
Protecting Linux & Unix Systems from Password-Based Attacks

Date: June 15, 2004

Over the past week, a number of Linux computers on WHOInet have been compromised by an outside attacker. These attacks have not relied on software vulnerabilities, but on guessing or capturing the passwords of user and root accounts. The attackers can then log in normally by Secure Shell (SSH).

Responding to these attacks therefore requires more than just installing the latest software patches. We ask that Unix and Linux system operators on WHOInet take several steps to stop these attacks and protect WHOI computers from future attacks of this sort.

Because this advisory is published on the Web, it does not contain a list of the computers known to be compromised. Please refer to the email bulletin for this list.


Table of Contents

** Determine whether your systems are compromised
** Change your passwords & SSH key passphrases
** Check your logs & system files
** Minimize your exposure to unauthorized logins
** Good password practices

Determine whether your systems are compromised

If your computer receives SSH or FTP connections from a compromised computer, OR if it is exposed through the firewall to receive SSH connections, we recommend that you run "chkrootkit" to verify that it has not been compromised. "chkrootkit" is similar in principle to antivirus software; it scans for signatures of known attack software. (A "rootkit" is software installed onto a system once the attacker has gained root access.)

To run "chkrootkit", first download the source code from the Web site given below. Un-tar it; this will create a directory with the name "chkrootkit-0.43". Change to this directory, then run "make" to compile the program. Then become root, change to the same directory, and run "./chkrootkit".

This program will produce a lot of output; the only important part is whether it detects any rootkits or compromised files. The compromised systems thus far discovered have had the "init" and "ifconfig" files altered, and "chkrootkit" has reported "ZK" and "Suckit" rootkits.

"chkrootkit" home page:
http://www.chkrootkit.org/

WHOI mirror of current source:
http://llama.whoi.edu/chkrootkit-0.43.tar.gz
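The build-and-run procedure above, as an added shell script that is not part of the original advisory. It fetches the tarball from the WHOI mirror named above, builds it, runs it as root, keeps the full output on disk, and reports only the lines that need action. The log path under /root and the use of wget are assumptions; chkrootkit itself marks positive findings with "INFECTED" (upper case) or "Warning".

```shell
#!/bin/sh
# Added example (not from the WHOI advisory): build chkrootkit from the mirror
# named in the advisory, run it as root, keep the full output for the record,
# and reduce it to the lines that need action. Requires wget, make, a C
# compiler, and a root shell.

CHKROOTKIT_URL=http://llama.whoi.edu/chkrootkit-0.43.tar.gz

# Reads chkrootkit output on stdin and prints the number of lines that report
# a positive finding. chkrootkit flags those with "INFECTED" (upper case, so
# the routine "not infected" lines do not match) or "Warning".
count_findings() {
    grep -Ec 'INFECTED|Warning'
}

# Prints only the lines that report a positive finding.
show_findings() {
    grep -E 'INFECTED|Warning'
}

# Downloads and compiles chkrootkit in a scratch directory; prints the
# directory containing the built program.
build_chkrootkit() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" &&
        wget -q "$CHKROOTKIT_URL" &&
        tar xzf chkrootkit-0.43.tar.gz &&
        cd chkrootkit-0.43 &&
        make >/dev/null
    ) || { echo "build failed in $work" >&2; return 1; }
    echo "$work/chkrootkit-0.43"
}

# Runs chkrootkit as root, saves the complete output (assumed log location),
# and exits non-zero if anything was flagged.
run_chkrootkit() {
    [ "$(id -u)" -eq 0 ] || { echo "run_chkrootkit must be run as root" >&2; return 1; }
    dir=$(build_chkrootkit) || return 1
    log=/root/chkrootkit-$(date +%Y%m%d).log
    (cd "$dir" && ./chkrootkit) > "$log" 2>&1
    show_findings < "$log"
    n=$(count_findings < "$log" || true)
    echo "findings: $n (full output kept in $log)"
    [ "$n" -eq 0 ]
}

# Usage (as root): set CHKROOTKIT_RUN=1 to run when this file is executed.
if [ "${CHKROOTKIT_RUN:-0}" = 1 ]; then run_chkrootkit; fi
```

chkrootkit runs the system's own ls, ps, netstat and similar commands to do its checks, so on a box whose binaries have already been replaced its verdict cannot be fully trusted; a clean report from a suspect machine is weaker evidence than a positive one, and a full offline check from known-good media settles the question.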

Change your passwords & SSH key passphrases

We believe that the avenue by which the attackers gained access to the affected systems is by capturing passwords. The attackers worked from one compromised system to another, installing "keyboard sniffer" modules into the OS kernel. These capture keystrokes as you are typing them -- which lets the attacker capture passwords even from encrypted SSH sessions.

We recommend, therefore, that everyone change their user and root passwords and SSH key passphrases. This is most important on systems which receive SSH or FTP connections from the known compromised computers. However, we do not know how many passwords the attackers have gathered, so we recommend changing all login passwords wherever practical.

To change a Unix or Linux account password, use "passwd".
To change an SSH key passphrase, use "ssh-keygen -p".
To change your LDAP (email) password, use this Web page:
Email Administrator

Check your logs & system files

Please check your system logs for suspicious login attempts. These may reveal other compromised systems.

Please also check your own logs and system files for signs of successful attacks. Indications found on the compromised systems have included:

* New user accounts added to /etc/passwd
* Changed host SSH keys in the /etc/ssh directory
* Hidden directories (with names beginning with ".") in the /dev, /usr, /tmp, or /home directories
* Recently changed files in /bin, /usr/bin, /sbin, or /usr/sbin
* Empty log files in /var/log
* Unexpected entries in root's .bash_history file
* Unusual host in "last login" message.
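The indicators in the list above, turned into an added read-only audit script (not part of the original advisory). It checks /etc/passwd for extra UID 0 accounts, looks for hidden directories under /dev, /usr, /tmp and /home, lists recently modified files in the system binary directories and /etc/ssh, reports zero-length files in /var/log, and scans root's .bash_history against a small watch-list. The seven-day window and the watch-list patterns are assumptions; the root directory argument lets the same checks run on a mounted copy of a suspect disk.

```shell
#!/bin/sh
# Added example (not from the WHOI advisory): a read-only check for the
# indicators listed in the advisory. The first argument is the root of the
# tree to inspect ("/" for the live system, or a mounted copy); the second is
# the age in days that counts as "recently changed" (assumed default: 7).

audit_uid0_accounts() {
    # Any account other than root with UID 0 is a second root login.
    awk -F: '$3 == 0 && $1 != "root" { print "UID0 account: " $1 }' "$1/etc/passwd" 2>/dev/null
}

audit_hidden_dirs() {
    root=$1
    for d in dev usr tmp home; do
        [ -d "$root/$d" ] || continue
        # Directories whose name begins with "." at any depth.
        find "$root/$d" -type d -name '.*' 2>/dev/null | sed 's/^/hidden dir: /'
    done
}

audit_recent_changes() {
    # System binaries and SSH host keys modified within the last $2 days.
    root=$1; days=$2
    for d in bin usr/bin sbin usr/sbin etc/ssh; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -mtime "-$days" 2>/dev/null | sed 's/^/recently changed: /'
    done
}

audit_empty_logs() {
    [ -d "$1/var/log" ] || return 0
    # A zero-length log on a running system usually means it was truncated.
    find "$1/var/log" -type f -size 0 2>/dev/null | sed 's/^/empty log: /'
}

audit_root_history() {
    h=$1/root/.bash_history
    [ -f "$h" ] || return 0
    # Constructed watch-list: kernel module loading (the advisory's keystroke
    # sniffers were kernel modules) and references to hidden paths. Read the
    # whole file by hand as well; this only highlights a few patterns.
    grep -nE 'insmod|modprobe|/\.[^/ ]' "$h" 2>/dev/null | sed 's/^/history: /'
}

# Runs every check and prints one line per finding.
audit_root() {
    root=${1:-/}; root=${root%/}
    days=${2:-7}
    audit_uid0_accounts "$root"
    audit_hidden_dirs "$root"
    audit_recent_changes "$root" "$days"
    audit_empty_logs "$root"
    audit_root_history "$root"
}

# Number of findings; 0 means nothing was flagged.
audit_count() {
    audit_root "$@" | wc -l | tr -d ' '
}

# Usage: AUDIT_RUN=1 sh audit.sh / 7
if [ "${AUDIT_RUN:-0}" = 1 ]; then audit_root "$@"; fi
```

Hidden directories under /home will include every user's normal dot-directories, so that section is noisy on a multi-user machine; the useful signal is a hidden directory under /dev, /usr or /tmp, where none belong. Like chkrootkit, this script uses the system's own find, awk and grep, so run it from known-good binaries if the machine is already suspect.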

Minimize your exposure to unauthorized logins

An attacker can only attack your system from a computer which is capable of making a connection to your system. By restricting access you can prevent attackers from even targeting your system.

Have you used the WHOInet Service Registration System to allow SSH or FTP access to your computer from outside WHOI? If you no longer need this access, you can delete the access rules:

http://servicereg.whoi.edu/register/main

You can also use the "/etc/hosts.allow" and "/etc/hosts.deny" files to allow only authorized systems to connect to yours. See the manual page for "hosts_access" for details.
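An added example of the hosts.allow / hosts.deny pair described above; it is not from the original advisory. The script stages the two files in a directory of your choosing and checks them before they are copied into /etc. The network 192.0.2.0/255.255.255.0 is a placeholder for your own address range, and the daemon names are assumptions. The check exists because of the most common mistake with these files: without a catch-all entry in hosts.deny, tcp_wrappers allows any client that matches neither file, so a hosts.allow on its own restricts nothing.

```shell
#!/bin/sh
# Added example (not from the WHOI advisory): stage a fail-closed tcp_wrappers
# configuration and check it before copying it into /etc. The network
# 192.0.2.0/255.255.255.0 is a placeholder; substitute your own. Only daemons
# linked with libwrap, or started through tcpd, consult these files.

stage_hosts_access() {
    dir=$1
    mkdir -p "$dir"
    # hosts.allow is consulted first; anything it does not match falls through
    # to hosts.deny, which must therefore deny everything.
    cat > "$dir/hosts.deny" <<'EOF'
ALL: ALL
EOF
    # Allow only the named daemons from the named networks (placeholders).
    cat > "$dir/hosts.allow" <<'EOF'
sshd: 192.0.2.0/255.255.255.0, LOCAL
in.ftpd: 192.0.2.0/255.255.255.0
EOF
}

# Returns 0 if the staged pair is fail-closed and well formed, 1 otherwise.
check_hosts_access() {
    dir=$1
    # The weak setting: a hosts.deny without "ALL: ALL" leaves the default
    # (allow) in force for every client hosts.allow does not name.
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$dir/hosts.deny" || {
        echo "hosts.deny lacks ALL: ALL; unmatched clients would be allowed" >&2
        return 1
    }
    # Every non-comment hosts.allow line must be "daemon_list : client_list".
    grep -Ev '^[[:space:]]*(#|$)' "$dir/hosts.allow" |
        grep -Evq '^[^:]+:[[:space:]]*[^[:space:]:]' && {
        echo "malformed hosts.allow line" >&2
        return 1
    }
    return 0
}

# Usage: stage_hosts_access /tmp/hosts_access && check_hosts_access /tmp/hosts_access
```

After copying the files into /etc, confirm the result from a host that should be refused as well as from one that should be admitted; the hosts_access manual page describes the matching rules, and the tcpdmatch program shipped with tcp_wrappers can test a daemon/client pair against the installed files.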

Good password practices

It's a good idea to change your passwords, especially root passwords, regularly. If an attacker has learned your password, changing it will prevent their access.

Avoid using the same password for your user account and root, or for accounts on multiple systems. Particularly avoid using a password for non-WHOI resources (such as AIM, Hotmail, other chat systems or Web sites) which you use for your WHOI computer.

Never use common words, names, birthdates, or the like as passwords. It is better to have a difficult password and keep it in your wallet than to have an easily-guessed one and memorize it.