
I've had quite a lot of ssh brute-force attacks on my server (Arch Linux).

I recently checked the auth log, in which I found one suspicious entry (but no successful login by anyone that wasn't me):

`passwd[#####]: password for 'polkitd' changed by 'root'`

I am quite confident that I didn't change it myself, as I'm not using polkit. But I think that I ran a `pacman -Syu` that day. Also, polkitd is not running, and no process started by the polkit user is running. Could it be that pacman was responsible for that?

rudib
  • You could check the `install` scripts in `/var/lib/pacman`. `find . -name install -exec grep -l passwd "{}" \;` should find the files that have `passwd` and you have to investigate those then. – Thomas Feb 12 '17 at 13:50
  • @Thomas thanks a lot for the tip! `passwd -l polkitd &>/dev/null` in `./local/polkit-0.113+29+g3272a98-1/install` was the deal! – rudib Feb 12 '17 at 13:55

1 Answer


Pacman actually did change the password for polkit. It seems to be a security improvement.

In order to check this, I did the following (thanks to @Thomas):

`find /var/lib/pacman -name install -exec grep -l passwd "{}" \;`

Which gave me a list of files; one of them was `./local/polkit-0.113+29+g3272a98-1/install`.

A quick inspection showed that there was a line `passwd -l polkitd &>/dev/null`.

Which explains everything.

rudib
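The check from the comments and the answer, turned into a reusable audit function (an added example, not code from the original post). It walks the installed-package directories under the pacman local database (default `/var/lib/pacman/local`, the layout the answer shows) and reports every `install` scriptlet line that invokes an account-password command, so a "password for 'X' changed by 'root'" auth-log entry can be attributed to the package whose scriptlet ran it. `make_sample_db` builds a small constructed database for demonstration; the `example-pkg` entry is invented.

```shell
#!/bin/sh
# Report pacman install scriptlets that run password-changing commands.
# Usage: find_passwd_scriptlets [/var/lib/pacman/local]
# Output: one "<package-dir>: <lineno>:<line>" entry per match.
find_passwd_scriptlets() {
    pkg_db="${1:-/var/lib/pacman/local}"
    # Each installed package has <name>-<version>-<rel>/ and may carry an
    # `install` scriptlet; packages without one are skipped.
    for script in "$pkg_db"/*/install; do
        [ -f "$script" ] || continue
        pkg=$(basename "$(dirname "$script")")
        # Match passwd/chpasswd/usermod as whole words. Note that `passwd -l`
        # (account lock) is logged the same way as a real password change.
        grep -nE '(^|[^[:alnum:]_])(passwd|chpasswd|usermod)([^[:alnum:]_]|$)' "$script" |
            while IFS= read -r line; do
                printf '%s: %s\n' "$pkg" "$line"
            done
    done
}

# Constructed sample database (not real package data): one scriptlet locks
# the polkitd account as described in the answer, the other touches nothing.
make_sample_db() {
    sample=$(mktemp -d)
    mkdir -p "$sample/polkit-0.113+29+g3272a98-1" "$sample/example-pkg-1.0-1"
    printf 'post_install() {\n  passwd -l polkitd &>/dev/null\n}\n' \
        > "$sample/polkit-0.113+29+g3272a98-1/install"
    printf 'post_install() {\n  echo "nothing to do"\n}\n' \
        > "$sample/example-pkg-1.0-1/install"
    echo "$sample"
}
```

Run `find_passwd_scriptlets` with no argument against the real database, then read each reported scriptlet to confirm the command is a legitimate part of the package rather than something unexpected.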