The second and most important root escalated-privilege flag was taken by ATB, known as Arkaic on the Freenode PlugLabs IRC. The escalated permissions were obtained after running the default password shadow file on a FC system through John the Ripper to obtain "nobody" (whose default /etc/passwd shell had been changed from /bin/nologin to /bin/bash by a clueless and highly paid Drupal "developer" who was trying to get ftp to work: "Um....file transfer from Drupal is ftp, right...?"). ATB then found that there was a backup of the shadow file containing the root hash, with readable permissions (silly admins never set their UMASK right!), and that the pam.d directory also had writable things in it (su). After these easy actions, including running the /etc/shadow-bak file through John the Ripper [type yum install john] to get the root 4-digit numerical password, I believe ATB was resourceful enough to try "sudo" from nobody, which the admin had, in his haste, set in /etc/sudoers to ALL (ALL) ALL rather than designate each and every one of the developers, since they were in a $REALBIGHURRY to get the site up. I believe ATB, in his wisdom, then endeavored to add a few backdoors, and possibly a rootkit, but we have to do our full forensics for a full determination of all FLAGS obtained by his actions.
Dec 14 17:01:48 spider useradd[21049]: new group: name=waldo, GID=508
Dec 14 17:01:48 spider useradd[21049]: new user: name=waldo, UID=508, GID=508, home=/home/waldo, shell=/bin/bash
Dec 14 17:01:54 spider passwd: PAM unable to dlopen(/lib/security/pam_gnome_keyring.so): /lib/security/pam_gnome_keyring.so: cannot open shared object file: No such file or directory
Dec 14 17:01:54 spider passwd: PAM adding faulty module: /lib/security/pam_gnome_keyring.so
Dec 14 17:02:01 spider passwd: pam_unix(passwd:chauthtok): password changed for waldo
Dec 14 17:03:49 spider su: pam_unix(su-l:session): session closed for user root
Dec 14 17:03:52 spider sudo: nobody : TTY=pts/5 ; PWD=/ ; USER=root ; COMMAND=/bin/su -
Dec 14 17:03:52 spider su: pam_unix(su-l:session): session opened for user root by nobody(uid=0)

nobody   pts/5    ip70-176-228-90.   16:55    1:09   0.20s  0.04s  sshd: nobody [priv]

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | (503)754-4452
Catch the January PLUG HackFest! Kristy Westphal, CSO for the AZ Department of Economic Security, will provide a one hour presentation on forensics 1/10/09 Noon at UAT.edu.
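As an added example that is not part of the original post or the HackFest box, here is a small POSIX shell audit that checks a root tree for the four misconfigurations the write-up describes (nobody with a real login shell, a world-readable shadow backup, writable files under /etc/pam.d, and a sudoers rule whose user field is ALL) and then pulls the matching trail (sudo to root from a service account, new user creation) out of a /var/log/secure style file. The sample tree built by build_sample_tree is constructed data; the log lines in it are modelled on the ones quoted above. It assumes the post's "ALL (ALL) ALL" means a rule of the form "ALL ALL=(ALL) ALL", and treats nologin and false as the only locked shells.

```shell
#!/bin/sh
# Added audit/detection example (not from the original post). On a live box:
#   audit_tree / ; scan_secure_log /var/log/secure

# 1. nobody should not have a login shell (assumption: nologin/false are "locked").
audit_nobody_shell() {
  awk -F: '$1 == "nobody" && $7 !~ /(nologin|false)$/ {
      print "NOBODY_SHELL " $1 " has shell " $7 }' "$1/etc/passwd"
}

# 2. shadow backups (shadow-, shadow-bak, shadow.old ...) readable by others.
audit_shadow_backups() {
  find "$1/etc" -maxdepth 1 -name 'shadow*' -type f -perm -004 \
    -exec sh -c 'printf "SHADOW_READABLE %s\n" "$1"' _ {} \;
}

# 3. PAM config writable by group or world: whoever can edit pam.d/su can
#    make su hand out root without a password.
audit_pam_writable() {
  find "$1/etc/pam.d" -type f \( -perm -002 -o -perm -020 \) \
    -exec sh -c 'printf "PAM_WRITABLE %s\n" "$1"' _ {} \;
}

# 4. sudoers rules whose user field is ALL: every account, nobody included,
#    may run anything as root. Comments and Defaults lines do not match.
audit_sudoers_all() {
  for f in "$1/etc/sudoers" "$1"/etc/sudoers.d/*; do
    [ -f "$f" ] || continue
    grep -nE '^[[:space:]]*ALL[[:space:]]+[^=]+=' "$f" | sed "s|^|SUDOERS_ALL $f:|"
  done
}

audit_tree() {
  audit_nobody_shell "$1"
  audit_shadow_backups "$1"
  audit_pam_writable "$1"
  audit_sudoers_all "$1"
}

count_findings() { audit_tree "$1" | wc -l | tr -d ' '; }

# Detection side: sudo-to-root from a service account, and account creation,
# in the RHEL/Fedora /var/log/secure format.
scan_secure_log() {
  awk '
    / sudo: +(nobody|apache|www-data) .*USER=root/ { print "SUDO_FROM_SERVICE_ACCOUNT: " $0 }
    / useradd\[[0-9]+\]: new user: /                { print "NEW_USER: " $0 }
  ' "$1"
}

count_alerts() { scan_secure_log "$1" | wc -l | tr -d ' '; }

# Constructed sample tree reproducing the state described in the post.
build_sample_tree() {
  root=$1
  mkdir -p "$root/etc/pam.d" "$root/etc/sudoers.d" "$root/var/log"
  printf 'root:x:0:0:root:/root:/bin/bash\nnobody:x:99:99:Nobody:/:/bin/bash\n' \
    > "$root/etc/passwd"
  printf 'root:$1$xyz$notarealhash:14000:0:99999:7:::\n' > "$root/etc/shadow"
  chmod 600 "$root/etc/shadow"
  cp "$root/etc/shadow" "$root/etc/shadow-bak"
  chmod 644 "$root/etc/shadow-bak"              # the leaked backup
  printf 'auth sufficient pam_rootok.so\n' > "$root/etc/pam.d/su"
  chmod 666 "$root/etc/pam.d/su"                # the writable PAM file
  printf 'auth required pam_unix.so\n' > "$root/etc/pam.d/login"
  chmod 644 "$root/etc/pam.d/login"
  printf 'Defaults requiretty\nroot ALL=(ALL) ALL\nALL ALL=(ALL) ALL\n' \
    > "$root/etc/sudoers"
  chmod 440 "$root/etc/sudoers"
  # Constructed log lines modelled on the ones quoted in the post.
  cat > "$root/var/log/secure" <<'EOF'
Dec 14 17:01:48 spider useradd[21049]: new user: name=waldo, UID=508, GID=508, home=/home/waldo, shell=/bin/bash
Dec 14 17:02:01 spider passwd: pam_unix(passwd:chauthtok): password changed for waldo
Dec 14 17:03:52 spider sudo: nobody : TTY=pts/5 ; PWD=/ ; USER=root ; COMMAND=/bin/su -
Dec 14 17:03:52 spider su: pam_unix(su-l:session): session opened for user root by nobody(uid=0)
EOF
}
```

Running `build_sample_tree "$d"; audit_tree "$d"` on a scratch directory prints one line per leak (four on the sample tree); `scan_secure_log` on the sample log flags the useradd and the sudo-from-nobody lines while ignoring the su session messages. The permission tests use POSIX `-perm -NNN` so they work with the `find` shipped on older Fedora boxes as well as current ones.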