I need your help!!!!! 5 years with Linux and for the 1st time, one of my systems (web/mail server) has been compromised. I am uusing Fedora Core 1. Someone hacked my server and changed the root password. Can some please give me a step by step as to how to get in and recover my password on my server . I am not as advanced with Linux as I should be. I really would appreciate it.. I definitley need you help ASAP

boot with fedora core1 CD

go to rescue mode
after ur dropped to shell

run

chroot /mnt/sysimage

and then

passwd root

and set ur password again

regrads

yep.. that'll do it.. and umm.. perhaps you should be running a more secure-by-default distro for your servers if you are inexperienced with security?? FreeBSD.. and THE MOST SECURE-BY-DEFAULT OS ON THE PLANET... OpenBSD.. come to mind... also.. be sure that you're using a good password... not something like "serverbox" or "chicago" or "easypassword1".. you need to use something better for an externally exposed box.. just randomly spit out letters/numbers/symbols and jumble them up.. if this box is within your house, and you trust people... go ahead and write it down and stick it to the box... that's what I do.. my web server is in my basement and i have the password written right on it... an example password (obviously not my actual one) is something like:

"Dx92yj$@Ne%"

this takes advantage of all password security recommendations...

11 or more characters?....check
Capital letters?....check
Lowercase Letters?....check
Numbers?....check
Special Characters?....check

That would take years to break using any standard password checking tools... I also recommend, if you are going to stick with FC(or anything you use) that one you get it working the way you like.. that you use nmap and scan your box your box for any open ports.. then you'll know what your vulnerabilities are, and what you can/need to shutdown...

Good luck...

Thanks for the information masand, also thanks halo14 for the reprimand. I do deserve it. I am almost successfull. I get the the part where i type in passwd root and hit enter, but it gives me back message saying :

changing password for user root.
passwd: unable to set failure delay.


then it goes right back to the prompt. I get no time or chance to put in a new password. That those two lines are instantaneous. I have tried over and over again.

Please help me if you know what I am missing in order finish the task..

Thanks
Rockfort

@rockfort:
If someone has compromised your machine and gotten root, you need to take the box offline and do a full format and re-install. Simply changing roots password doesn't fix the problem of how they got access to the system in the first place or what they may have done since then. With root access installing rootkits, trojaned binaries, or putting backdoors on the system are entirely possible. At the very least you need to verify that none of the files on the system have been modified and use a tool like chkrootkit or rootkit hunter to look for evidence of a rootkit. I'd still highly recommend that you blow it away and reinstall. Regardless of what OS you choose, you should devote some time to securing it.

there are wise words!!!!

before formatiing ur sytem if u intend to take some backup then u should ve carefull and do not take something which might have been modified

also to secure ur sysetm u should run some monitoring system such as "tripwire"

regards

Thank you all for advice, all is well taken, I will get Trip wire and Nmap to assistme with future and further scantification of my system(s). What I need now more that ever is to finish getting back into the system. Is it at all possible I do belive so. I reached the level where I can actually try to change the passwd using the instructions from Masand, but i get the following messages when I try;

changing password for user root.
passwd: unable to set failure delay.

I sincereley believe that the culprit(s) have planted something deadly on the system, for once the system is up, the hard disk light just glows from the activity. I will blow away the system but there is mail on there that I need to backup (squirrelmail). So any help with getting back in as root would be very musch appreciated.

I also forgot to mention that I have bought a Cisco Pix and have put the system behind the pix on the DMZ. The compromise happened before that..

Hi rockfort,

This is quite a late reply..... but just another way of recovering your machine's data would be to take the concerned hard disk and install it in another machine as a slave. Mount it and copy all the data out. Then reformat after putting it back in the original machine....

Regards

Subhasis Ray

the main problem here is that he is not able to login as root to take his backup

regards

Masand,

He can surely get another working machine, and atach this affected HDD to it. Then boot it up and mount the partition...... This is what I am trying to say....


-Subhasis

in that case the problem will be he might not end up copying some modified file like rootkit

regards