incidents-help_at_securityfocus.com
Date: Wed Jul 10 2002 - 09:18:19 CDT

    Hi! This is the ezmlm program. I'm managing the
    incidentssecurityfocus.com mailing list.

    I'm working for my owner, who can be reached
    at incidents-ownersecurityfocus.com.

    Messages to you from the incidents mailing list seem to
    have been bouncing. I've attached a copy of the first bounce
    message I received.

    If this message bounces too, I will send you a probe. If the probe bounces,
    I will remove your address from the incidents mailing list,
    without further notice.

    I've kept a list of which messages from the incidents mailing list have
    bounced from your address.

    Copies of these messages may be in the archive.

    To retrieve a set of messages 123-145 (a maximum of 100 per request),
    send an empty message to:
       <incidents-get.123_145securityfocus.com>

    To receive a subject and author list for the last 100 or so messages,
    send an empty message to:
       <incidents-indexsecurityfocus.com>

    Here are the message numbers:

       3624
       3615

    --- Enclosed is a copy of the bounce message I received.

    Return-Path: <>
    Received: (qmail 11995 invoked from network); 28 Jun 2002 21:33:52 -0000
    Received: from unknown (HELO securityfocus.com) (66.38.151.9)
      by lists.securityfocus.com with SMTP; 28 Jun 2002 21:33:52 -0000
    Received: (qmail 11805 invoked by alias); 28 Jun 2002 21:29:08 -0000
    Received: (qmail 11789 invoked from network); 28 Jun 2002 21:29:07 -0000
    Received: from 7of9.neohapsis.com (HELO mail.neohapsis.com) (207.227.243.97)
      by mail.securityfocus.com with SMTP; 28 Jun 2002 21:29:07 -0000
    Received: by mail.neohapsis.com (Postfix) via BOUNCE
            id 48B21D58AC; Fri, 28 Jun 2002 16:34:35 -0500 (CDT)
    Date: Fri, 28 Jun 2002 16:34:35 -0500 (CDT)
    From: MAILER-DAEMONneohapsis.com (Mail Delivery System)
    Subject: Undelivered Mail Returned to Sender

    MIME-Version: 1.0
    Content-Type: multipart/mixed;
            boundary="197E2D5916.1025300075/mail.neohapsis.com"
    Message-Id: <20020628213435.48B21D58ACmail.neohapsis.com>

    This is a MIME-encapsulated message.

    --197E2D5916.1025300075/mail.neohapsis.com
    Content-Description: Notification
    Content-Type: text/plain

    This is the Postfix program at host mail.neohapsis.com.

    I'm sorry to have to inform you that the message returned
    below could not be delivered to one or more destinations.

    For further assistance, please contact <postmasterneohapsis.com>

    If you do so, please include this problem report. You can
    delete your own text from the message returned below.

                            The Postfix program



    --197E2D5916.1025300075/mail.neohapsis.com
    Content-Description: Undelivered Message
    Content-Type: message/rfc822

    Received: from outgoing.securityfocus.com (outgoing2.securityfocus.com [66.38.151.26])
            by mail.neohapsis.com (Postfix) with ESMTP id 197E2D5916

    Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
            by outgoing.securityfocus.com (Postfix) with QMQP
            id C9CF88F295; Fri, 28 Jun 2002 14:35:34 -0600 (MDT)
    Mailing-List: contact incidents-helpsecurityfocus.com; run by ezmlm
    Precedence: bulk
    List-Id: <incidents.list-id.securityfocus.com>
    List-Post: <mailto:incidentssecurityfocus.com>
    List-Help: <mailto:incidents-helpsecurityfocus.com>
    List-Unsubscribe: <mailto:incidents-unsubscribesecurityfocus.com>
    List-Subscribe: <mailto:incidents-subscribesecurityfocus.com>
    Delivered-To: mailing list incidentssecurityfocus.com
    Delivered-To: moderator for incidentssecurityfocus.com
    Received: (qmail 17997 invoked from network); 28 Jun 2002 21:01:45 -0000
    From: "Mike Denka" <mdenkwhidbey.net>
    To: <incidentssecurityfocus.com>
    Subject: FW: 33 character encrypted passwords in /etc/shadow
    Date: Fri, 28 Jun 2002 14:02:51 -0700
    Message-ID: <005e01c21ee7$2a6c3b50$6ec9a8c0whidbeytel.com>
    MIME-Version: 1.0
    Content-Type: text/plain;
            charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook, Build 10.0.3416
    X-Mimeole: Produced By Microsoft MimeOLE V5.50.4522.1200
    Importance: Normal

    Thanks for all the responses to my original query. It's pretty clear
    that I missed the md5 encryption on newer versions of Red Hat which is
    what got me sweating in the first place.

    Thanks also for all the suggestions for checking file integrity on Red
    Hat machines. Looks like rpm verification and tripwire are the only
    options next to having a non-connected machine with a fresh install
    somewhere to compare against. Too bad. Not that those are terrible
    options, but the Solaris Fingerprint database
    (http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl) is a great tool.
    Maybe someday we'll have similar tools for our favorite open source
    O/S's.

    Mike

    -----Original Message-----
    From: Stephen Smoogen [mailto:smoogenlanl.gov]
    Sent: Friday, June 28, 2002 9:42 AM
    To: Mike Denka
    Cc: incidentssecurityfocus.com
    Subject: Re: 33 character encrypted passwords in /etc/shadow

    If the 33 character passwords look like:

    $1$blahblahblahblahblah

    then the passwords are using MD5sum instead of old DES passwords.
    Depending on the version of Red Hat Linux you are running this can come
    from using the authconfig command and turning on MD5sum passwords.

    If the password is in the form of
    $2$blahblahblahblahblah

    then it is a blowfish algorithm which I think only OpenBSD supports
    currently (but my data is old on this).

    The simplest way of checking your machine on Red Hat is to do a

    rpm -Va

    and look at the output. This checks the binaries on the system with what
    was listed in the RPM database. This is a very simple check and prone to
    being gotten around by good crackers. The next is to do the following:

    If the machine has a cdrom, and you have the original media.. mount the
    cdrom and do the following:

    rpm -Vp <name of RPM package on cdrom> # to see if they played with RPM

    so on my 7.3 machine:

    smoogen:{RPMS}$ rpm -qf /usr/bin/passwd
    passwd-0.67-1
    root:{RPMS}# rpm -Vp passwd-0.67-1.i386.rpm

    This will give you assurance that the packages as installed from Red Hat
    Linux are there. However it will not tell you about packages/files that
    aren't in the RPM database... or if the rpm command itself had been altered..

    On Thu, 2002-06-27 at 18:00, Mike Denka wrote:
    > Suddenly I'm seeing a few 33 character encrypted passwords showing up in
    > my /etc/shadow files on several Linux machines. And on at least one of
    > them, some of us whose entries have inexplicably changed from 13
    > characters to 34 characters can no longer ssh in. First, has anyone
    > heard of any kind of rootkit or other intrusion that has this symptom?
    > Second, what's the easiest way to get a known good md5sum of a linux
    > distribution binary like /usr/sbin/passwd? Solaris has a nice web site
    > that will accept an md5sum and spit out the binary that matches it. Any
    > quick and easy way to do the same for various redhat distributions?
    >
    > Thanks,
    >
    > Mike
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    -- 
    Stephen John Smoogen		smoogenlanl.gov
    Los Alamos National Laboratory	CCN-2	PH: (505)-665-9408
    Ta-03 SM-30  MailStop D445 DP 01U  Los Alamos, NM 87544
    

    --197E2D5916.1025300075/mail.neohapsis.com--
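As an added, defender-side illustration of the two checks discussed in this thread (not code from any of the posters): a Python helper that names the crypt(3) scheme of each /etc/shadow entry from its prefix and length, so a 33/34-character field is recognised as MD5-crypt rather than a rootkit symptom, plus a triage of `rpm -Va` output that keeps only non-config files whose size or MD5 changed or that are missing. The shadow lines and rpm output are constructed samples, and the bcrypt and empty-password branches go beyond the thread's $1$/DES cases.

```python
import re
# Constructed /etc/shadow sample: fake users and fake hash values, not from any real host.
SHADOW_SAMPLE = """\
root:$1$Mn7b2Xq9$aBcDeFgHiJkLmNoPqRsTuV:11865:0:99999:7:::
mike:Xyq1abc2DEF34:11865:0:99999:7:::
ops:$1$Mn7b2Xq$aBcDeFgHiJkLmNoPqRsTuV:11865:0:99999:7:::
svc::11865:0:99999:7:::
nobody:*:11865:0:99999:7:::
"""
# Constructed `rpm -Va` output in the 8-column attribute format of rpm 4.0.x (Red Hat 7.x).
RPM_VA_SAMPLE = """\
S.5....T   /usr/bin/passwd
..5....T c /etc/login.defs
.......T   /usr/lib/libcrypt.so.1
missing    /usr/sbin/sshd
"""
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # classic crypt(3): 2-char salt + 11 chars

def classify_hash(field):
    """Name the crypt(3) scheme from the hash field's prefix and length."""
    if field == "":
        return "EMPTY"            # account logs in with no password at all
    if field[0] in "*!":
        return "locked"
    if field.startswith("$1$"):
        return "MD5-crypt"        # 33-34 chars: '$1$' + up to 8-char salt + '$' + 22
    if field.startswith("$2"):
        return "bcrypt"           # Blowfish-based; written as '$2a$' on OpenBSD
    if DES_RE.match(field):
        return "DES"
    return "UNKNOWN"              # not a format this box should be producing

def audit_shadow(text):
    """Return (user, scheme, hash length) per entry so odd lengths can be explained."""
    report = []
    for line in filter(None, text.splitlines()):
        user, field = line.split(":", 2)[:2]
        report.append((user, classify_hash(field), len(field)))
    return report

def triage_rpm_verify(output):
    """Return (path, attrs) for missing files and non-config files whose size or MD5 changed."""
    flagged = []
    for line in filter(None, output.splitlines()):
        parts = line.split()
        attrs, path = parts[0], parts[-1]
        is_config = len(parts) == 3 and parts[1] == "c"   # 'c' marks a config file
        if attrs == "missing" or (("5" in attrs or "S" in attrs) and not is_config):
            flagged.append((path, attrs))
    return flagged
```

Files that `triage_rpm_verify` flags are the ones worth re-verifying against the install media with `rpm -Vp`, as suggested in the thread.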