bash
    > >> > - save this change, and exit the editor
    > >> >Unmount your hard disk
    > >> >Log out
    > >> >Reboot from your HD
    > >>
    > >> Uh, what this does is to remove the root password entirely. What you
    > >> would be better off doing is to use knoppix to set another root
    > >> password. and then copy that into /etc/shadow.
    > >
    > > Right, that was my problem. =) I want to be able to change it, not just
    > > remove it.
    > > So I ask, how do you change it in knoppix for the system in question? I
    > > just played around with it a little, and found the HD's are in read-only
    > > mode when booted up with knoppix. I tried to re-mount them manually,
    > > but the traditional:
    > > mount -t ext3 /mnt/hda2 /hda
    > > doesn't work in a read-only mode.
    > > Probably need to mount the "something" to a "somewhere" in the ramdrive?
    > > Oh, well, I'll figure it out!
    >
    > I really wouldn't bother changing root's password: as others have
    > pointed out the system is possibly so compromised a complete reinstall is
    > the only right thing to do.
    >


    Yeah, pretty much pounded into submission on that one. =)

    > But for future reference I recall the last time I played with
    > Knoppix you could just right-click on the icons for the hdds it finds and
    > tell it to remount them read-write. Or use option remount to the mount
    > command.


    Ah! I didn't see that. Will have to take a look. Will certainly make a
    lot of things easier!!

    > I think you could do 'passwd' as user knoppix and change the password hash
    > for user knoppix, which you would then find in /etc/shadow (or maybe
    > /etc/passwd) on the ram-based file system knoppix sets up, and cut&paste
    > that into the /etc/shadow passwd hash for root on the hdd. (There's
    > probably a cleaner way but I can't think what command gives you a passwd
    > hash directly.) That's how you'd hack yourself out of losing the root
    > password on a system.


    OK, sounds reasonable.
    Thanks for the reply! Really appreciated. =)
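John's suggestion, producing the hash on the rescue system and pasting it into the hard disk's /etc/shadow, done with a script instead of a cut-and-paste. This is an added example, not code from the thread: it assumes the target partition is already remounted read-write (`mount -o remount,rw` as John describes, or `mount -t ext3 /dev/hda2 /mnt/hda2`), that the rescue system has OpenSSL 1.1.1 or later for `openssl passwd -6`, and the function names and the `/mnt/hda2` path are mine. As the thread says, this is for a lost root password on a system you still trust; a box that may be rooted gets a reinstall.

```shell
#!/bin/sh
# Added example: replace root's password hash in an offline /etc/shadow
# instead of blanking the password field in /etc/passwd.
# Assumes the target root filesystem is mounted read-write on the rescue system:
#   mount -t ext3 /dev/hda2 /mnt/hda2        (or: mount -o remount,rw /mnt/hda2)
set -eu

# make_hash: reads a password on stdin and prints a SHA-512 crypt(3) hash.
# Assumes OpenSSL 1.1.1+ on the rescue system. The thread's alternative,
# running passwd as user knoppix and copying the hash out of the ramdisk's
# /etc/shadow, yields the same kind of string.
make_hash() {
    openssl passwd -6 -stdin
}

# set_shadow_hash FILE USER HASH
# Rewrites field 2 (the hash) of USER's entry and field 3 (days since the
# epoch of the last change) in a shadow-format FILE, keeping the other seven
# fields. Works on a copy that inherits FILE's mode, then renames it over FILE
# so a half-written shadow file is never left behind. Returns 1 if USER is absent.
set_shadow_hash() {
    file=$1; user=$2; hash=$3
    days=$(( $(date +%s) / 86400 ))
    tmp="$file.tmp.$$"
    cp -p "$file" "$tmp"
    if awk -F: -v OFS=: -v u="$user" -v h="$hash" -v d="$days" '
            $1 == u { $2 = h; $3 = d; found = 1 }
            { print }
            END { exit found ? 0 : 1 }' "$file" > "$tmp"
    then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"
        return 1
    fi
}

# get_shadow_hash FILE USER: prints the stored hash so the change can be checked.
get_shadow_hash() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Typical use on the rescue system (interactive, so not run automatically here):
#   h=$(make_hash)                                  # type the new password
#   set_shadow_hash /mnt/hda2/etc/shadow root "$h"
#   get_shadow_hash /mnt/hda2/etc/shadow root       # confirm, then umount
```

The hash is passed to awk through `-v` rather than interpolated into the program text, so the `$` characters in a crypt string are never seen by the shell or awk as variables. Unmount the disk before rebooting so the edit is actually flushed.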


  2. Re: changing root password with Knoppix?


    Unruh wrote:
    > "news@celticbear.com" writes:
    >
    >
    > >Unruh wrote:
    > >> "news@celticbear.com" writes:

    [..]
    > >> rpm -Va|grep '^..5'>/tmp/verify
    > >> to find all files which have changed since you installed them. (actually

    [..]
    > >OK, so I run that RPM verification and get results like:
    >
    > >S.5....T c /usr/share/sgml/docbook/xmlcatalog
    > >SM5....T /etc/tripwire/twpol.txt
    > >S.5....T c /etc/cron.d/portsentry
    > >S.5....T c /etc/portsentry/portsentry.conf
    >
    > It means that each of those files have changed since they were installed.
    > Now, configuration files should be changed. But check them to make sure
    > that that is what they are. And look for executable files that have
    > changed.
    >

    Yeah, I didn't think (duh!) until later to do that, man rpm that is. =/
    For some reason I had it in my head that with the grep and sending it
    to a file output for some reason that was a unique... nevermind. I just
    wasn't thinking.

    Would something legit and innocent cause non-config files to change?
    Like if an RPM package that came on the distro was updated or
    reinstalled using a source package? Or using yum to upgrade a package,
    esp. from say FreshRPMs instead of the FedoraCore RPM server?

    [..]
    > >This is some great info I'm definitely going to keep track of for the
    > >future.
    > >Well, I'm going to keep looking to see what the extent of the possible
    > >damage is, just so I know... but the machine is going bye-bye in two
    > >days.
    >
    > >I'm going to be installing tripwire in the new Slackware setup. Tried a
    > >test install on this machine, but uh... looks like I'm going to have to
    > >do some searching to see how to do it right, it looks like. =) And USE
    > >it to look for changes!
    >
    > rpm -V IS tripwire from the installation. Of course you should protect the
    > rpm database from being changed (/var/lib/rpm/*)
    >

    Oh! Maybe that's one reason I'm having a pain installing tripwire. =/
    What do you recommend to protect it? Copy that directory to CD or
    something, then copy it back to do the -V?
    Does a nightly yum update affect this? (I guess I can find out tomorrow
    and see.)
    >
    > >[..snip..]
    >
    > >> >It was recommended I use Knoppix to change the root password. I found a
    > >> >thread where Lew P. instructed someone how to delete the root password:
    > >>
    > >> >
    > >> >Boot up with Knoppix, and log on as root
    > >> >Mount your hd somewhere
    > >> >Edit the HD /etc/passwd
    > >> > - delete the second field of the 'root' password entry (the text
    > >> > between the first and second colons), so that the entry looks
    > >> > something like
    > >> > root::0:0::/root:/bin/bash
    > >> > - save this change, and exit the editor
    > >> >Unmount your hard disk
    > >> >Log out
    > >> >Reboot from your HD
    > >>
    > >> Uh, what this does is to remove the root password entirely. What you would
    > >> be better off doing is to use knoppix to set another root password. and
    > >> then copy that into /etc/shadow.
    >
    > >Right, that was my problem. =) I want to be able to change it, not just
    > >remove it.
    > >So I ask, how do you change it in knoppix for the system in question?
    > >I just played around with it a little, and found the HD's are in
    > >read-only mode when booted up with knoppix. I tried to re-mount them
    > >manually, but the traditional:
    > >mount -t ext3 /mnt/hda2 /hda
    >
    > mount -t ext3 /dev/hda2 /hda
    > is what you wanted
    >

    Ah, yeah. This whole thing has me rattled, I'm forgetting obvious and
    simple things. =/
    Thanks for replying!
    I appreciate the feedback.
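Unruh's reading of the `rpm -Va | grep '^..5'` output, turned into a small triage script. This is an added example, not code from the thread: the sample lines reuse the four paths posted above plus three constructed ones (`/bin/ls`, `/usr/bin/xterm`, a missing `sshd`) to show every class, and the function names are mine. The verification itself is best run from the rescue OS against the mounted disk (`rpm -Va --root /mnt/hda2`) rather than with the suspect system's own `rpm`.

```shell
#!/bin/sh
# Added example: sort `rpm -V` output into config edits versus files that need
# a closer look. Column layout as in the thread: S size, M mode, 5 MD5 digest,
# D device, L symlink, U user, G group, T mtime; a trailing "c" marks a file
# the package declares as configuration.
set -eu

# Constructed sample: the four lines from the thread plus three made-up ones.
sample_output() {
    cat <<'EOF'
S.5....T c /usr/share/sgml/docbook/xmlcatalog
SM5....T /etc/tripwire/twpol.txt
S.5....T c /etc/cron.d/portsentry
S.5....T c /etc/portsentry/portsentry.conf
S.5....T /bin/ls
.......T /usr/bin/xterm
missing   /usr/sbin/sshd
EOF
}

# triage_rpm_verify: reads rpm -V lines on stdin, writes one "CLASS path" line
# per input line:
#   MISSING  the packaged file is gone
#   NOTE     only mtime or device differ (flags T/D): usually benign
#   CONFIG   content or attributes changed on a file marked "c": expected after
#            local edits, but still read the diff against the packaged copy
#   SUSPECT  content or attributes changed on a non-config file: a modified
#            binary or library is exactly what a rootkit leaves behind
triage_rpm_verify() {
    awk '
        /^missing/ { print "MISSING " $NF; next }
        {
            flags = $1
            if ($2 ~ /^[cdglr]$/) { type = $2; path = $3 } else { type = ""; path = $2 }
            if (flags !~ /[^.TD]/)   print "NOTE " path
            else if (type == "c")    print "CONFIG " path
            else                     print "SUSPECT " path
        }'
}

# suspects: only the paths that need a manual look, one per line.
suspects() {
    triage_rpm_verify | awk '$1 == "SUSPECT" { print $2 }'
}

# Stand-alone run over the constructed sample; for a real disk use
#   rpm -Va --root /mnt/hda2 | triage_rpm_verify
sample_output | triage_rpm_verify
```

On the thread's own lines this flags `/etc/tripwire/twpol.txt` for a manual look: it is under /etc but the package did not mark it as config, so a content change is not automatically explained. A package upgraded from a third-party repository (the FreshRPMs question) replaces the database entry as well as the file, so it does not show up here; only files changed outside rpm do.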


  3. Re: changing root password with Knoppix?


    ray wrote:
    > On Wed, 19 Apr 2006 02:32:57 +0000, Cameron L. Spitzer wrote:
    >
    > > In article , ray wrote:
    > >>
    > >> If you 'chroot' to the affected system after booting a Live CD and then
    > >> change the password, I think you may be home free.
    > >
    > > I don't think so. Once you chroot to the compromised system,

    [..]
    >
    > You're right. But the only thing you need to run is passwd - then exit or
    > pull the plug. There is the chance that passwd may be compromised, but
    > maybe not.
    >
    > > You might be lucky and the intruder is just a spam
    > > criminal looking for another bot-controller. But luck
    > > is not a security discipline. Like the other guy

    [..]

    Thanks for the replies and advice guys!
    Much appreciated!


  4. Re: changing root password with Knoppix?

    In article , ray wrote:
    > On Wed, 19 Apr 2006 02:32:57 +0000, Cameron L. Spitzer wrote:
    >
    >> In article , ray wrote:
    >>>
    >>> If you 'chroot' to the affected system after booting a Live CD and then
    >>> change the password, I think you may be home free.
    >>
    >> I don't think so. Once you chroot to the compromised system,
    >> every thing you run will be a possibly/probably compromised
    >> binary sharing compromised libraries through a compromised
    >> linking loader. You're running the stuff your PATH finds
    >> in the chroot, not the stuff you left behind.
    >> You can't trust executables on the compromised machine, period.
    >> They may not even be the same compromised executables
    >> they were before you ran the intruder's shutdown(8).
    >>
    >
    > You're right. But the only thing you need to run is passwd - then exit or
    > pull the plug. There is the chance that passwd may be compromised, but
    > maybe not.


    Maybe you've got a specially built Linux installation where
    passwd(8) is a statically linked binary that just makes
    kernel calls. On my systems, passwd is built
    the same way everything else is, so it links at run time to the
    common /lib/libc.so.6 which is a symlink to libc-2.3.2.so.
    That's one of the executables most likely to be messed with,
    because just about everything uses it.
    Likewise /lib/ld-linux.so.2.
    passwd is a pretty good candidate, too, because the
    intruder may want to steal passwords as they are changed.

    This intruder is most plausibly using a root kit, not starting
    from scratch on this particular victim's box.
    The first goal of the root kit is not to be detected.
    The next goal is to *keep* control of the compromised box.
    They've most likely messed with *every* utility you might
    use to reclaim the box. That's everything you could use to
    try to copy in uncompromised files from another machine.
    Everything that might help you see the root kit's parts.
    Everything you might use to change access authorizations.
    Not just passwd, but /lib/libpam.so.0 and /usr/sbin/sshd.
    That's what root kits are *for*.


    Cameron



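Two points in this thread call for the same tool: Unruh's advice to protect /var/lib/rpm from being changed (and the follow-up question of whether to copy it to CD), and Cameron's point that nothing run from inside the compromised tree, passwd, libc.so.6, ld-linux.so.2, libpam.so.0 or sshd, can be trusted. The script below is an added example, not from any poster: it hashes files from the rescue OS with the disk mounted read-only and noexec, writes the manifest to removable media, and compares on a later boot. It assumes `sha256sum` on the rescue system; the function names and the `/mnt/hda2` and `/media/usb` paths are mine.

```shell
#!/bin/sh
# Added example: offline integrity manifest taken from a rescue system.
# The suspect disk is mounted so nothing on it can execute, and every tool
# used here (find, sha256sum, sort) comes from the rescue OS:
#   mount -o ro,noexec,nosuid,nodev /dev/hda2 /mnt/hda2
set -eu

# make_manifest ROOT PATH...
# Prints "sha256  /path" lines for every regular file under each PATH, with
# paths relative to ROOT and sorted so two manifests can be diffed directly.
# Symlinks themselves are not hashed; their targets (e.g. libc-2.3.2.so next
# to the libc.so.6 link) are, as long as they live under one of the PATHs.
make_manifest() {
    root=$1; shift
    for p in "$@"; do
        find "$root$p" -type f -print
    done | LC_ALL=C sort | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "${f#$root}"
    done
}

# check_manifest ROOT MANIFEST
# Re-hashes every file listed in MANIFEST under ROOT and prints a
# "CHANGED /path" or "MISSING /path" line for each mismatch.
# Returns 1 if anything differed, 0 if the tree still matches.
check_manifest() {
    root=$1; manifest=$2; bad=0
    while read -r want rel; do
        f="$root$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING $rel"; bad=1; continue
        fi
        have=$(sha256sum "$f" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "CHANGED $rel"; bad=1; }
    done < "$manifest"
    return $bad
}

# Typical use (not run automatically here):
#   make_manifest /mnt/hda2 /var/lib/rpm /lib /bin /sbin /usr/sbin \
#       > /media/usb/hda2-manifest.sha256          # right after install
#   check_manifest /mnt/hda2 /media/usb/hda2-manifest.sha256   # later boots
```

Taking the first manifest immediately after installation, before the machine is on the network, gives a baseline that does not depend on the on-disk rpm database at all, which answers the "copy that directory to CD" question: keep the hashes, not just the database, off the machine. A nightly yum update will legitimately change /var/lib/rpm and the updated binaries, so the manifest has to be refreshed after each update, from the rescue system, and the diff between the old and new manifest read before it is accepted.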
