Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi guys
All of a sudden my super user password was gone. Gone in the sense that for the password, all I have to do is hit the Enter button. I realised this after many futile attempts. There is nothing abnormal in the log file. (Maybe they are erased.)
BUT, I did not have any boot loader password at that time. (Now I have.) Could that be how someone broke into my system? Or is my system broken into, or is this some kind of a bug?
I have a number of services running on my comp like ftp, telnet, ssh, http and so on...
At the end of the kernel parameter line type
linux single
and then type 'b' (for boot), and then
# passwd root
In detail
=======
You can change your root password from single user mode or rescue mode. Getting into single user mode depends on your bootloader:
* LILO: When the system comes to the LILO: prompt, type linux single. When you get the # prompt you will need to type passwd root. This will update the password to a newer one. At this point you can type exit and your system should return to the boot sequence. Alternatively, you can reboot your system with the shutdown -r now or reboot commands. The system should boot up normally. You can now use your new root password to gain root access.
If LILO is configured to not wait at the boot menu (timeout value in /etc/lilo.conf set to 0) you can still halt the boot process by pressing any key in the split second before LILO boots the kernel.
* GRUB: Booting into single user mode using GRUB is accomplished by editing the kernel line of the boot configuration. This assumes that either the GRUB boot menu is not password protected, or that you have access to the password if it is.
At the boot prompt, select the kernel that you wish to boot with and press 'e' (for edit). You will now be taken to a screen where you can edit the boot parameters. Move the cursor to the kernel line and press 'e' again. Now append an 'S' to the end of the line, press Return, and then 'b' (for boot). The system will now start in single user mode and you can change the root password using the passwd command.
If the GRUB boot menu is password protected and you do not have access to the password, then you will need to use a rescue disk to boot the system. Follow the instructions given by the rescue disk boot process to recover your installation and then chroot to your system image (usually accomplished by issuing the command chroot /mnt/sysimage). From this point you should be able to use passwd to change the root password of the system.
emailssent, he is saying the root password is blank.
If someone using the system as root did not change it, then someone else probably did. If you don't need telnet, ssh, ftp, etc. then turn them off. Especially telnet. Turn off all services you know you don't need.
EDIT:
And read up on linux and Suse security docs. You will want to make the services you need more secure. And if you don't have a firewall, get one.
Granted, it's important to fix the system, but you really need to find out what happened to the password authentication in the first place. Did you modify any of the system (especially PAM) config files recently, or make any other modifications to the system? You should also verify the integrity of the pam and login rpms (I think /bin/login is part of the shadow rpm in SuSE). It's also a really good idea to run a check for rootkits with chkrootkit and/or rootkit hunter, as they have a tendency to bork the init and authentication files.
Originally posted by Capt_Caveman
Did you modify any of the system (especially PAM) config files recently or make any other modifications to the system. You should also verify the integrity of the pam and login rpms (I think /bin/login is part of the shadow rpm in SuSE).
Can you elaborate a bit more on the above issues?
Thanks for the help.
I will check for rootkit and post the results a little later tonight.
You might want to update your "chkrootkit" installation and check again. Also, check your servers' log files (if you're running any: check for that by typing "netstat -tap|grep LISTEN" as root) for weird remote logins. Best to have installed the "portsentry/hostsentry" python script(s). They check for remote logins and dump them to "/var/log/messages". Also, check permissions of "/etc/passwd" & "/etc/shadow". Normal users should not be able to write to them.
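The two replies above suggest checking the authentication files, the PAM configuration and the permissions on /etc/passwd and /etc/shadow. The script below is an added example written for this page, not code from the thread; it reproduces the poster's symptom (an empty root password field) in a constructed /etc-like directory and runs the offline checks against it. The layout of the sample tree, the PAM file name /etc/pam.d/login and the sample entries are assumptions. The live-system steps the replies mention (verifying the rpms, which on SuSE would be `rpm -V pam shadow`; `netstat -tap | grep LISTEN`; chkrootkit) need the real machine and are noted only in comments.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the symptoms
# discussed above. ETC is a directory laid out like /etc, so the same
# functions run against constructed sample files or, as root, against /etc.
# Live checks left to the operator: rpm -V pam shadow ; netstat -tap | grep LISTEN ;
# chkrootkit (all assumptions about the tooling, as the replies describe it).

# Print accounts whose shadow password field is empty: a bare Enter logs
# them in. Locked accounts ("!" or "*") are not reported.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Exit 0 if an active (uncommented) pam_unix line in the given PAM file
# carries "nullok", which makes pam_unix accept an empty password.
pam_allows_nullok() {
    grep -Eq '^[^#]*pam_unix.*nullok' "$1"
}

# Print the file name when group or others have write permission
# (columns 6 and 9 of "ls -l" are the group and other write bits).
writable_by_others() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) printf '%s\n' "$1" ;;
    esac
}

# Run every check against an /etc-like directory; one finding per line.
audit_etc() {
    etc=$1
    for u in $(empty_password_accounts "$etc/shadow"); do
        echo "EMPTY_PASSWORD $u"
    done
    if pam_allows_nullok "$etc/pam.d/login"; then
        echo "NULLOK $etc/pam.d/login"
    fi
    for f in "$etc/passwd" "$etc/shadow"; do
        [ -n "$(writable_by_others "$f")" ] && echo "WRITABLE $f"
    done
    return 0
}

# Constructed sample tree (not real data): root has an empty password
# field, the PAM file allows nullok, and passwd has been made world-writable.
write_sample_etc() {
    etc=$1
    mkdir -p "$etc/pam.d"
    cat > "$etc/shadow" <<'EOF'
root::12700:0:99999:7:::
bin:*:12700:0:99999:7:::
tinku:$1$saltsalt$hashedhashedhashedhash.:12700:0:99999:7:::
EOF
    cat > "$etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
tinku:x:1000:100:Tinku:/home/tinku:/bin/bash
EOF
    cat > "$etc/pam.d/login" <<'EOF'
#%PAM-1.0
auth     required  pam_unix.so nullok
account  required  pam_unix.so
password required  pam_unix.so nullok
session  required  pam_unix.so
EOF
    chmod 600 "$etc/shadow"
    chmod 666 "$etc/passwd"
}

# Demo: audit the constructed tree, then clean up.
tmp=$(mktemp -d)
write_sample_etc "$tmp/etc"
audit_etc "$tmp/etc"
rm -rf "$tmp"
```

Run as root with `audit_etc /etc` to check the real system; an EMPTY_PASSWORD line for root is exactly the symptom the poster describes, and a NULLOK line in the login PAM file is one of the accidental configuration changes Capt_Caveman asks about.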
Originally posted by Tinku
Can you elaborate a bit more on the above issues?
Were you modifying any user or system configuration settings? Installing any relevant applications? Updating any of the authentication or login binaries? There are a number of ways this could happen by accident, so I was trying to be as vague as possible. I would rather eliminate this as a possibility now, rather than spend time searching for intrusion clues only to find out that a system update borked something or that you were tinkering with PAM, etc.
Last edited by Capt_Caveman; 10-21-2004 at 07:11 PM.
Originally posted by Capt_Caveman
Were you modifying any user or system configuration settings? Installing any relevant applications? Updating any of the authentication or login binaries? There are a number of ways this could happen by accident, so I was trying to be as vague as possible. I would rather eliminate this as a possibility now, rather than spend time searching for intrusion clues only to find out that a system update borked something or that you were tinkering with PAM, etc.
I have the same opinion. I doubt that my system has been broken into, because I am behind a firewall, on a local LAN, with internet access. So the chances that I am broken into are less. But what I would like to say is that the same incident happened a few days before too. I didn't give it much thought that time, thinking it to be a mistake of some sort on my part. But now that the same incident has repeated a 2nd time, and my comp's security is at stake, considering that I run an ftp and ssh server, I am very much worried.
I did not modify any system configuration settings. I remember doing the following before it happened. But I don't think it's relevant