LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 01-25-2005, 09:09 AM   #1
rockfort
LQ Newbie
 
Registered: Jun 2004
Location: Texas
Distribution: Fedora Core 1 & Red Hat 7.2
Posts: 9

Rep: Reputation: 0
Password Recovery


I need your help!!!!! 5 years with Linux and for the 1st time, one of my systems (web/mail server) has been compromised. I am uusing Fedora Core 1. Someone hacked my server and changed the root password. Can some please give me a step by step as to how to get in and recover my password on my server . I am not as advanced with Linux as I should be. I really would appreciate it.. I definitley need you help ASAP
 
Old 01-25-2005, 11:47 AM   #2
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 57
boot with fedora core1 CD

go to rescue mode
after ur dropped to shell

run

chroot /mnt/sysimage

and then

passwd root

and set ur password again

regrads
 
Old 01-25-2005, 11:56 AM   #3
halo14
Senior Member
 
Registered: Apr 2004
Location: Surprise, AZ
Distribution: Debian | CentOS | Arch
Posts: 1,103

Rep: Reputation: 45
yep.. that'll do it.. and umm.. perhaps you should be running a more secure-by-default distro for your servers if you are inexperienced with security?? FreeBSD.. and THE MOST SECURE-BY-DEFAULT OS ON THE PLANET... OpenBSD.. come to mind... also.. be sure that you're using a good password... not something like "serverbox" or "chicago" or "easypassword1".. you need to use something better for an externally exposed box.. just randomly spit out letters/numbers/symbols and jumble them up.. if this box is within your house, and you trust people... go ahead and write it down and stick it to the box... that's what I do.. my web server is in my basement and i have the password written right on it... an example password (obviously not my actual one) is something like:

"Dx92yj$@Ne%"

this takes advantage of all password security recommendations...

11 or more characters?....check
Capital letters?....check
Lowercase Letters?....check
Numbers?....check
Special Characters?....check

That would take years to break using any standard password checking tools... I also recommend, if you are going to stick with FC(or anything you use) that one you get it working the way you like.. that you use nmap and scan your box your box for any open ports.. then you'll know what your vulnerabilities are, and what you can/need to shutdown...

Good luck...

Last edited by halo14; 01-25-2005 at 11:59 AM.
 
Old 01-25-2005, 08:18 PM   #4
rockfort
LQ Newbie
 
Registered: Jun 2004
Location: Texas
Distribution: Fedora Core 1 & Red Hat 7.2
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks for the information masand, also thanks halo14 for the reprimand. I do deserve it. I am almost successfull. I get the the part where i type in passwd root and hit enter, but it gives me back message saying :

changing password for user root.
passwd: unable to set failure delay.


then it goes right back to the prompt. I get no time or chance to put in a new password. That those two lines are instantaneous. I have tried over and over again.

Please help me if you know what I am missing in order finish the task..

Thanks
Rockfort
 
Old 01-25-2005, 08:19 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
@rockfort:
If someone has compromised your machine and gotten root, you need to take the box offline and do a full format and re-install. Simply changing roots password doesn't fix the problem of how they got access to the system in the first place or what they may have done since then. With root access installing rootkits, trojaned binaries, or putting backdoors on the system are entirely possible. At the very least you need to verify that none of the files on the system have been modified and use a tool like chkrootkit or rootkit hunter to look for evidence of a rootkit. I'd still highly recommend that you blow it away and reinstall. Regardless of what OS you choose, you should devote some time to securing it.

Last edited by Capt_Caveman; 01-25-2005 at 08:22 PM.
 
