LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-19-2004, 10:15 PM   #1
Tinku
Member
 
Registered: Jul 2004
Location: INDIA
Distribution: SusE, Gentoo,Debian,FreeBSD
Posts: 197

Rep: Reputation: 30
Root passwd changed


Hi guys
All of a sudden my super user password was gone. Gone in the sense that for the password, all I have to do is hit the enter button. I realised this after many futile attempts. There is nothing abnormal in the log file (maybe they are erased).
BUT, I did not have any boot loader password at that time (now I have). Could that be how someone broke into my system? Or is my system broken into, or is this some kind of a bug?

I have a number of services running on my comp like ftp, telnet, ssh, http and so on......

Please suggest me some causes/solutions

Tinku
 
Old 10-19-2004, 11:34 PM   #2
emailssent
Member
 
Registered: Sep 2004
Posts: 312

Rep: Reputation: 30
try this,

boot your system and

press 'e' when boot loader prompt comes

at the end of kernel parameter line type
" linux single"

and then type 'b' (for boot)

and then
#passwd root


In detail
=======
You can change your root password from single user mode or rescue mode. Getting into single user mode depends on your bootloader:

* LILO: When the system comes to the LILO: prompt, type linux single. When you get the # prompt you will need to type passwd root. This will update the password to a newer one. At this point you can type exit and your system should return to the boot sequence. Alternatively, you can reboot your system with the shutdown -r now or reboot commands. The system should boot up normally. You can now use your new root password to gain root access.

If LILO is configured to not wait at the boot menu (timeout value in /etc/lilo.conf set to 0) you can still halt the boot process by pressing any key in the split second before LILO boots the kernel.

* GRUB: Booting into single user mode using GRUB is accomplished by editing the kernel line of the boot configuration. This assumes that either the GRUB boot menu is not password protected, or that you have access to the password if it is.

At the boot prompt, select the kernel that you wish to boot with and press 'e' (for edit). You will now be taken to a screen where you can edit the boot parameters. Move the cursor to the kernel line and press 'e' again. Now append an 'S' to the end of the line, press Return, and then 'b' (for boot). The system will now start in single user mode and you can change the root password using the passwd command.

If the GRUB boot menu is password protected and you do not have access to the password, then you will need to use a rescue disk to boot the system. Follow the instructions given by the rescue disk boot process to recover your installation and then chroot to your system image (usually accomplished by issuing the command chroot /mnt/sysimage). From this point you should be able to use the passwd command to change the root password of the system.

-jack
 
Old 10-19-2004, 11:49 PM   #3
darthtux
Senior Member
 
Registered: Dec 2001
Location: 35.7480° N, 95.3690° W
Distribution: Debian, Gentoo, Red Hat, Solaris
Posts: 2,070

Rep: Reputation: 47
emailssent, he is saying the root password is blank.

If someone using the system as root did not change it, then someone else probably did. If you don't need telnet, ssh, ftp, etc. then turn them off. Especially telnet. Turn off all services you know you don't need.

EDIT:
And read up on linux and Suse security docs. You will want to make the services you need more secure. And if you don't have a firewall, get one.

Last edited by darthtux; 10-19-2004 at 11:51 PM.
 
Old 10-20-2004, 12:00 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Granted, it's important to fix the system, but you really need to find out what happened to the password authentication in the first place. Did you modify any of the system (especially PAM) config files recently or make any other modifications to the system? You should also verify the integrity of the pam and login rpms (I think /bin/login is part of the shadow rpm in SuSE). It's also a really good idea to run a check for rootkits with chkrootkit and/or rootkit hunter, as they have a tendency to bork the init and authentication files.
 
Old 10-20-2004, 12:10 AM   #5
emailssent
Member
 
Registered: Sep 2004
Posts: 312

Rep: Reputation: 30
@darthtux

OK
 
Old 10-20-2004, 12:55 PM   #6
Tinku
Member
 
Registered: Jul 2004
Location: INDIA
Distribution: SusE, Gentoo,Debian,FreeBSD
Posts: 197

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by Capt_Caveman
Did you modify any of the system (especially PAM) config files recently or make any other modifications to the system? You should also verify the integrity of the pam and login rpms (I think /bin/login is part of the shadow rpm in SuSE).

Can you elaborate a bit more on the above issues?
Thanks for the help

I will check for rootkit and post the results a little later tonight.


Tinku
 
Old 10-20-2004, 09:44 PM   #7
Tinku
Member
 
Registered: Jul 2004
Location: INDIA
Distribution: SusE, Gentoo,Debian,FreeBSD
Posts: 197

Original Poster
Rep: Reputation: 30
I checked for rootkits, but I didn't find any.
 
Old 10-20-2004, 10:04 PM   #8
hari_seldon99
Member
 
Registered: Jun 2003
Location: Front of PC
Distribution: Linux Mandrake
Posts: 212

Rep: Reputation: 30
Re

You might want to update your "chkrootkit" installation and check again. Also, check your servers' (if you're running any: check for that by typing "netstat -tap|grep LISTEN" as root) log files for weird remote logins. Best to have installed the "portsentry/hostsentry" python script(s). They check for remote logins and dump them to "/var/log/messages". Also, check permissions of "/etc/password" & "/etc/shadow". Normal users should not be able to write to them.
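The two checks relevant to this thread, the blank root password from the first post and hari_seldon99's permission check, can be scripted. This is an added example, not code from the thread; the function names and the sample shadow-format file are constructed for illustration, and on a real host you would point it at /etc/shadow instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit a shadow-format file for accounts
# whose password field is empty (login by just hitting Enter) and check that
# the file has a restrictive mode. Paths are parameters so it can run against
# constructed sample files; on a real host use /etc/shadow.

# Print the names of accounts whose password field (2nd colon field) is empty.
# An empty field means no password is asked for; "*" or "!" mean locked.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Return 0 if the file's octal mode equals the expected one, 1 otherwise.
# Uses GNU stat; on BSD/macOS replace with: stat -f '%Lp' "$1"
mode_is() {
    actual=$(stat -c '%a' "$1")
    [ "$actual" = "$2" ]
}

# Build a constructed sample shadow file (values are made up, not real hashes).
make_sample_shadow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root::12345:0:99999:7:::
bin:*:12345:0:99999:7:::
tinku:$1$abcdefgh$ThisIsAConstructedHashValue:12345:0:99999:7:::
guest::12345:0:99999:7:::
EOF
    chmod 600 "$f"
    printf '%s\n' "$f"
}

# Run both checks on the given shadow file; return 1 if anything is wrong.
audit() {
    shadow=$1
    rc=0
    accts=$(empty_password_accounts "$shadow")
    if [ -n "$accts" ]; then
        echo "accounts with EMPTY password field: $accts"; rc=1
    fi
    # shadow should be readable by root (and optionally group shadow) only
    mode_is "$shadow" 600 || mode_is "$shadow" 640 || {
        echo "unexpected mode on $shadow: $actual"; rc=1
    }
    return $rc
}
```

On the constructed sample, the audit reports root and guest as having empty password fields, which is exactly the symptom described in the first post.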
 
Old 10-21-2004, 07:09 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by Tinku
Can you elaborate a bit more on the above issues?
Were you modifying any user or system configuration settings? Installing any relevant applications? Updating any of the authentication or login binaries? There are a number of ways this could happen by accident, so I was trying to be as vague as possible. I would rather eliminate this as a possibility now, rather than spend time searching for intrusion clues only to find out that a system update borked something or that you were tinkering with PAM, etc.

Last edited by Capt_Caveman; 10-21-2004 at 07:11 PM.
 
Old 10-22-2004, 12:52 AM   #10
Tinku
Member
 
Registered: Jul 2004
Location: INDIA
Distribution: SusE, Gentoo,Debian,FreeBSD
Posts: 197

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by Capt_Caveman
Were you modifying any user or system configuration settings? Installing any relevant applications? Updating any of the authentication or login binaries? There are a number of ways this could happen by accident, so I was trying to be as vague as possible. I would rather eliminate this as a possibility now, rather than spend time searching for intrusion clues only to find out that a system update borked something or that you were tinkering with PAM, etc.

I have the same opinion. I doubt that my system has been broken into, because I am behind a firewall, on a local LAN, with internet access. So, the chances that I am broken into are less. But what I would like to say is that the same incident happened a few days before too. I didn't give it much thought that time, thinking it to be a mistake of some sort on my part. But now that the same incident has repeated a 2nd time and my comp's security is at stake, considering that I run an ftp and ssh server, I am very much worried.

I did not modify any system configuration settings. I remember doing the following before it happened, but I don't think it's relevant:

$ rm -rf .x*
$ rm -rf .X*


for both user and root.


Any help is appreciated

Tinku
 