LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-13-2005, 10:32 AM   #1
jameskilbane
LQ Newbie
 
Registered: May 2004
Posts: 3

Rep: Reputation: 0
Root Password Keeps Changing


Hi all. Currently on my site i have Red HAt Enterprise 3 working as a Samba Server & Red Hat 7.3 working as a firewall/proxy server. My problem is as follows. Every couple of days, the root password on my Red HAt 7.3 changes & i have to reboot in Single user mode & reset the password. Can anybody explain or give me a solution to why this happening as I am worried that a system attack / failure is occuring. Many thanks in advance of your replies.
 
Old 10-13-2005, 11:06 AM   #2
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,017
Blog Entries: 5

Rep: Reputation: 787Reputation: 787Reputation: 787Reputation: 787Reputation: 787Reputation: 787Reputation: 787
Weird. We're running RHEL AS 3 and haven't seen this.

Do you have any other sysadmins that have the root password?

When you reset the password are you picking a new one or using the one you had before? I'd suggest a new one just to make sure it is not someone who has the old one that keeps changing it.

Do a find for root owned files that have the suid bit turned on. Any such file is executed as root no matter so if it is compromised (say it is is a script to which someone added "su -") it will be done as root. "find / -perm 4755" for example would find all files that had rwsr-x-r-x permissions - the "s" tells you the suid bit is turned on. Because it has execute by ANY users (the final r-x) it means any user can run it as root. I run the find for each of 4777, 4775, 4755 etc... - basically for any mode in which anyone other than the user (root) would be able to write the file (so no reason to search for 4744 because though it is readable by everyone else only root could write to it.)

Also do you use sudo? I've seen poorlly done sudo implementations where they would add permission to use vi in sudo. Since it is run as root by sudo any shell escape (you can do :!/bin/bash fom within vi to go to shell) would automatically put the user at a root prompt. Verify you don't have any utilities that allow such shell escapes defined in sudo. Also verify that any scripts that you allow to run in sudo are ONLY writable by root because as with the suid files a user could compromise it by modifying the script to do something like "su -".
 
Old 10-13-2005, 11:23 AM   #3
jameskilbane
LQ Newbie
 
Registered: May 2004
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks, will try your suggestions. I will let you know how i get on.
 
Old 10-13-2005, 03:17 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Just to add to that, look at roots bash_history file for any odd activity and take a close look at the output of the "last" command for any logins that look abnormal. It's probably a good idea to run rkhunter or chkrootkit on the system and verify the integrity of binaries with rpm -Va . You should also look around the filesystem for any abnormal files/dirs, especially in places like /tmp.

If the system in question is running RH 7.3, how have you been keeping it updated with securty patches?

Last edited by Capt_Caveman; 10-13-2005 at 03:21 PM.
 
Old 10-14-2005, 04:51 PM   #5
rino.caldelli
Member
 
Registered: Apr 2005
Location: perugia
Distribution: ubuntu
Posts: 181

Rep: Reputation: 31
I think I've figured it out

http://rinonapo.atspace.com
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
changing root password Bombo Linux - Newbie 2 04-10-2005 10:42 PM
changing root password minm Linux - Newbie 9 08-31-2004 03:03 AM
Changing the root password divsky Linux - Newbie 4 04-03-2004 10:02 PM
Changing root password Gibby Mandriva 1 10-02-2003 10:38 PM
changing root password jamaso Linux - Newbie 1 12-25-2001 10:38 PM


All times are GMT -5. The time now is 11:42 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration