
BackTrack Start Up Changed Without Upgrade?


whitehat


When I turned on a BT5r3 Gnome laptop today I couldn't log in. I always log in as root (b/c I like it, conventional wisdom be damned). After my pw failed about 10 times I was able to log in as a non-root then su to root, which I had to do anyway to startx.

That was weird. I've never had to do that before.

Additionally, I now notice a NOTICE TO USERS that says something like "blah, blah, blah, the government and your employers are going to monitor you and your use means you agree to being spied on and if they catch you actually using the tools in here they are going to take you to the rape rooms".

So my questions are:

1. Why do I have to log in as non-root all of a sudden?

2. Do you all see this NOTICE TO USERS (or whatever it says) message when logging in too?

3. How can I edit/delete that message because I don't like seeing it?

Edited by whitehat

Um, have you ever changed the default password for BackTrack? It's quite common to get whacked if you have a native install of BackTrack, if you've never changed the password for root from day one. Also, you can, after installing the system, disable root and set another user as root if need be, or just add new users and set up sudo for the new user accounts. BackTrack isn't meant to be an everyday distro, but a lot of people do use it as their main box, with the knowledge that you need to change a lot of things to secure it. By default, it's meant to be used for pentesting, and people using it as root, if they get hacked while logged in as root, well, that's part of the game and common.

There is a new Linux rootkit out, though, that apparently injects itself via websites and specific Linux kernels, which is possible; all of what you mentioned, such as the notice, makes me think you got hacked, more than likely. I would personally, to be safe, wipe and reinstall, just back up important files, scripts, etc. beforehand, then start fresh. Linux, like every OS and system, is not immune to attacks. If your login process changed on its own, that's a red flag; treat the system as hostile and compromised. Just my 2 cents.


Nah, it wasn't the default password and my password still works fine. It just doesn't let me log in as root until after I log in as non-root.

The only reason I find it weird is that this is new and I'm also seeing that new "NOTICE TO USERS" message -- do you see that when you boot BackTrack?

It's not my main box, but it is a dedicated BackTrack laptop b/c I have old laptops coming out my orifices. It's actually a fairly new install; about 10 days old. I suppose it's always possible that I got hacked, but I'm not seeing any viruses/malware or evidence of an infection... wouldn't it be kind of a strange practical joke for someone to hack me only to make my boot up screen display a legal warning and require the non-root login?

I do have one theory on the non-root login thing --> I ran Bastille yesterday. I don't remember it saying anything about that, but it did make plenty of changes to harden BackTrack, so maybe that was one.

But what of this NOTICE TO USERS? I'm sure I'm not the only one who sees this, but is it new? I don't remember ever seeing it before.

Edited by whitehat

I've never seen anything change my startup on me before, or post messages like that, but if it was part of a pushed update, or as you said even, software you installed, that would make more sense. I would post on the BackTrack forums in general though, and also research the software you mentioned, Bastille, to see if that's part of it. Grep your system for the text of the message in the Bastille files for instance, to see if that's where it came from, or google Bastille and see what others have said afterward, but no, I do not see the message "notice to users" on mine. I haven't done any updates lately nor updated to r3 yet either, but never heard of BackTrack doing that and referring to logged on owners as "notice to users" of any kind.


Just downloaded it from SourceForge, and grepped it; in file SecureInetd.pm line 323 I see a "notice to users", so I would say Bastille is the culprit.

***************************************************************************
NOTICE TO USERS

This computer system is the private property of $owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.

By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to use
this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************

Sounds pretty whacky, but maybe security through obscurity to scare potential thieves or other users from messing with it..lol

Edited by digip

Ah ha! You did find the culprit. Also, the same message is apparently part of Ubuntu, and a dormant part of BackTrack.

I fixed the start up message. The original, which you quoted, was a bit too much 1984, anti-user "no expectation of privacy" BS for my taste. Now it says:

***************************************************************************
NOTICE TO USERS

Hack me and I'll hack you back :)
Go on, try it!... but you gotta ask yourself -- do you feel lucky?
Well do ya, punk?
****************************************************************************

Btw did you try Bastille? I like it, aside from this boot up annoyance.

Here's how I changed the message (this is from an Ubuntu guide I googled last night):

Display a Banner

If you want to try to scare novice attackers, it can be funny to display a banner containing legalese. This doesn't add any security, because anyone that's managed to break in won't care about a "no trespassing" sign--but it might give a bad guy a chuckle.

To add a banner that will be displayed before authentication, find this line:

#Banner /etc/issue.net

and replace it with:

Banner /etc/issue.net

This will display the contents of the /etc/issue.net file, which you should edit to your taste. If you want to display the same banner to SSH users as to users logging in on a local console, replace the line with:

Banner /etc/issue

Edited by whitehat
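
Added example, not part of the thread or of Bastille: the checks described in the posts above as shell functions that report which file an active sshd Banner line points at, which login message files contain a given text, and where that text sits in an unpacked source tree. The /etc/ssh/sshd_config path, the function names and the demo tree (including its stand-in SecureInetd.pm) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: trace an unexpected login banner back to the file that holds it.

# Print the path named by the active (uncommented) Banner line under root $1.
# sshd keywords are case-insensitive and the first value for a keyword wins.
active_ssh_banner() {
    conf="$1/etc/ssh/sshd_config"      # assumed standard OpenSSH location
    [ -f "$conf" ] || return 0
    awk 'tolower($1) == "banner" { print $2; exit }' "$conf"
}

# Print file:line:text for each login message file under root $1 containing $2.
find_banner_text() {
    for f in etc/issue etc/issue.net etc/motd; do
        if [ -f "$1/$f" ]; then
            grep -nF -- "$2" "$1/$f" /dev/null || true
        fi
    done
}

# Search an unpacked source tree $1 for the fixed string $2.
grep_tree() {
    grep -rnF -- "$2" "$1" || true
}

# Build a constructed tree to run the checks against (not real system files).
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/src/Bastille"
    printf 'NOTICE TO USERS\nconstructed banner body\n' > "$d/etc/issue"
    printf 'constructed issue.net text\n' > "$d/etc/issue.net"
    printf '#Banner /etc/issue.net\nBanner /etc/issue\n' > "$d/etc/ssh/sshd_config"
    printf '# constructed stand-in\n\nNOTICE TO USERS\n' > "$d/src/Bastille/SecureInetd.pm"
    echo "$d"
}

demo=$(make_demo_tree)
echo "sshd Banner file: $(active_ssh_banner "$demo")"
find_banner_text "$demo" "NOTICE TO USERS"
grep_tree "$demo/src" "NOTICE TO USERS"
rm -rf "$demo"
```

Pass / as the root argument to run the same checks on a live system, or the mount point of a disk image to inspect it offline.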

I haven't tried it, but to be honest, I don't know a whole lot about linux, so don't want to install things like that which, while it may be great to help others, don't want it messing with what I've already come to expect from BT. I'm actually installing VMware tools in BT5 R3 Gnome 32bit as we speak...
