Centos 5.4 Root Password Changed and or System Comprimised
I made a attempt to access my Centos 5.4 system this morning and need to modify a file that required su access. When I attempted to "su" I could not get in with the password that I set. I rebooted the server which made no difference. Either I have been comprimised or I had forgotten my password. How can one reset the admin password to a system and where would I begin looking to see if the system was comprimised?
|
I figured out how to change my root password after you forget it but I need to figure out of this was a comprimise. Where to begin?
|
If your server was compromised, nothing to ensure that you can make it clean. Do you have any monitoring tools, IDS, ... installed on the server?
|
No,
I was thinking about installing tripwire and IDS like snort. Would that be the bare essentials? |
One starting point is to start looking for unusual programs running/listening:
lsof -Pwn netstat -pane ps -axfwwwe I'd also have a good look at the log files and root's .bash_history file. The CERT Checklist is always a good place to start as well. And as quanta suggested, if you have any monitoring tools running, now would be a good time to bring them into the picture. |
Quote:
Installing these now would be pretty pointless. Neither of those is going to work particularly well if the machine has been compromised. As far as tripwire alternatives, take a look at Aide or Samhain. You also might want to think about SELinux since you're running CentOS. Other measures like mod_security might be worth a look, but we'd probably need to have a better idea of what this box is used for and what is currently running. |
I am running a chkrootkit on the server as I type this message. I appreciate the advice and you are right that once the system has been compromised what is the worth of putting and IDS and tripwire. I am wondering if an update could have done this. This has never happened to me before so I am very suspicious.
|
I think auditd would be running by default, perhaps if you were compromised by a script it would forget about sanitizing auditd.
|
Quote:
|
also " su " VS. " su -"????
is the system $PATH 100% the same for the normal user as for root ? most of the time they are NOT the same -- for security reasons /sbin & /usr/sbin and NOT normally in the normal user's $PATH as to the system cracked did you leave the SEinux default setting set to "enforcing " ? or set it to "permissive" or OFF SE is not 100% but it will stop 95%+ |
I looked at the /var/log/secure and I see a gap in entry log that is unusual:
PHP Code:
PHP Code:
|
when looking at the audit.log how can one tell the date and time. I dont specifically see anything that specifies that. Also SEliux is not running. I also ran
PHP Code:
PHP Code:
PHP Code:
|
here is the output of my firewall on the box:
PHP Code:
|
Quote:
Quote:
Quote:
I think at this point it would be useful to do a few things. First, look to see if there is anything unusual running on the box. The ps, lsof and netstat commands I posted earlier would be a good place to start. If there are unusual services, that is not a good sign. If the normal complement of stuff is there, it would be good to verify that the binaries are what is expected using rpm -Vv. Second, since you do have a date, I would examine the machine for files that have been altered or added since the 10th. Since the root password changed, I would also have a good look at root's .bash_history and see if anything jumps out as bizarre. If they have managed to alter the logs, they have probably also altered .bash_history, but it probably doesn't hurt to take a look. Look at your last output and see if any new users crop up or if old users are logging in at unusual times (particularly root). By the way, feel free to email me any output too big to post here. |
Many thanks for all the responses. How is my firewall looking?
|
All times are GMT -5. The time now is 06:26 PM. |