LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-28-2005, 06:20 AM   #1
tiredoflogins
Member
 
Registered: Sep 2004
Distribution: Red Hat Linux
Posts: 89

Rep: Reputation: 15
Probably a stupid newbie q


Hi Folks,
I am under the impression that my Linux box has been compromised. I am not really a network admin guy; my root password was toor for some period of time.

The reason I suspect this is that I am no longer able to log in as root. I don't have anything important on my box (Red Hat Linux 8), so I have decided to format the Linux partition.

My questions are

1) Would it be possible that my box has been used for some sort of foul play? In that case, what should I be worried about?

2) How does an attacker gain hold of my root password?


Cheers,
MR TIRED.
 
Old 07-28-2005, 06:53 AM   #2
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 33
Physical access to a lot of Linux PCs is enough to gain root access; you don't even need the root password, and there are still a few ways to change the root password.

SSH would be the least likely way an attacker would use to gain access to your PC.

Other apps (which in most cases are not patched or correctly secured) can be more vulnerable than SSH.

Being connected to the internet 24/7 with an incorrectly secured PC is a vulnerability.

Unfortunately, you have erased any data that could have been used to really verify if your system had been cracked.

In most cases, you gain root access without a root password.

Make sure you have a decent root password. Block incoming traffic on ports you do not want to be open.

A good thing is to start off with blocking everything incoming, and allowing RELATED, ESTABLISHED (this means all that you request comes back into your system). This ensures connections cannot be established from the outside (this is not 100 percent secure, but will stop all attackers that 'just for fun' would want to crack your system; all black-hats that could still crack your system will rather want to spend time cracking something where they gain a benefit from!).

Important:
- Never erase your log files!!
- Keep backups of /etc stored elsewhere (i.e. CD/floppy/SD/MMC...)
- Make sure shadow is chmod 620 and chown root:shadow
- Also passwd should be chmod 622 and chown root:root
- Don't use sudo. If you must though, read the man page and secure it, so no user has rights in a sudo env. to change root's passwd.
- Check you do not have unknown users in your system... do this by copying passwd and comparing the copy with the original.
- Check your logs
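
The passwd comparison suggested in the post above, as an added example that is not part of the original reply: it compares a saved copy of the passwd file with the current one and reports new, changed and removed accounts, plus any non-root account with UID 0. The function name `passwd_audit`, the file names and the sample entries are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: compare a trusted copy of /etc/passwd with the live file.
# Prints one finding per line: ADDED / CHANGED / UID0 / REMOVED <account>.

passwd_audit() {
    baseline=$1   # copy saved while the system was known to be clean
    current=$2    # file being checked, normally /etc/passwd
    awk -F: '
        NF < 7 { next }                       # skip blank or malformed lines
        FILENAME == ARGV[1] {                 # baseline: remember uid:gid:home:shell
            base[$1] = $3 ":" $4 ":" $6 ":" $7; next
        }
        {
            seen[$1] = 1
            now = $3 ":" $4 ":" $6 ":" $7
            if (!($1 in base))        print "ADDED " $1 " uid=" $3 " shell=" $7
            else if (base[$1] != now) print "CHANGED " $1 " " base[$1] " -> " now
            # A second account with UID 0 is root under another name.
            if ($3 == 0 && $1 != "root") print "UID0 " $1
        }
        END { for (u in base) if (!(u in seen)) print "REMOVED " u }
    ' "$baseline" "$current"
}

# Constructed sample data (not taken from the thread).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
EOF
    cat > "$d/passwd.current" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
support:x:0:0::/root:/bin/bash
EOF
    passwd_audit "$d/passwd.baseline" "$d/passwd.current"
    rm -rf "$d"
}

demo
```

Keep the baseline copy on read-only or offline media, since an intruder with root can edit a copy stored on the same disk.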
 
Old 07-28-2005, 06:56 AM   #3
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 33
Oh, you can also harden your kernel...
i.e.: http://lids.org/
 
Old 07-28-2005, 07:09 AM   #4
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
It is not a good idea to use Red Hat 8.0 for security reasons. It is an old distro and not updated. I can suggest CentOS ( www.centos.org ). It is almost the same as RHEL; surely you won't have Red Hat support.

Good luck.

Last edited by maxut; 07-28-2005 at 07:10 AM.
 
Old 07-29-2005, 05:22 AM   #5
tiredoflogins
Member
 
Registered: Sep 2004
Distribution: Red Hat Linux
Posts: 89

Original Poster
Rep: Reputation: 15
Thanks for your help folks. My system I use only for browsing the internet. Nothing else. I actually use a dialup to connect to the internet. Since the other user I created could not dial up, I used the root login to dial up. Everything was fine, until one day, I could not log in as root.

I am reinstalling Mandrake Linux now.
 
  

