What should I do when I find somebody changed my root password?
Hi, all:
I have a server running Slackware 13.1, with openssh and openssl updated to current.
Today I found I cannot access my root account; the password is not correct. I believe somebody broke my security rules. Nobody else has an account on this machine, and I have LAMP running on it.
What should I do at the moment? I have cut the network. I think I can mount the disk and clear the root password, but what should I do next? How do I find and clear out the cracker?
If the system is compromised, then the right thing would be to recover the data and, if necessary, do forensics with a forensic distro.
The system should be reinstalled after that.
Just a few hints (these matters cannot be dissected in every aspect in forum posts, I think; there are people who have worked on them for years and tons of docs to read):
First, be sure you haven't simply forgotten your root password: I manage a lot of hosts and (I know it's a stupid mistake, but) it happens to me once in a while.
Then, if it's really compromised, nothing will restore a clean situation like a reinstall.
But, if I were you, I would have a look at the things you're running on your LAMP server and the LAMP setup too (if you have changed something from the defaults) to avoid a comeback of the crackers: if they broke in, they most probably did it through some buggy webapp (but they'd have to be really bleeding edge, as the LAMP software coming with Slack 13.1 is up-to-date).
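The two replies above boil down to one procedure: do not trust anything on the compromised box, look at it from a clean boot, check whether the root password really was changed by someone else, look for the backdoor that would survive a password reset, and check the LAMP web root for the entry point. The script below is an added example written for this thread, not code posted by anyone in it. It assumes you have booted a rescue or forensic medium and mounted the suspect root partition read-only (something like `mount -o ro,noexec,nosuid,nodev /dev/sda1 /mnt/suspect`; the device name is an assumption); it only reads files from that mount and never executes binaries from it, because `ps`, `ls`, `netstat` and friends on a rooted box may themselves be trojaned. The account names, day numbers, key and PHP file in `make_sample_tree` are constructed test data so the script runs offline; on a real disk you pass the mount point instead.

```shell
#!/bin/sh
# Offline triage of a suspect root filesystem mounted read-only at $1.
# Added example for the thread above; not code from the original posts.
# Assumption: the disk is mounted from a rescue boot, e.g.
#   mount -o ro,noexec,nosuid,nodev /dev/sda1 /mnt/suspect   (device is assumed)
# Only files are read; no binary from the suspect disk is ever executed.

# Accounts with UID 0: anything besides "root" is a planted backdoor account.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1/etc/passwd"
}

# Accounts whose shadow hash field is empty, i.e. passwordless logins.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1/etc/shadow"
}

# Accounts whose password was last changed on or after day $2 (shadow
# field 3, days since 1970-01-01). Pass the day you yourself last changed
# root's password; a later date on the root entry means someone else set it.
# Day number for a date (GNU date):  expr $(date -d 2010-09-01 +%s) / 86400
passwords_changed_since() {
    awk -F: -v since="$2" '$3 != "" && $3 + 0 >= since + 0 { print $1 }' \
        "$1/etc/shadow"
}

# SSH authorized_keys files anywhere on the disk: the usual way an intruder
# keeps access after the password is reset. Paths are printed relative to
# the mount point.
authorized_keys_files() {
    find "$1" -type f -name 'authorized_keys*' 2>/dev/null | sed "s|^$1||"
}

# PHP files under web root $2 that are newer than reference file $3 (both
# relative to the mount point). A web-app break-in usually leaves a
# dropped script in an upload directory; compare against a file you know
# was installed legitimately.
recent_web_files() {
    find "$1$2" -type f -name '*.php' -newer "$1$3" 2>/dev/null | sed "s|^$1||"
}

# Print all indicators for mount point $1; $2 is the day number for
# passwords_changed_since, $3 and $4 the web root and reference file.
triage() {
    echo "== UID 0 accounts ==";            uid0_accounts "$1"
    echo "== empty passwords ==";           empty_password_accounts "$1"
    echo "== passwords changed since $2 =="; passwords_changed_since "$1" "$2"
    echo "== authorized_keys files ==";     authorized_keys_files "$1"
    echo "== PHP newer than $4 ==";         recent_web_files "$1" "$3" "$4"
}

# Constructed sample: a tiny fake root tree standing in for a mounted disk,
# so the example runs offline. The "toor" account, the key file and the
# uploaded PHP file are the planted indicators; day 14800 is about
# 2010-07-10 and 14900 about 2010-10-18.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/root/.ssh" "$d/var/www/htdocs/uploads"
    printf 'root:x:0:0::/root:/bin/bash\nwww:x:80:80::/var/www:/bin/false\ntoor:x:0:0::/tmp:/bin/sh\n' \
        > "$d/etc/passwd"
    printf 'root:$1$xxxx$samplehash:14900:0:99999:7:::\nwww:*:14800:0:99999:7:::\ntoor::14900:0:99999:7:::\n' \
        > "$d/etc/shadow"
    printf 'ssh-rsa AAAAsample intruder@example\n' > "$d/root/.ssh/authorized_keys"
    printf '<?php echo "hello"; ?>\n' > "$d/var/www/htdocs/index.php"
    printf '<?php system($_GET["cmd"]); ?>\n' > "$d/var/www/htdocs/uploads/up.php"
    # Legitimate install dates back to May 2010; the dropped file keeps "now".
    touch -t 201005010000 "$d/var/www/htdocs/index.php"
    echo "$d"
}

# Usage on a real mount:  sh triage.sh /mnt/suspect 14850 /var/www/htdocs /var/www/htdocs/index.php
# With no arguments, run against the constructed sample tree instead.
if [ "$#" -ge 4 ]; then
    triage "$1" "$2" "$3" "$4"
elif [ "$#" -eq 0 ]; then
    sample=$(make_sample_tree)
    triage "$sample" 14850 /var/www/htdocs /var/www/htdocs/index.php
    rm -rf "$sample"
fi
```

Two caveats before running anything like this on the real disk. Image it first (`dd` to a separate drive) and work on the copy, so the forensic distro mentioned above still has pristine evidence, and so the mtimes and shadow contents you are reading are not disturbed. And the "clear the root password" step from the question, editing the hash out of `/etc/shadow` on the mounted disk, gets you back in without running the disk's binaries, but it removes only the symptom: a planted UID 0 account, an authorized_keys file or a dropped PHP script keeps the intruder's access, which is why both replies end at reinstall.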
Thanks for all your replies. I am trying to find out what happened now; I do not know how they got in. I need to find out what happened, otherwise, after I reinstall it, I cannot believe it's safe again.