su - not working, worked after reboot
Hello,
Usually I log in via user and 'su -' to root, cut and paste the password via ssh in the terminal. Login via user worked OK. I then typed su - and got a password failure. I can't remember changing anything since about 30 minutes earlier, when I ran su and the password was accepted.

auth log:

Sep time xxx sshd[18993]: Accepted publickey for xxx from X.X.X.X port xxx ssh2
Sep time xxx sshd[18993]: pam_unix(sshd:session): session opened for user xxx by (uid=0)
Sep time xxx su[19027]: pam_unix(su:auth): authentication failure; logname=xxx uid=1000 euid=0 tty=/dev/pts/0 ruser=xxx rhost= user=root
Sep time xxx su[19027]: pam_authenticate: Authentication failure
Sep time xxx su[19027]: FAILED su for root by xxx
Sep time xxx su[19027]: - /dev/pts/0 xxx:root
Sep time xxx su[19029]: pam_unix(su:auth): authentication failure; logname=xxx uid=1000 euid=0 tty=/dev/pts/0 ruser=xxx rhost= user=root
Sep time xxx su[19029]: pam_authenticate: Authentication failure
Sep time xxx su[19029]: FAILED su for root by xxx
Sep time xxx su[19029]: - /dev/pts/0 xxx:root
Sep time xxx su[19033]: pam_unix(su:auth): authentication failure; logname=xxx uid=1000 euid=0 tty=/dev/pts/0 ruser=xxx rhost= user=root
Sep time xxx su[19033]: pam_authenticate: Authentication failure

Attempting root login via ssh password:

Sep time xxx sshd[19038]: SSH: Server;Ltype: Version;Remote: X.X.X.X-xxx;Protocol: 2.0;Client: OpenSSH_5.9p1 Debian-3
Sep time xxx sshd[19038]: SSH: Server;Ltype: Kex;Remote: X.X.X.X-xxx;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth]
Sep time xxx sshd[19038]: SSH: Server;Ltype: Authname;Remote: X.X.X.X-xxx;Name: root [preauth]
Sep time xxx sshd[19038]: Postponed keyboard-interactive for root from X.X.X.X port xxx ssh2 [preauth]
Sep time xxx sshd[19040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X user=root
Sep time xxx sshd[19038]: error: PAM: Authentication failure for root from X.X.X.X.
Sep time xxx sshd[19038]: Postponed keyboard-interactive for root from X.X.X.X port xxx ssh2 [preauth]
Sep time xxx sshd[19041]: pam_unix(sshd:auth): conversation failed
Sep time xxx sshd[19041]: pam_unix(sshd:auth): auth could not identify password for [root]
Sep time xxx sshd[19041]: error: ssh_msg_send: write

Then I rebooted, did ssh again, and the su password was accepted as normal.

------------
/etc/pam.d/su

#%PAM-1.0
auth sufficient pam_rootok.so suauth.allow suauth.nopass
auth required pam_wheel.so use_uid
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required pam_env.so
session optional pam_xauth.so
------------

I also have someone nonstop hitting my port 8118 even though it is set to deny in the firewall... blowing my kern log up to 600MB and counting...

Sep 8 00:38:19 xxx kernel: [ 1580.964432] RULE 9 -- DENY IN=eth0 OUT= MAC=xxx SRC=99.58.56.225 DST=X.X.X.X LEN=380 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=2643 DPT=8118 LEN=360

SRC=173.254.197.26
SRC=50.93.203.216
SRC=50.93.200.96
SRC=173.254.197.248

It is coming from numerous other IPs. All the IPs are hitting my port 8118. Spoofed IPs?

The only thing I can think of is that someone changed the password, and changed it back right before or right after I rebooted? Unless I had a momentary fluke with my clipboard on the client machine?

So the question basically is: is there any reason why su would apparently stop working, and then start working again after a reboot, without anything being changed?

My other question is, I just noticed "aes128-ctr"; shouldn't I be using at least aes256?

Reinstall?

Thanks.
still happening
I just logged in again and am experiencing the same problem. I cannot su to root.
Hey. I think this issue is closed as a root-level access... it happened again and I had to change the password from CD, no go on console or ssh. Server back up and running fine...
What would have been the motive of the attacker? The server is all public content... therefore, why not just hide in the background? Why be obvious and change the password? I am stumped.