From owner-freebsd-stable@FreeBSD.ORG Tue Sep 25 18:06:01 2007
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AAD2816A418 for ; Tue, 25 Sep 2007 18:06:01 +0000 (UTC) (envelope-from freebsd@victorstar.com)
Received: from mail.umbra.com (toronto-hs-216-138-236-105.s-ip.magma.ca [216.138.236.105]) by mx1.freebsd.org (Postfix) with ESMTP id 3D0A713C468 for ; Tue, 25 Sep 2007 18:06:00 +0000 (UTC) (envelope-from freebsd@victorstar.com)
Received: from umbexch1.umbra.com ([10.0.0.70]) by mail.umbra.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 25 Sep 2007 14:06:30 -0400
Received: from victors.umbra.com ([10.0.0.45]) by umbexch1.umbra.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 25 Sep 2007 14:06:30 -0400
Date: Tue, 25 Sep 2007 14:06:29 -0400
From: Victor Star
X-Priority: 3 (Normal)
Message-ID: <196878840.20070925140629@victorstar.com>
To: Mike Bristow
In-Reply-To: <20070925121645.GA53716@wafer.urgle.com>
References: <762964378.20070923221850@victorstar.com> <20070924063127.GB37371@shell.unixguru.nl> <63456181.20070924092908@victorstar.com> <20070925121645.GA53716@wafer.urgle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1251
Content-Transfer-Encoding: 8bit
X-OriginalArrivalTime: 25 Sep 2007 18:06:30.0754 (UTC) FILETIME=[CCB2E420:01C7FF9E]
Cc: freebsd-stable@freebsd.org
Subject: Re: in openpam_load_module(): no pam_unix.so found
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Tue, 25 Sep 2007 18:06:01 -0000

Hi Mike,

Now, before I got a chance to try it out, it suddenly works again. As good news as that is, I don't really like things fixing themselves without my knowledge of what's going on... Looks like a good time to start learning about rootkits.
Of course there is a possibility of some resource-related issue, but I would expect at least to see something in messages or other log files.... I'll keep this email for the future in case it happens again.

Thank you for your help!