Old 01-25-2005, 09:59 PM   #6
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 57
Quote:
Originally posted by Capt_Caveman
@rockfort:
If someone has compromised your machine and gotten root, you need to take the box offline and do a full format and re-install. Simply changing roots password doesn't fix the problem of how they got access to the system in the first place or what they may have done since then. With root access installing rootkits, trojaned binaries, or putting backdoors on the system are entirely possible. At the very least you need to verify that none of the files on the system have been modified and use a tool like chkrootkit or rootkit hunter to look for evidence of a rootkit. I'd still highly recommend that you blow it away and reinstall. Regardless of what OS you choose, you should devote some time to securing it.
there are wise words!!!!

before formatiing ur sytem if u intend to take some backup then u should ve carefull and do not take something which might have been modified

also to secure ur sysetm u should run some monitoring system such as "tripwire"

regards
 
Old 01-26-2005, 05:52 AM   #7
rockfort
LQ Newbie
 
Registered: Jun 2004
Location: Texas
Distribution: Fedora Core 1 & Red Hat 7.2
Posts: 9

Original Poster
Rep: Reputation: 0
Thank you all for advice, all is well taken, I will get Trip wire and Nmap to assistme with future and further scantification of my system(s). What I need now more that ever is to finish getting back into the system. Is it at all possible I do belive so. I reached the level where I can actually try to change the passwd using the instructions from Masand, but i get the following messages when I try;

changing password for user root.
passwd: unable to set failure delay.

I sincereley believe that the culprit(s) have planted something deadly on the system, for once the system is up, the hard disk light just glows from the activity. I will blow away the system but there is mail on there that I need to backup (squirrelmail). So any help with getting back in as root would be very musch appreciated.
 
Old 01-26-2005, 05:54 AM   #8
rockfort
LQ Newbie
 
Registered: Jun 2004
Location: Texas
Distribution: Fedora Core 1 & Red Hat 7.2
Posts: 9

Original Poster
Rep: Reputation: 0
I also forgot to mention that I have bought a Cisco Pix and have put the system behind the pix on the DMZ. The compromise happened before that..
 
Old 02-01-2005, 06:19 AM   #9
subhasis_ray
Member
 
Registered: Jul 2001
Location: india
Distribution: RedHat 7.1,7.2,7.3, 8.0,9.0,Fedora,EL2.1,EL3.0
Posts: 103

Rep: Reputation: 16
Hi rockfort,

This is quite a late reply..... but just another way of recovering your machine's data would be to take the concerned hard disk and install it in another machine as a slave. Mount it and copy all the data out. Then reformat after putting it back in the original machine....

Regards

Subhasis Ray
 
Old 02-01-2005, 06:28 AM   #10
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 57
Quote:
Originally posted by subhasis_ray
Hi rockfort,

This is quite a late reply..... but just another way of recovering your machine's data would be to take the concerned hard disk and install it in another machine as a slave. Mount it and copy all the data out. Then reformat after putting it back in the original machine....

Regards

Subhasis Ray
the main problem here is that he is not able to login as root to take his backup

regards
 
Old 02-01-2005, 09:12 PM   #11
subhasis_ray
Member
 
Registered: Jul 2001
Location: india
Distribution: RedHat 7.1,7.2,7.3, 8.0,9.0,Fedora,EL2.1,EL3.0
Posts: 103

Rep: Reputation: 16
Masand,

He can surely get another working machine, and atach this affected HDD to it. Then boot it up and mount the partition...... This is what I am trying to say....


-Subhasis
 
Old 02-02-2005, 06:12 AM   #12
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 57
Quote:
Originally posted by subhasis_ray
Masand,

He can surely get another working machine, and atach this affected HDD to it. Then boot it up and mount the partition...... This is what I am trying to say....


-Subhasis
in that case the problem will be he might not end up copying some modified file like rootkit

regards
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Root Password Recovery ? Pravat Linux - Security 1 04-24-2005 04:46 AM
password recovery JesseMor Linux - Security 2 09-10-2004 06:18 PM
Password Recovery (not root) NewbGhostShells Linux - Newbie 3 12-17-2003 03:03 PM
Password recovery mikeshn Linux - Security 1 09-08-2002 09:50 AM
Windows XP password recovery Scorcher2005 General 32 05-13-2002 10:49 AM


All times are GMT -5. The time now is 02:41 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration