Is someone trying to hack me (and succeeding)?

[GettinSadda]

Is someone trying to hack me (and succeeding)?

I spotted this in my latest LogWatch message:

--------------------- Sudo (secure-log) Begin ------------------------

Unmatched Entries:
www-data : TTY=unknown ; PWD=/usr/share/web-admin ; USER=root ; COMMAND=/usr/lib/web-admin/backend.pl dump_file /etc/shadow

---------------------- Sudo (secure-log) End -------------------------

It looks like there is a major weakness somewhere that is allowing system files (such as the password file!) to be read by users via the web interface.

Looks like I am about to be pwned

I am checking my logs in detail...

[GettinSadda]

I have disconnected my Bubba from the network and may salvage it for parts in the future.

[Eek]

doesn't look like a hack
or a vulnerability

[Clive]

I did a course on computer security and vunerabilities a while back and threw the whole range of hacker attack tools at Bubba to see what I could find. In fact Bubba was very secure and much more secure then some well known websites out there.

I do see alot of attempts by hacking bots to request system files, Bubba of course does not supply ! I guess it is one of those attempts you are seeing here....

[GettinSadda]

The problem is not that someone or something is making a request that may compromise the system.

The problem is that, according to LogWatch, someone or something has successfully read the entire contents of the password file via the web-admin interface!

[6feet5]

Hi,

I could be wrong on this, but when you log on to the web interface you enter a user name and a password, how do you expect the php script to verify this if not by reading the shadow file?

/Johan

[Clive]

I don't use 'Logwatch' so I don't know what it reports, but unless you have given out your root password then I think it's unlikely you have been hacked. Unless you have altered apache then I cannot see /etc/passwd (or it's shadow) being accesible. If they have your root password why would they need your passwd file ???

There is some truth in using 'difficult' passwords as it is always possible to do a DES compare between an encrytped dictionary and a /etc/passwd file, I have done it myself and'am amazed how many users still use 'nouns' as their passwords; including numbers in a password always helps.

So in short, I don't think you've been hacked; unless you've invited it. Change your root password, just in case....

Bubba is no more hackable than any other server connected to the internet, less so in fact as it as less open ports to attack......

[Clive]

UPDATE !

I've just logged onto my server via the web-admin (using my normal, non-root username) and analysed my /var/log/auth.log and got the following entry -

Jun 11 22:13:56 sydnew sudo: www-data : TTY=unknown ; PWD=/usr/share/web-admin ; USER=root ; COMMAND=/usr/lib/web-admin/backend.pl dump_file /etc/shadow

(note that this entry occurs even if a false username/password is submitted)

So your original 'Logwatch' entry looks just like a genuine login attempt to the web-admin console.... Bubba is just verifying your username/password regardless if it's correct or not...

[GettinSadda]

Ah, it seems that Clive may have hit the nail on the head.

I did some further tests with Bubba while offline from my main network and discovered the following:

There are two perl scripts used by the main Bubba code: print.pl which manages printing and backend.pl which handles "All activities that require elevated privilges"

It seems that as Clive says, user_auth.php uses backend.pl to read the user list and hashed passwords from /etc/shadow so that it can manage logins. This makes perfect sense and I can't currently think of a better way to do this.

As far as I have been able to figure out so far, there is no way to nefariously access the God-mode features in backend.pl from web-admin - but that is not a cast-iron guarantee!

Now I know the full picture, the log message is fine - but you have to admit that it looks alarming when seen out of context!

What does disappoint me is that it was more than four days before a user was able to confirm that this is normal. Assuming that this is a normal, yet alarming, log message I am surprised that a simple answer was not quickly provided by someone with detailed knowledge of the product such as Johannes or Tor. Maybe I am repeating an earlier mistake of assuming that this is the best place to come for support (it is linked from the "Customer support area" of excito.com).

[ian]

I think if you want to guarantee a response from excito, you should email them directly (there is also an email link in the "Customer support area").

If you ask the forum, then you will have to wait until someone who knows the answer actually sees the question, which may or may not be someone who actually works for excito...

[Clive]

and hopefully all the Excito staff are busily working on Bubba MkII <rubs hands in anticipation>