Victor

> On Mon, Sep 24, 2007 at 09:29:08AM -0400, Victor Star wrote:
>> ==- 8< -========================================================================
>> fireball# ldd /usr/lib/pam_unix.so
>> /usr/lib/pam_unix.so:
>>         libutil.so.5 => /lib/libutil.so.5 (0x28167000)
>>         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28173000)
>>         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
>>         libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)
>> fireball# ldd /usr/lib/pam_unix.so.3
>> /usr/lib/pam_unix.so.3:
>>         libutil.so.5 => /lib/libutil.so.5 (0x28167000)
>>         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28173000)
>>         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818b000)
>>         libpam.so.3 => /usr/lib/libpam.so.3 (0x2818f000)
>
> Hmm. That all looks ok.
>
> The relevant code inside openpam[1] does something like
>
>     dlopen(OPENPAM_MODULES_DIR . "/pam_unix.so.3", RTLD_NOW)
>
> and if that fails, tries
>
>     dlopen(OPENPAM_MODULES_DIR . "/pam_unix.so", RTLD_NOW)
>
> Both of these must have failed when su ran.
> It may be worth compiling the following:
>
> : mike@wafer:~ ; cat dlopentest.c
> #include <stdio.h>
> #include <dlfcn.h>
>
> int
> main (int argc, char **argv) {
>         void *dlh;
>
>         /* same flags openpam uses: resolve all symbols now, not lazily */
>         dlh = dlopen(argv[1], RTLD_NOW);
>         if (dlh) {
>                 printf("dlopen %s worked\n", argv[1]);
>         } else {
>                 /* dlerror() tells you which dependency or file was the problem */
>                 printf("dlopen %s failed: %s\n", argv[1], dlerror());
>         }
>         return 0;
> }
> : mike@wafer:~ ; make dlopentest
> cc -O2 -fno-strict-aliasing -pipe -march="pentium3" dlopentest.c -o dlopentest
> : mike@wafer:~ ; ./dlopentest /usr/lib/pam_unix.so
> dlopen /usr/lib/pam_unix.so worked
> : mike@wafer:~ ; ./dlopentest /usr/lib/pam_unix.so.3
> dlopen /usr/lib/pam_unix.so.3 worked
> : mike@wafer:~ ; ./dlopentest /usr/lib/pam_kasjajsk.so
> dlopen /usr/lib/pam_kasjajsk.so failed: Cannot open "/usr/lib/pam_kasjajsk.so"
> : mike@wafer:~ ;
>
> this may give you a clue as to why the dlopen failed. If that
> doesn't point at a problem, then recompile su with _openpam_debug
> = 1, and set up syslog to log LOG_DEBUG messages somewhere and see
> what happens.
>
> [1] assuming a version of FreeBSD suitably similar to the one I
> have here, of course.
>
>> ==- 8< -========================================================================
>>
>> As for when it stopped working - the first thing I did was try to recall if I updated any ports.
>> I even went so far as to look for all files in /usr/ modified within the date range, but no,
>> nothing.
>>
>> I did update php5 a couple of days before that. But it still worked for about two days after that.
>> And I don't have apache/php open to the outside anyway. Just mail ports and ssh on a high port (closed
>> it for now, just in case, anyway).
>>
>> Victor
>>
>>
>> >> ====- 8< -===================================================
>> >> su: in openpam_load_module(): no pam_unix.so found
>> >> su: pam_start: system error
>> >> ====- 8< -===================================================
>> >>
>> >> pam_unix.so is in /usr/lib:
>> >> ====- 8< -===================================================
>> >> # ls -l /usr/lib/pam_unix*
>> >> lrwxr-xr-x  1 root  wheel     13 Sep 25  2006 /usr/lib/pam_unix.so -> pam_unix.so.3
>> >> -r--r--r--  1 root  wheel  10240 Feb 19  2007 /usr/lib/pam_unix.so.3
>> >> # file /usr/lib/pam_unix.so
>> >> /usr/lib/pam_unix.so: symbolic link to `pam_unix.so.3'
>> >> ====- 8< -===================================================
>>
>> > First, this is how a problem should be described, great work.
>>
>> > When openpam can't load a module, it also prints the 'not found' message.
>> > With 'ldd /usr/lib/pam_unix.so.3' you can see if all the libraries that
>> > it needs are in place. On my systems it gives the following output:
>>
>> > $ ldd /usr/lib/pam_unix.so.3
>> > /usr/lib/pam_unix.so.3:
>> >         libutil.so.5 => /lib/libutil.so.5 (0x28169000)
>> >         libcrypt.so.3 => /lib/libcrypt.so.3 (0x28175000)
>> >         libypclnt.so.2 => /usr/lib/libypclnt.so.2 (0x2818d000)
>> >         libpam.so.3 => /usr/lib/libpam.so.3 (0x28191000)
>>
>> >> ====- 8< -===================================================
>> >> Sep 18 11:11:37 xxxxxx su: BAD SU to root on /dev/ttyp3
>> >> Sep 18 11:13:46 xxxxxx sshd[45047]: Bad protocol version identification '\377\364\377\375\006quit' from
>> >> Sep 18 11:15:08 xxxxxx sshd[45056]: Received disconnect from : 2: Bad packet length 710099706.
>> >> ====- 8< -===================================================
>>
>> > The first line is probably the result of the broken pam_unix.so; the
>> > other two lines look to me like ssh bruteforce attacks.
>>
>> > But when did it stop working? Did you try to update the world or something like that?
>>
>> --
>> Best regards,
>> Victor
>>
>> _______________________________________________
>> freebsd-stable@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

--
Best regards,
Victor