Protecting Linux & Unix Systems from Password-Based Attacks
Date: June 15, 2004
Over the past week, a number of Linux computers on WHOInet have been compromised
by an outside attacker. These attacks have not relied on software vulnerabilities,
but on guessing or capturing the passwords of user and root accounts. The
attackers can then log in normally by Secure Shell (SSH).
Responding to these attacks therefore requires more than just installing the
latest software patches. We ask that Unix and Linux system operators on WHOInet
take several steps to stop these attacks and protect WHOI computers from future attacks of this sort.
Because this advisory is published on the Web, it does not contain a list
of the computers known to be compromised. Please refer to the email bulletin for this list.
Table of Contents
** Determine whether your systems are compromised
** Change your passwords & SSH key passphrases
** Check your logs & system files
** Minimize your exposure to unauthorized logins
** Good password practices
Determine whether your systems are compromised
If your computer receives SSH or FTP connections from a compromised computer,
OR if it is exposed through the firewall to receive SSH connections, we recommend
that you run "chkrootkit" to verify that
it has not been compromised. "chkrootkit" is similar in principle
to antivirus software; it scans for signatures of known attack software. (A "rootkit" is
software installed onto a system once the attacker has gained root access.)
To run "chkrootkit", first download the source code from the Web
site given below. Un-tar it; this will create a directory with the name
"chkrootkit-0.43". Change to this directory, then run "make" to
compile the program. Then become root, change to the same directory, and run the "chkrootkit" program.
This program will produce a lot of output; the only important part is whether
it detects any rootkits or compromised files. The compromised systems thus far
discovered have had the "init" and "ifconfig" files altered, and "chkrootkit"
has reported "ZK" and "Suckit" rootkits.
"chkrootkit" home page:
WHOI mirror of current source:
Change your passwords & SSH key passphrases
We believe that the avenue by which the attackers gained access to the affected
systems is by capturing passwords. The attackers worked from one compromised system to another, installing "keyboard sniffer" modules
into the OS kernel. These capture keystrokes as you are typing them -- which
lets the attacker capture passwords even from encrypted SSH sessions.
We recommend, therefore, that everyone change their user and root passwords
and SSH key passphrases. This is most important on systems which receive SSH
or FTP connections from the known compromised computers. However, we do not
know how many passwords the attackers have gathered, so we recommend changing
all login passwords wherever practical.
To change a Unix or Linux account password, use "passwd".
To change an SSH key passphrase, use "ssh-keygen -p".
To change your LDAP (email) password, use this Web page:
Check your logs & system files
Please check your system logs for suspicious login attempts. These may reveal other compromised systems.
Please also check your own logs and system files for signs of successful attacks. Indications found on the compromised systems have included:
* New user accounts added to /etc/passwd
* Changed host SSH keys in the /etc/ssh directory
* Hidden directories (with names beginning with ".") in the /dev, /usr, /tmp, or /home directories
* Recently changed files in /bin, /usr/bin, /sbin, or /usr/sbin
* Empty log files in /var/log
* Unexpected entries in root's .bash_history file
* Unusual host in "last login" message.
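The checks in the list above can be scripted. The following is an added example (not part of the WHOI advisory) that sweeps a system for those indicators and prints one line per hit; the baseline directory used for the host-key comparison is an assumption of the example, not a system default.

```shell
#!/bin/sh
# Added example (not from the WHOI advisory): a read-only sweep for the
# indicators listed above. With no argument it inspects the running system;
# pass a directory to inspect a mounted image or a test tree instead.
# Every hit needs human review: a user's own ~/.ssh, a freshly patched
# binary or a log rotated minutes ago will show up here too.

check_indicators() {
    root="${1:-}"      # prefix for all paths; empty = live system
    days="${2:-7}"     # "recently changed" = modified within N days

    # Hidden directories in /dev, /usr, /tmp and /home
    for d in dev usr tmp home; do
        [ -d "$root/$d" ] && find "$root/$d" -type d -name '.*' -print 2>/dev/null \
            | sed 's/^/hidden-dir: /'
    done

    # Recently modified files in the system binary directories
    for d in bin usr/bin sbin usr/sbin; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -mtime "-$days" -print 2>/dev/null \
            | sed 's/^/recent-binary: /'
    done

    # Empty log files: a wiped log is itself a symptom
    [ -d "$root/var/log" ] && find "$root/var/log" -type f -empty -print 2>/dev/null \
        | sed 's/^/empty-log: /'

    # Accounts added to /etc/passwd: without a baseline, flag any extra uid-0 account
    [ -f "$root/etc/passwd" ] && \
        awk -F: '$3 == 0 && $1 != "root" { print "uid0-account: " $1 }' "$root/etc/passwd"

    # Changed host keys: compare /etc/ssh/*.pub with copies saved earlier.
    # The baseline directory is an assumption of this example, not a system default;
    # a key with no saved copy is reported as changed.
    base="$root/var/backups/ssh-hostkeys"
    if [ -d "$base" ]; then
        for k in "$root"/etc/ssh/ssh_host_*_key.pub; do
            [ -f "$k" ] || continue
            cmp -s "$k" "$base/$(basename "$k")" || echo "hostkey-changed: $k"
        done
    fi
    return 0
}

# Usage: check_indicators            (live system, run as root)
#        check_indicators /mnt/image 14
```

Run it once on a known-good system first and keep that output, so later runs can be compared against it rather than read from scratch.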
Minimize your exposure to unauthorized logins
An attacker can only attack your system from a computer which is capable of
making a connection to your system. By restricting access you can prevent attackers from even targeting your system.
Have you used the WHOInet Service Registration System to allow SSH or FTP
access to your computer from outside WHOI? If you no longer need this access, you can delete the access rules:
You can also use the "/etc/hosts.allow" and "/etc/hosts.deny" files
to allow only authorized systems to connect to yours. See the manual page for "hosts_access" for details.
Good password practices
It's a good idea to change your passwords, especially root passwords, regularly.
If an attacker has learned your password, changing it will prevent their access.
Avoid using the same password for your user account and root, or for accounts
on multiple systems. In particular, never reuse the password for your WHOI computer
on non-WHOI resources (such as AIM, Hotmail, other chat systems or Web sites).
Never use common words, names, birthdates, or the like as passwords. It is
better to have a difficult password and keep it in your wallet than to have an easily-guessed one and memorize it.