hacked user a/c but passwd command not working properly

stumped312
Posts: 5
Joined: 2019/04/04 18:22:55

hacked user a/c but passwd command not working properly

Post by stumped312 » 2019/04/04 18:40:53

Hi there, I'm a first-time poster on this site, but I've been using CentOS (albeit amateurishly) for a long time though.

I have found this problem as demonstrated below; it seems very strange and none of the usual fixes suggested on Google have worked so far. I am unable to change the password on this one account (liam). Root cannot change it either; although it can change its own password, it cannot change the user's password :-S, nor can the actual user himself.

If it helps I'm running CentOS Linux release 7.5.1804

Code:

[root@bangna ]# passwd
Changing password for user root.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@bangna ]# passwd
[root@bangna ]# passwd liam
Changing password for user liam.
passwd: Authentication token manipulation error
[root@bangna ]# 
-sh-4.2$ whoami
liam
-sh-4.2$ passwd
Changing password for user liam.
passwd: Authentication token manipulation error
-sh-4.2$ 
I am hoping someone on here can advise :)

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: hacked user a/c but passwd command not working properly

Post by TrevorH » 2019/04/04 22:17:08

7.5.1804 is now a year old and 7.6 has been out for 6 months. Time to yum update.

Does the user liam have an entry in /etc/passwd and also in /etc/shadow? If they have an entry in /etc/shadow, what are the first 2 characters of the 2nd field (fields are separated by : characters)?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

stumped312
Posts: 5
Joined: 2019/04/04 18:22:55

Re: hacked user a/c but passwd command not working properly

Post by stumped312 » 2019/04/10 14:06:54

Hi Trevor, thanks v much for responding

I've now updated all packages using yum but the issue still remained. I checked /etc/passwd and /etc/shadow and found that /etc/shadow had NO permissions set at all. I tried setting permissions for the root user; I'm pasting snippets below in case you or someone else spots an issue there.

However, none of this has resolved the issue! Any further suggestions welcome.

Code:

[root@bangna ]# cat /etc/shadow | grep liam
liam:$6$.P2l8kg7$zVHXeRKS7ytS0sffrXTaLvDCo1G2TFZtqMJ80n52zizNPNbr8Syg5x.fAO903bh1JyFclRiSPco1RpBneimYM1:17815:0:99999:7:::
[root@bangna ]# cat /etc/passwd | grep liam
liam:x:1000:1000::/home/liam/
[root@bangna ]# ls -al /etc/passwd
-rw-r--r-- 1 root root 1530 Apr 10 14:41 /etc/passwd
[root@bangna ]# ls -al /etc/shadow
---------- 1 root root 1180 Apr  4 16:50 /etc/shadow
[root@bangna ]# chmod 644 /etc/shadow
[root@bangna ]# passwd liam
Changing password for user liam.
passwd: Authentication token manipulation error
[root@bangna ]# ls -al /etc/shadow
-rw-r--r-- 1 root root 1180 Apr  4 16:50 /etc/shadow
[root@bangna ]# 

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: hacked user a/c but passwd command not working properly

Post by TrevorH » 2019/04/10 15:03:37

The permissions on /etc/shadow were correct and you should put them back that way ASAP as 644 is incorrect and insecure.

Do you have any messages in either /var/log/messages or /var/log/secure when you attempt to change the password?

tomkep
Posts: 38
Joined: 2018/04/25 13:30:50

Re: hacked user a/c but passwd command not working properly

Post by tomkep » 2019/04/10 16:33:22

I would also look at what's in /etc/nsswitch.conf on the passwd: line and in /etc/pam.d/passwd and any files referenced there (by include or substack).

Is there any chance there is a password quality checker (there usually is) and you are trying to set low quality password?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: hacked user a/c but passwd command not working properly

Post by TrevorH » 2019/04/10 16:53:16

From the output provided, it looks like it errors out before it even prompts for the new password when it's run as a normal user.

What's the output from the command rpm -Va? This will verify that all files belonging to all packages installed on the system match the checksums that rpm thinks they should have. It will take a long time and may produce a lot of output, so I would suggest either teeing it to a file or piping the output into less so that you can read all of it. One possibility is that the passwd command has lost its suid bit. rpm -Va will find that and list it, but it should look like

-rwsr-xr-x. 1 root root 27832 Jun 10 2014 /bin/passwd

stumped312
Posts: 5
Joined: 2019/04/04 18:22:55

Re: hacked user a/c but passwd command not working properly

Post by stumped312 » 2019/04/10 17:43:51

I've changed back the permissions on /etc/shadow to 000 as they were before, thanks for the heads-up.
I've tried tailing the log files /var/log/messages and /var/log/secure when trying to update the user password, both as the user and as root. Nothing is being logged at the time of running the passwd command: no errors or info messages or anything at all.

As regards the nsswitch line and /etc/pam.d/passwd, on my server it looks like this, but I'm not sure whether what is there is correct or not:

Code:

[root@bangna ]# cat /etc/nsswitch.conf | grep passwd
#passwd:    db files nisplus nis
passwd:     files sss

Code:

#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   substack     system-auth
-password   optional    pam_gnome_keyring.so use_authtok
password   substack     postlogin
The output from rpm -Va looks like this:

Code:

missing   c /etc/awstats/awstats.localhost.localdomain.conf
.M...UG..  c /etc/awstats/awstats.model.conf
S.5....T.  c /etc/httpd/conf.d/awstats.conf
.M...UG..    /usr/share/awstats/wwwroot/cgi-bin/awstats.pl
S.5....T.  c /etc/php.ini
.M.......    /sys
.M....G..  g /var/log/journal
........P    /usr/bin/ping
........P    /usr/sbin/arping
........P    /usr/sbin/clockdiff
.......T.  c /etc/crontab
.M.......  g /etc/mail/access.db
.M.......  g /etc/mail/domaintable.db
.M.......  g /etc/mail/mailertable.db
.M.......  g /etc/mail/virtusertable.db
.M...UG..  g /var/spool/clientmqueue/sm-client.st
.M.......  g /var/log/dmesg
S.5....T.  c /etc/postfix/main.cf
S.5....T.  c /etc/postfix/master.cf
S.5....T.  c /etc/ssh/sshd_config
..5....T.  c /etc/yum.repos.d/rpmforge.repo
S.5....T.  c /etc/yum.repos.d/CentOS-Base.repo
S.5....T.  c /etc/aliases
..5....T.  c /etc/cron.d/0hourly
.M.......  g /etc/pki/ca-trust/extracted/java/cacerts
.M.......  g /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
.M.......  g /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
.M.......  g /var/lib/rkhunter/db/mirrors.dat
.M.......  g /var/lib/rkhunter/db/programs_bad.dat
S.5....T.  c /etc/httpd/conf/httpd.conf
S.5....T.  c /etc/cron.d/dailyjobs
S.5....T.  c /etc/dovecot/conf.d/10-auth.conf
S.5....T.  c /etc/dovecot/conf.d/10-mail.conf
S.5....T.  c /etc/dovecot/conf.d/10-master.conf
S.5....T.  c /etc/dovecot/conf.d/20-pop3.conf
S.5....T.  c /etc/sysconfig/saslauthd
.M.......  g /run/saslauthd
/home/liam/rpm_check (END)

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: hacked user a/c but passwd command not working properly

Post by TrevorH » 2019/04/10 18:12:30

........P /usr/bin/ping
........P /usr/sbin/arping
........P /usr/sbin/clockdiff
Those are all missing their correct "capabilities" flags. This is most likely down to a bug in rpm which removes capabilities improperly if you ever run rpm --setugids $package (there is a bugzilla open for this and a fix is in progress). Since they all belong to the 'iputils' package, the current solution is to yum reinstall iputils, which will correctly add CAP_NET_ADMIN (?) back to those executables.

However, nothing to do with the current problem... well, except that running rpm --setugids is often part of the recommended solution if an admin has ever accidentally run something like 'chmod -R 777 /' or 'chown -R notroot /' and hosed all the ownership and/or permissions of everything. Has that happened on this system? It might explain why passwd does not work.
..5....T. c /etc/yum.repos.d/rpmforge.repo
rpmforge is a dead repo and has not received any updates in about 5 years. It should no longer be used as many of the packages it contains are old and now have security updates that will never come. If you have things installed from there then you are advised to try to find alternative sources. You can run rpm -qa | grep "\.rf" to get a list of the things that are current installed from it (all package names contain .rf. or .rfx.).

I don't see any of the other files listed there as being the cause of this and none concern me.
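A way to read an rpm -Va listing the way the two replies above do, as an added example rather than code from the thread: it decodes the flag column, sorts lines into edited config files versus modified, capability-stripped or missing files, and checks for the setuid bit that passwd needs when run by an ordinary user. The sample lines are copied from the rpm -Va output posted earlier; the rpm_verify_* and has_setuid function names are mine, not part of rpm.

```shell
#!/bin/bash
# Added example, not from the thread: interpret `rpm -Va` output offline
# and check for a setuid bit. Sample lines are copied from the post above;
# nothing here touches the live rpm database.

# Flag positions in rpm -V output, left to right (see rpm(8)):
#   S size  M mode  5 digest  D device  L link  U user  G group
#   T mtime  P capabilities.  '.' = test passed, '?' = test not run.
rpm_verify_decode() {
    # $1: the 9-character flag string, e.g. ".M...UG.."
    local flags="$1" i c out=""
    for i in 1 2 3 4 5 6 7 8 9; do
        c=$(printf '%s' "$flags" | cut -c"$i")
        case "$c" in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out digest" ;;
            D) out="$out device" ;;
            L) out="$out link" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            P) out="$out capabilities" ;;
            '?') out="$out unverifiable" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Classify one full rpm -Va line. Edited config ('c') and ghost ('g') files
# are expected to differ; a changed size, digest or mode on anything else
# is what deserves a look, and lost capabilities get their own bucket.
rpm_verify_triage() {
    local flags type path
    read -r flags type path <<EOF
$1
EOF
    if [ -z "$path" ]; then path=$type; type=""; fi   # no type column
    if [ "$flags" = missing ]; then printf 'missing\n'; return; fi
    case "$type" in
        c|g) printf 'expected\n' ;;
        *)
            case "$flags" in
                *S*|*5*|*M*) printf 'modified\n' ;;
                *P*)         printf 'capabilities\n' ;;
                *)           printf 'benign\n' ;;
            esac ;;
    esac
}

# Does a path carry the setuid bit? passwd(1) must be setuid root to
# update /etc/shadow on behalf of an unprivileged user.
has_setuid() {
    if [ -u "$1" ]; then printf 'yes\n'; else printf 'no\n'; fi
}

# Sample lines copied from the rpm -Va output posted in this thread.
SAMPLE='missing   c /etc/awstats/awstats.localhost.localdomain.conf
.M...UG..    /usr/share/awstats/wwwroot/cgi-bin/awstats.pl
S.5....T.  c /etc/php.ini
........P    /usr/bin/ping
.......T.  c /etc/crontab'

printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    printf '%-13s %s\n' "$(rpm_verify_triage "$line")" "$line"
done
```

On the real machine the same logic reads `rpm -Va 2>/dev/null | while IFS= read -r line; do ...; done`, and `has_setuid /usr/bin/passwd` is the quick version of the `-rwsr-xr-x` check above; a `modified` verdict on a binary is also the point at which to compare against a clean reinstall (`yum reinstall`) rather than trust the file.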

stumped312
Posts: 5
Joined: 2019/04/04 18:22:55

Re: hacked user a/c but passwd command not working properly

Post by stumped312 » 2019/04/10 18:41:53

[root@bangna ]# rpm -qa | grep "\.rf"
rpmforge-release-0.5.2-2.el6.rf.x86_64

I've then run yum reinstall iputils; thanks for that one, that seems to have sorted out that problem, but as you did say, nothing to do with the current issue.

I have also tried changing the syslog level to debug and re-ran the passwd command while tailing the log files; still nothing logged at all.

any further help? much appreciated so far, I'm well out of my depth here..

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: hacked user a/c but passwd command not working properly

Post by TrevorH » 2019/04/10 19:53:44

Well, my next step would be to install strace, if it isn't already, then run it via that and see if it gives any better info. Except that I just tried that here and running it via sudo breaks it anyway, so it's useless.

Do you know the user's password now?

OK, I just recreated your problem and it's partly an error in your user and partly a bug.

Your user entry in /etc/passwd has no shell and is missing the last entry on that line. Yours says

liam:x:1000:1000::/home/liam/

and should say

liam:x:1000:1000::/home/liam/:/bin/bash

Oh, and since you posted the password hash for that user here in the forum, now you really need to change it ;-)
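To check the two things raised in this thread, the first characters of the hash field in /etc/shadow asked about in the first reply and the missing seventh (shell) field in the /etc/passwd entry diagnosed above, here is an added example in shell (my code, not something posted in the thread). The records are constructed for the example; the hash is a placeholder, not the one posted above, and the function names are my own.

```shell
#!/bin/bash
# Added example, not from the thread: offline sanity checks for /etc/passwd
# and /etc/shadow records and for the mode of /etc/shadow. The sample
# records below are constructed; the hash is a placeholder.

# Number of colon-separated fields in a record. awk counts trailing empty
# fields, so "a:b:::" has 5 fields.
field_count() {
    printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# /etc/passwd: name:passwd:uid:gid:gecos:home:shell, seven fields.
# An empty seventh field means /bin/sh; a missing one is a malformed line.
passwd_record_ok() {
    local n
    n=$(field_count "$1")
    if [ "$n" -eq 7 ]; then printf 'ok\n'; else printf 'bad: %s fields\n' "$n"; fi
}

# /etc/shadow: nine fields, the last three normally empty.
shadow_record_ok() {
    local n
    n=$(field_count "$1")
    if [ "$n" -eq 9 ]; then printf 'ok\n'; else printf 'bad: %s fields\n' "$n"; fi
}

# What the leading characters of the shadow hash field say about the account.
shadow_hash_kind() {
    local h
    h=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$h" in
        '')        printf 'empty\n' ;;         # empty password field
        '!!'*)     printf 'locked-unset\n' ;;  # locked, password never set
        '!'*|'*'*) printf 'locked\n' ;;        # locked / no password login
        '$6$'*)    printf 'sha512\n' ;;
        '$5$'*)    printf 'sha256\n' ;;
        '$1$'*)    printf 'md5\n' ;;
        *)         printf 'unknown\n' ;;
    esac
}

# /etc/shadow must never be group- or world-readable. CentOS 7 ships it as
# mode 000 (root reads it via CAP_DAC_OVERRIDE); 400/600 are also private.
shadow_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        0|400|600) printf 'ok\n' ;;
        *)         printf 'insecure: %s\n' "$mode" ;;
    esac
}

# Constructed records modelled on the thread (placeholder hash).
BROKEN_PASSWD='liam:x:1000:1000::/home/liam/'
FIXED_PASSWD='liam:x:1000:1000::/home/liam/:/bin/bash'
SAMPLE_SHADOW='liam:$6$placeholder$NOTAREALHASH:17815:0:99999:7:::'

printf 'broken passwd line: %s\n' "$(passwd_record_ok "$BROKEN_PASSWD")"
printf 'fixed passwd line:  %s\n' "$(passwd_record_ok "$FIXED_PASSWD")"
printf 'shadow line:        %s, hash %s\n' \
    "$(shadow_record_ok "$SAMPLE_SHADOW")" "$(shadow_hash_kind "$SAMPLE_SHADOW")"
```

On the real system `pwck -r /etc/passwd /etc/shadow` performs this field-count check read-only, and the missing shell field should be added with `vipw` so the file stays locked while it is edited. `shadow_mode_ok /etc/shadow` reporting `insecure: 644` is the state the thread passed through and the earlier reply asked to undo.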
