LinuxQuestions.org
Old 05-13-2005, 01:50 PM   #1
defa0009
Member
 
Registered: Jun 2003
Posts: 185

Rep: Reputation: 31
My root password has changed?!!! Proxy was installed?


I used PuTTY to log in to my Redhat9 server this morning and when I su -root it says access denied?! Any ideas what could bring this on? Passwords don't change on their own!

Last edited by defa0009; 05-13-2005 at 07:57 PM.
 
Old 05-13-2005, 02:32 PM   #2
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 66
Are there any strange processes running? Does last show any odd login times? Is there anything strange in /tmp? You're right... passwords don't change on their own.
 
Old 05-13-2005, 02:51 PM   #3
defa0009
Member
 
Registered: Jun 2003
Posts: 185

Original Poster
Rep: Reputation: 31
In /tmp there is hsperfdata_john hsperfdata_root Xvfb_screen0


Xvfb is for my virtual screen buffer...
 
Old 05-13-2005, 02:54 PM   #4
defa0009
Member
 
Registered: Jun 2003
Posts: 185

Original Poster
Rep: Reputation: 31
Do passwords expire?
 
Old 05-13-2005, 02:55 PM   #5
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 66
Only if you set an expiration date on it when you created it...
 
Old 05-13-2005, 02:58 PM   #6
defa0009
Member
 
Registered: Jun 2003
Posts: 185

Original Poster
Rep: Reputation: 31
Quote:
Originally posted by jtshaw
Only if you set an expiration date on it when you created it...
and then it should give you some sort of countdown, right?
 
Old 05-13-2005, 03:05 PM   #7
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 66
I'd expect to get a few e-mails to the account when it was about to expire, yes.
 
Old 05-13-2005, 03:12 PM   #8
defa0009
Member
 
Registered: Jun 2003
Posts: 185

Original Poster
Rep: Reputation: 31
If someone hacked in why would they change the password?
 
Old 05-13-2005, 03:52 PM   #9
fur
Member
 
Registered: Dec 2003
Distribution: Debian, FreeBSD
Posts: 310

Rep: Reputation: 35
Quote:
when I su -root it says access denied
Maybe just a typo but make sure there is a space before and after the "-", or just "su -" will take you to root.

Did you recently do any upgrades or install any new software? Sometimes if the user that you are trying to su as is not in the wheel group you can receive an error like that.

Are you able to physically login locally to the server, or is it in a colo facility or something?
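The two benign explanations raised so far (password aging, in jtshaw's replies, and wheel-group membership, in the post above) can both be checked from `/etc/shadow` and `/etc/group`. The script below is an added example, not part of the thread; the function name `su_triage`, the user `john` and the sample file contents are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:
# lastchg is the day (since 1970-01-01) the password was last changed.

# su_triage SHADOW_FILE GROUP_FILE USER TODAY_DAYS
# Files are parameters so copies pulled from a suspect disk can be read offline.
su_triage() {
    shadow=$1; group=$2; user=$3; today=$4

    awk -F: -v today="$today" '
        $1 == "root" {
            found = 1
            if ($3 == "") { print "root: no lastchg recorded"; next }
            age = today - $3
            print "root: password last changed " age " day(s) ago"
            # Aging applies only when max is set and below 99999 (never).
            if ($5 != "" && $5 < 99999 && age > $5) {
                print "root: password expired by policy (max=" $5 ")"
            } else {
                print "root: not expired by aging policy"
            }
        }
        END { if (!found) print "root: no shadow entry" }
    ' "$shadow"

    # pam_wheel, when enabled for su, refuses callers outside group wheel.
    # Only the member list is checked here, not the primary GID in passwd.
    awk -F: -v u="$user" '
        $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) ok = 1
        }
        END { print u ": " (ok ? "in wheel" : "not in wheel") }
    ' "$group"
}

# Constructed sample data: root changed on day 12916 (2005-05-13), no aging
# limit; the calling user "john" is not a wheel member.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:$1$constructed$hash:12916:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'wheel:x:10:root,admin' > "$d/group"
    su_triage "$d/shadow" "$d/group" john 12916
    rm -rf "$d"
}
demo
```

On a live host, run it as root against `/etc/shadow` and `/etc/group`, passing `$(( $(date +%s) / 86400 ))` as the day number. A recent change day that you did not make, with no aging limit set, rules out expiry as the cause.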
 
Old 05-13-2005, 05:39 PM   #10
defa0009
Member
 
Registered: Jun 2003
Posts: 185

Original Poster
Rep: Reputation: 31
Seems I have been compromised... someone or some script installed a proxy (squid)... what do you think they wanted to use that for? And why would it change my root password? And my firewall is gone! And all the logs are gone?
 
Old 05-13-2005, 05:56 PM   #11
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 66
Step 1... unplug network
Step 2... Replace your root password
Step 3... figure out why your firewall was so terribly ineffective
Step 4... shut down or update any external services
Step 5... plug in network
 
Old 05-13-2005, 05:57 PM   #12
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Rep: Reputation: 30
ouch...time to reformat and keep up to date. After some learning from your current setup of course.

Last edited by houler; 05-13-2005 at 05:58 PM.
 
Old 05-13-2005, 05:57 PM   #13
defa0009
Member
 
Registered: Jun 2003
Posts: 185

Original Poster
Rep: Reputation: 31
Quote:
Are you able to physically login locally to the server, or is it in a colo facility or something?
It's a colo server down in Detroit...
 
Old 05-13-2005, 05:59 PM   #14
defa0009
Member
 
Registered: Jun 2003
Posts: 185

Original Poster
Rep: Reputation: 31
Why would they install a proxy?
 
Old 05-13-2005, 06:06 PM   #15
rshaw
Senior Member
 
Registered: Apr 2001
Location: Perry, Iowa
Distribution: Mepis , Debian
Posts: 2,694

Rep: Reputation: 45
It's kinda an amateurish attempt; normally one would not want to call attention to the break-in, if they want to use your bandwidth for any length of time, by changing the password and deleting the logs.
 
  

