I have a RH 7.1 webserver and I am unable to log in as root.

I checked the /etc/passwd file and found a mysterious user, pacpac.

I have disconected the server from the network.

How can I get root back?
Or what should I do?

Thanks

Hi there, if he corrupted your security do not delete any of the system, do not re-install everything befor you have found the precise hole he used, and report it to where you can. (Specialy the owner(s) of the software) You should also retrace the malicious user because it well know what comes, goes, and comes back. IF he deleted all thelogs no worrie put the system back up as it is corrupted but stay 100% of the day and night tailing all logs and tcpdump (or sniffit -i).

Now to get your password back, ive install a late version of red-hat (erreta i think) and it came will a Grub (i had the choise) hopfully ull have LiLo running.

Un Plug Your box, or reboot it used the Magic Sys Keys (kernel hacking must be enabled) and shut down your system.

At the boot up, you get lilo press tab / cap whatever to get the lilo:

and type lilo :"linux init=/bin/sh rw" i think else you must look up on google. When you succeed simple run passwd and change the root password.

YOu should also install aide, bastille, and all other defense and intrusion detection software.

In addition to this, if you can't establish a probable cause of compromise by using Aide, Tripwire and chkrootkit, please reinstall from scratch and use different passwords. Leaving a backdoor is quite simple, and if the passwords are cracked access is even simpler.

I am going to re-install with RH7.2 and start using IPtables and tripwire.

I'm also going to try and send some of the log files to my other box.

Thanks for all the help.

if you are remote logging, you may want to look into hacking syslog to read the syslog.conf file from somewhere else, then place the normal conf file there. that way the hacker doesn't know that you are remote logging and may not look for them.

When you use remote login, I'd configure it to allow it only from certain IPs. If it's possible, do this.

make your password hard to crack:

ia@#xkd@!9S is a decent example, but its hard as hell to remember!

RedHat 7.2 tells you if you entered bad password or not.

Hi,


use this password for root. it is impossible to crack it.

%$@@54psf*&gneo0






Regards
Russell.

In my experience of being hacked twice this year on a full production server (serving approx 30 websites + email) you should be wary of just 'rebooting' the server without finding out what damage has been done first and what tronjans, if any, have been installed.

In some cases, rebooting will basically bork your machine out totally !

In any case, you should consider running :-

1.) Chkrootkit
2.) Logwatch
3.) Tripwire

Also, restrict access in total Paranoid mode -

disable anonymous ftp and consider using sftp
only allow ssh sessions from one fixed IP address
remove any unneccessary running services
keep the amount of users on your system at a bare
minimum - if you have users getting email from your
system but they don't need to ever log into the system,
make sure they don't have a shell account !

After a fresh install and setup, back up your critical server
configuration files - basically just backup the whole of /etc

And of course, check security advisories on a daily basis.

the coroner's toolkit comes to mind.

Hmm. I would be surprised if ppl have TCT compiled and ready (anyone tried Biatchux?), read the manuals more than once and practice with it as well. TCT ain't the easiest stuff to start with, you need to have some forensics knowledge and time, like in aeons of time :-]