Linux - Newbie: This Linux forum is for members that are new to Linux.
One word: rootkit.
Other option: you're not the only root in the system and someone "bugs" you...
Passwords do not change like that, someone changes passwords. Had the very same issue with a colleague...
I suspect someone in your organisation is sabotaging you.
Of course, distilling that from what meager details you provided.
If this does not answer your question, expand with more details so we can help further if need be.
Is this a server or your home computer?
Static or dynamic IP address?
Have you changed anything recently or installed new software?
Have you checked your logs for suspicious activity?
Has anything been altered apart from the root password?
We need as much information as possible to help, as this could be a serious problem for you.
Are you yourself a 'sudoer'?
If you are, quickly do a sudo passwd root and take the machine offline; it's highly possible that if your root password is changing you've been cracked.
No, it is a home computer.
I am added in a sudoer file, still it is not taking passwd when I'm trying sudo.
Also, I have reset passwd in the shadow file, meaning I stated passwd for root as '*' in the shadow file, and then changed the root passwd from runlevel 1; still it is not logging in as root, "Authentication failed"!!!
So you can't even use sudo? I'm guessing you can't use sudo anymore because you've been wiped off the sudoers file and the root password has been changed.
I would say someone has definitely cracked your machine. Was it up to date with a firewall? Well, doesn't matter now anyway... If I were you, I would definitely take your machine offline right now (if you haven't already done so). I would then chroot the machine and change the password. You could then get log files, but I doubt they would be there anymore, most probably wiped into cyber oblivion.
Another option would be to chroot and copy all the important files and wipe the system.
Sorry to be the bearer of bad news.
Don't worry though - I became part of a Chinese botnet once!!!!
Wait.
So, you are allowed to use sudo? Does your sudo authentication work? It requires your password, not root's. (That's one of the differences between su and sudo.)
Also, does the password change more times automatically, or just once after your change?
Now, in case that sudo does not work, to regain root access, you can try this:
1. Disable the network on the machine (the best approach is to unplug the network cable).
2. Check root's password hash in shadow file.
3. Change root's password to something simple.
4. Did hash change? Can you log in now?
5. If not, try to encrypt your password the system way by yourself, and compare it with the hash in shadow file. Do they match?
As others stated, it is possible that there is another root person at that computer (possibly just trying to figure out what is happening to the root password). Rootkit etc. is also possible. The bad thing is that if it's really something like that, you can't trust what you see. Try booting a different kernel then.
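The hash check from steps 2 to 4 above, as an added example that is not part of the original thread: it reads the password field of a shadow(5) entry, reports what that field allows, and compares root's entry between two snapshots. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample entries in shadow(5) format (not from a real system).
BEFORE='root:$6$saltsalt$AAAAexamplehashAAAA:19000:0:99999:7:::'
AFTER_STAR='root:*:19000:0:99999:7:::'
AFTER_NEW='root:$6$othersalt$BBBBexamplehashBBBB:19003:0:99999:7:::'

# Print field N of a colon-separated shadow entry.
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Describe what the password field (field 2) allows.
classify_pw() {
    pw=$(shadow_field "$1" 2)
    case "$pw" in
        '')            echo 'empty' ;;          # no password required
        '*'|'!'|'!!')  echo 'no-valid-hash' ;;  # no password can ever match
        '!'*)          echo 'locked-hash' ;;    # real hash, locked with "!" prefix
        '$6$'*)        echo 'sha512crypt' ;;
        '$5$'*)        echo 'sha256crypt' ;;
        '$y$'*)        echo 'yescrypt' ;;
        '$1$'*)        echo 'md5crypt' ;;
        *)             echo 'other' ;;
    esac
}

# Compare one account's entry from two snapshots: did the hash change,
# and did the "last changed" day (field 3, days since 1970-01-01) move?
compare_entries() {
    old_pw=$(shadow_field "$1" 2); new_pw=$(shadow_field "$2" 2)
    old_day=$(shadow_field "$1" 3); new_day=$(shadow_field "$2" 3)
    if [ "$old_pw" = "$new_pw" ]; then
        echo "unchanged"
    else
        echo "changed:$(classify_pw "$1")->$(classify_pw "$2"):lastchg=$old_day->$new_day"
    fi
}

# On a real system, feed in the line printed (as root) by: grep '^root:' /etc/shadow
echo "before:     $(classify_pw "$BEFORE")"
echo "after '*':  $(classify_pw "$AFTER_STAR")"
echo "diff:       $(compare_entries "$BEFORE" "$AFTER_NEW")"
```

A field reported as no-valid-hash rejects every password until passwd writes a real hash into it, so an unchanged entry after running passwd means the change was never written.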