# Breaking into root from standard user via SSH

## Techbart

I have a bit of an odd question to ask.  Is it possible for a user who has been created with useradd to somehow gain access to a root tty via SSH?  I only ask because last night I added a user through SSH using VX ConnectBot on my Android, logged out as root, then logged the new user in so they could change their password.  I can't be 100% sure that my memory serves me correctly, but when I checked my phone again I noticed root was logged in, but I only remember logging in the new user before handing it to them for setting up their password, and have no memory of logging in as root again afterwards.

I know this sounds a bit vague, but I'm driving myself crazy wondering whether the person I handed my phone to was some kind of evil genius who could log into root from a freshly created account with no special permissions, or whether I had simply forgotten that I'd logged back into root later.  Any thoughts on the matter would be greatly appreciated.

----------

## NeddySeagoon

Techbart,

Yes, it's possible, even trivial.  Your ssh user could root your phone the same way you did.

----------

## Techbart

Ah, sorry, I should have been a bit more clear in my description.  What I meant was that they seemed to be able to gain root on my Gentoo box via an SSH session from my Android phone, after I had logged out root (which I'd used for setting up their account) and logged in their newly-made account so they could change their own password.  I'm wondering if it's somehow possible to gain access to root via SSH to my Gentoo box from a standard user account, also on the Gentoo box.

----------

## NeddySeagoon

Techbart,

That depends on your install.  I had it done to me.  The intruder removed /etc, so it didn't go undetected for long.

It needs a locally exploitable privilege escalation bug in your install and the attacker needs to be willing and know how to exploit it.

Look at the suspect user's .bash_history.

If .bash_history is blank, then it's been deliberately removed ... be suspicious.

It might hold some evidence of what the user was doing.

----------
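The check suggested in the post above, as an added example that is not part of the original thread: a small POSIX shell script that classifies a user's .bash_history (missing home, no history file, symlinked to /dev/null, truncated to empty, or present with N lines) and counts lines that look like local privilege-escalation attempts. The home directory paths and the list of "interesting" commands are assumptions for illustration; run it as root against the real home directories on the box.

```shell
#!/bin/sh
# Added example, not from the original thread. Usage: sh audit_history.sh /home/bob
# Assumed layout: one home directory per user, history in $HOME/.bash_history.

# Classify a home directory's .bash_history.
# Prints one of: MISSING_HOME, NO_HISTORY, DEVNULL_SYMLINK, SYMLINK:<target>, EMPTY, OK:<lines>
audit_history() {
    home="$1"
    hist="$home/.bash_history"
    if [ ! -d "$home" ]; then
        printf 'MISSING_HOME\n'        # user created without a home: nothing to read
        return 0
    fi
    if [ -L "$hist" ]; then
        # linking the history file to /dev/null is a common way to leave no trace
        target=$(readlink "$hist")
        case "$target" in
            /dev/null) printf 'DEVNULL_SYMLINK\n' ;;
            *)         printf 'SYMLINK:%s\n' "$target" ;;
        esac
        return 0
    fi
    if [ ! -e "$hist" ]; then
        printf 'NO_HISTORY\n'          # never written, or deleted outright
        return 0
    fi
    if [ ! -s "$hist" ]; then
        printf 'EMPTY\n'               # truncated: treat as suspicious
        return 0
    fi
    n=$(wc -l < "$hist" | tr -d ' ')
    printf 'OK:%s\n' "$n"
    return 0
}

# Count history lines that commonly show up when someone tries to escalate locally:
# fetching and compiling code, su/sudo, setuid hunting, or tampering with history itself.
# Prints the count; returns 1 if the file cannot be read.
flag_suspicious() {
    hist="$1"
    [ -f "$hist" ] || return 1
    grep -E -c '(^|[;&| ])(gcc|cc|make|wget|curl|su|sudo|chmod [0-9]*[4-7][0-7]{3}|find .*-perm|history -c|unset HISTFILE)' "$hist" || true
}

# Stand-alone use: report on the single home directory given on the command line.
if [ $# -eq 1 ]; then
    audit_history "$1"
    flag_suspicious "$1/.bash_history" || true
fi
```

The history file is only evidence when the user did not avoid it: an attacker who exports HISTFILE to /dev/null, or who ran everything through a script, leaves nothing there. Pair it with the login records, which the user cannot edit without already being root: `last root` (from /var/log/wtmp) shows when root logged in and from which address, and the sshd entries in your syslog output show every accepted login for the account in question.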

## Techbart

Hmm, it's seeming more like it was a case of bad memory on my part by the sound of it.  My Gentoo install was done following the Handbook, and I also installed sudo afterwards, adding only my user account to the list.  The only other thing that has been done after finishing a full Gentoo install using the latest x64 image (which was checksummed against the official source) was to install Samba, Oracle Java and a Minecraft server on top of that.  The guy I handed my phone to for setting up his password had it for no more than 5 minutes, so unless he knew ahead of time of an exploit that could be done using an Android phone SSHed into my Gentoo box, it's probably unlikely that he'd managed to get to my root, and more likely that I'd simply forgotten that I'd logged in as root myself after he'd finished with the phone.

Coincidentally enough, the first thing I tried was to look through the bash history for all accounts, but I'd also forgotten to set up his user account with a /home folder, so there was no bash history I could find there.  I'm just putting it down to a night of terrible memory on my part and sloppy account management, but it was driving me crazy not knowing :p.  Either way, thanks for helping to clear my paranoia on that one :)

----------

