Re: 33 character encrypted passwords in /etc/shadow

[Ben Boulanger <ben () blackavar com>]

On Thu, 27 Jun 2002, Mike Denka wrote:
> Suddenly I'm seeing a few 33 character encrypted passwords showing up in
> my /etc/shadow files on several Linux machines.  And on at least one of
> them, some of us whose entries have inexplicably changed from 13
> characters to 34 characters can no longer ssh in.   First, has anyone
> heard of any kind of rootkit or other intrusion that has this symptom?
> Second, what's the easiest way to get a known good md5sum of a linux
> distribution binary like /usr/sbin/passwd?  Solaris has a nice web site
> that will accept an md5sum and spit out the binary that matches it.  Any
> quick and easy way to do the same for various redhat distributions?  

The 34(maybe 33?) character password is RedHat's (possibly all linux's) 
new password encryption.  Not sure if it's still crypt or what, but it's 
legit.

The fastest way to verify changes to files in an rpm is with a command 
like:
        rpm -qas | grep -v ^normal

This queries all installed RPMs, and shows you the state of each file.  
The -v ^normal yanks the files that haven't changed out of STDOUT for you.

Ben

-- 

Flies never visit an egg that has no crack. 


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com