Been Hacked! May I get control of my Root user again?

xpucto · 11-13-2006, 08:31 AM

Hi!

It looks like I have been hacked last week. I can't log with neither root or other users with sudo rights. I have physicall access to the server and would like to know if there is a possibility to get control over my server (FC 6) again with the help of any tool like a rescue live cd that would allow me to set up a new root's password?

thanks for any help.
P.S. I would like to get in the machine again in order to get a few datas and have a look at the log files. Then I plan to reinstall the whole stuff again.

acid_kewpie · 11-13-2006, 08:35 AM

as long as you don't ever plan to *use* the server to any extent again then that's fine... at the bootloader screen go into edit mode, e in grub, not sure what it is in lilo, and just add a "1" into the kernel options and then boot. this will automatically dump you in as root letting you change whatever you want to...

Fadoksi · 11-13-2006, 02:30 PM

remember if there is a rootkit present, the hackers files can be hidden from the system. If you want to find them, use a livecd.

Capt_Caveman · 11-13-2006, 05:45 PM

To follow up, once you are able to get access to the system, take a look at the links in the security references thread at the top of the forum. Take a look at the section "Compromise, breach of security, detection", In particular the links to CERT's Intruder Detection Checklist and "Steps for Recovering from a UNIX or NT System Compromise" will likely be useful in diagnosing the source of the compromise. Remember that if you are truly compromised, then a full reinstall from trusted media is the *only* way you can be sure that the system is secure.

sfarber53 · 11-14-2006, 07:46 PM

You can find chkrootkit at www.chkrootkit.org. It should show you what needs to be deleted, corrected, etc.

I am running CentOS 4.x and install it on all of my machines. I currently have 3 running CentOS.

Cheers!