Hello and welcome to LQ. Hope you like it here.
Originally Posted by sandeeprana
Suddenly systems have stopped accepting any user account...
neither root password is working even if it is true
Your first task is to find out the reasons why and when
(that's two questions) the systems' behaviour changed.
For that you'll have to find out (ask around if necessary):
- who manages the systems?
- who has access to (which parts of) the systems?
- what services do these systems provide?
Record system data just in case:
- processes (ps axfwwwe)
- network (netstat -na)
- open files (lsof -n)
The answers to the "who and what" questions guide you where to look for changes in the system in case of anything not default.
Minimally you'll want to check:
- system login records (last, lastb, /var/log/secure),
- all system logs in /var/log,
- all daemon logs,
- any logs made by update tools,
- output of 'rpm -qVva',
- output of Chkrootkit, Rootkit Hunter, OSSEC, Aide, Samhain or even Tripwire, only if installed before the incident.
If there's cause for alarm do not neglect but do investigate previous (e-mail) correspondence with respect to reported errors by users and fellow admins, malfunctions and any hunches or gut feelings. If there's cause for alarm you also might want to use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
If you report back please report *exact* errors, output or log lines, preferably in BB code tags.
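An added example, not part of the original post: a shell function that sorts saved `rpm -qVva` output so changed binaries and libraries stand out from routine config edits. The category names, the function names and the sample lines are assumptions made up for this illustration.

```shell
# Verify flags per rpm(8): S size, M mode, 5 digest, D device, L symlink,
# U user, G group, T mtime, P capabilities; "missing" = file absent.
# Category names are a convention of this example, not rpm output.
triage_rpm_verify() {
    # Reads verify output on stdin, prints "CATEGORY<TAB>flags<TAB>path".
    awk '
    {
        flags = $1
        # Path starts at the first "/" so names containing spaces survive.
        if (!match($0, /\//)) next
        path = substr($0, RSTART)
        # Attribute marker (c config, d doc, g ghost, l license, r readme)
        attr = ""
        if ($2 ~ /^[cdglr]$/) attr = $2

        if (flags == "missing") {
            kind = "MISSING"
        } else if (flags !~ /^[.?SM5DLUGTP]+$/) {
            next                  # not a verify line (error text etc.)
        } else if (flags ~ /^[.]+$/) {
            next                  # passed every check
        } else if (attr == "c") {
            kind = "CONFIG"       # edited config file: review by hand
        } else if (flags ~ /5/) {
            kind = "CONTENT"      # packaged file content differs
        } else if (flags ~ /[MUG]/) {
            kind = "PERMS"        # mode or ownership differs
        } else {
            next                  # mtime-only or similar drift
        }
        printf "%s\t%s\t%s\n", kind, flags, path
    }'
}

# Constructed sample lines in rpm -V format (not real output).
sample_verify_output() {
    cat <<'EOF'
.........    /usr/bin/less
S.5....T.  c /etc/pam.d/system-auth
S.5....T.    /bin/login
.M...UG..    /usr/bin/passwd
missing      /lib/security/pam_unix.so
.......T.    /usr/share/man/man1/ls.1.gz
EOF
}

sample_verify_output | triage_rpm_verify
```

On a real system the input would be `rpm -qVva 2>&1 | triage_rpm_verify`, ideally with the raw output saved to a file first so the exact lines can be reported.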