Linux - Security
I need your help!!!!! Five years with Linux and for the first time, one of my systems (web/mail server) has been compromised. I am using Fedora Core 1. Someone hacked my server and changed the root password. Can someone please give me a step by step as to how to get in and recover my password on my server? I am not as advanced with Linux as I should be. I really would appreciate it. I definitely need your help ASAP.
Yep, that'll do it. And, umm, perhaps you should be running a more secure-by-default distro for your servers if you are inexperienced with security? FreeBSD, and THE MOST SECURE-BY-DEFAULT OS ON THE PLANET, OpenBSD, come to mind. Also, be sure that you're using a good password, not something like "serverbox" or "chicago" or "easypassword1". You need to use something better for an externally exposed box: just randomly spit out letters/numbers/symbols and jumble them up. If this box is within your house, and you trust people, go ahead and write it down and stick it to the box. That's what I do: my web server is in my basement and I have the password written right on it. An example password (obviously not my actual one) is something like:
"Dx92yj$@Ne%"
this takes advantage of all password security recommendations...
11 or more characters?....check
Capital letters?....check
Lowercase Letters?....check
Numbers?....check
Special Characters?....check
That would take years to break using any standard password checking tools. I also recommend, if you are going to stick with FC (or anything else you use), that once you get it working the way you like, you use nmap and scan your box for any open ports. Then you'll know what your vulnerabilities are, and what you can/need to shut down.
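An added worked example of halo14's checklist, not code from halo14's post: a small sh script that tests a candidate password against the five items above and generates one from /dev/urandom that passes all of them. The character set used for generation and the 16-character default are my choices, not anything the post specifies.

```shell
#!/bin/sh
# Added example: check a candidate password against the checklist in the post
# above (11+ chars, capital, lowercase, number, special), and generate one that
# satisfies it from the kernel RNG. Not part of any post in this thread.

# check_password PW -> returns 0 if PW meets every item on the checklist,
# 1 otherwise (prints the first failing item to stderr).
check_password() {
    pw="$1"
    if [ "${#pw}" -lt 11 ]; then echo "too short (${#pw} < 11)" >&2; return 1; fi
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]'        || { echo "no capital letter"    >&2; return 1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]'        || { echo "no lowercase letter"  >&2; return 1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]'        || { echo "no number"            >&2; return 1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]' || { echo "no special character" >&2; return 1; }
    return 0
}

# gen_password [LEN] -> prints a random password of LEN chars (default 16,
# an assumed value) drawn from /dev/urandom. It keeps drawing until
# check_password passes, so a character class is never missing by chance.
gen_password() {
    len="${1:-16}"
    while :; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=' </dev/urandom | head -c "$len")
        if check_password "$pw" 2>/dev/null; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# Demo: the thread's sample password passes; "chicago" does not; then mint one.
check_password 'Dx92yj$@Ne%' && echo 'sample password passes the checklist'
check_password 'chicago' || echo 'chicago fails the checklist'
gen_password 14
```

The checker only enforces composition; it says nothing about whether the string is a dictionary word with substitutions, so use it together with the generator rather than as a blessing for a password you picked yourself.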
Thanks for the information masand, and also thanks halo14 for the reprimand; I do deserve it. I am almost successful. I get to the part where I type in passwd root and hit enter, but it gives me back a message saying:
changing password for user root.
passwd: unable to set failure delay.
Then it goes right back to the prompt. I get no time or chance to put in a new password; those two lines are instantaneous. I have tried over and over again.
Please help me if you know what I am missing in order to finish the task.
@rockfort:
If someone has compromised your machine and gotten root, you need to take the box offline and do a full format and re-install. Simply changing root's password doesn't fix the problem of how they got access to the system in the first place or what they may have done since then. With root access, installing rootkits, trojaned binaries, or putting backdoors on the system are entirely possible. At the very least you need to verify that none of the files on the system have been modified and use a tool like chkrootkit or rootkit hunter to look for evidence of a rootkit. I'd still highly recommend that you blow it away and reinstall. Regardless of what OS you choose, you should devote some time to securing it.
Last edited by Capt_Caveman; 01-25-2005 at 08:22 PM.
Originally posted by Capt_Caveman @rockfort:
If someone has compromised your machine and gotten root, you need to take the box offline and do a full format and re-install. Simply changing roots password doesn't fix the problem of how they got access to the system in the first place or what they may have done since then. With root access installing rootkits, trojaned binaries, or putting backdoors on the system are entirely possible. At the very least you need to verify that none of the files on the system have been modified and use a tool like chkrootkit or rootkit hunter to look for evidence of a rootkit. I'd still highly recommend that you blow it away and reinstall. Regardless of what OS you choose, you should devote some time to securing it.
Those are wise words!
Before formatting your system, if you intend to take a backup, you should be careful and not take something which might have been modified.
Also, to secure your system you should run a monitoring system such as "tripwire".
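Added example, not code from Capt_Caveman's or masand's posts: a minimal Tripwire-style integrity check in sh, covering both the "verify that none of the files have been modified" step and the monitoring masand suggests. It uses only find, sha256sum, sort, cut and comm. The baseline location and the directories in the usage comments are assumptions. On a Fedora box `rpm -Va` does a comparable check against the package database, but that database lives on the same (possibly rooted) disk; the whole point of the baseline here is that it is kept somewhere the intruder cannot edit.

```shell
#!/bin/sh
# Added example (not from any post in this thread): a minimal Tripwire-style
# file integrity check. make_baseline records the SHA-256 of every regular
# file under a directory; check_baseline recomputes and reports ADDED,
# REMOVED and MODIFIED paths. Store the baseline off the machine (floppy,
# CD, another host): a baseline kept on a rooted box can be edited by the
# intruder just like everything else.

# make_baseline DIR OUT -> writes "<sha256>  <path>" per file to OUT,
# sorted in the C locale so comm(1) can compare two baselines directly.
make_baseline() {
    dir="$1"; out="$2"
    (cd "$dir" && find . -type f -exec sha256sum '{}' + | LC_ALL=C sort) > "$out"
}

# check_baseline DIR BASELINE -> prints differences, returns 0 if there are
# none and 1 otherwise.
check_baseline() {
    dir="$1"; base="$2"
    cur=$(mktemp); bp=$(mktemp); curp=$(mktemp); bs=$(mktemp)
    make_baseline "$dir" "$cur"
    LC_ALL=C sort "$base" > "$bs"                 # whole lines, for comm
    cut -c67- "$bs"  | LC_ALL=C sort > "$bp"      # paths only: hash is 64 hex + 2 spaces
    cut -c67- "$cur" | LC_ALL=C sort > "$curp"
    removed=$(LC_ALL=C comm -23 "$bp" "$curp")    # in baseline, gone from disk
    added=$(LC_ALL=C comm -13 "$bp" "$curp")      # on disk, not in baseline
    # lines present now but absent from the baseline whose PATH is in the
    # baseline: same file, different hash
    modified=$(LC_ALL=C comm -13 "$bs" "$cur" | cut -c67- | LC_ALL=C sort | LC_ALL=C comm -12 - "$bp")
    rm -f "$cur" "$bp" "$curp" "$bs"
    status=0
    if [ -n "$removed" ];  then printf '%s\n' "$removed"  | sed 's/^/REMOVED   /'; status=1; fi
    if [ -n "$added" ];    then printf '%s\n' "$added"    | sed 's/^/ADDED     /'; status=1; fi
    if [ -n "$modified" ]; then printf '%s\n' "$modified" | sed 's/^/MODIFIED  /'; status=1; fi
    return "$status"
}

# Typical use (paths are assumptions). Hash the directories that hold
# binaries and config, not / (that would walk /proc and /dev), and write the
# baseline to removable media:
#   make_baseline /usr /mnt/floppy/usr.sha256
#   make_baseline /etc /mnt/floppy/etc.sha256
# Later, from a clean boot:
#   check_baseline /usr /mnt/floppy/usr.sha256 && echo "/usr unchanged"
```

The check only detects changes relative to a baseline taken when the box was known good; a baseline taken after the break-in, like the one rockfort would have to take now, just enshrines whatever the intruder left behind.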
Thank you all for the advice; all of it is well taken. I will get Tripwire and Nmap to assist me with future and further scanning of my system(s). What I need now more than ever is to finish getting back into the system. Is it at all possible? I do believe so. I reached the level where I can actually try to change the password using the instructions from masand, but I get the following messages when I try:
changing password for user root.
passwd: unable to set failure delay.
I sincerely believe that the culprit(s) have planted something deadly on the system, for once the system is up, the hard disk light just glows from the activity. I will blow away the system, but there is mail on there that I need to back up (SquirrelMail). So any help with getting back in as root would be very much appreciated.
This is quite a late reply, but just another way of recovering your machine's data would be to take the hard disk concerned and install it in another machine as a slave. Mount it and copy all the data out. Then reformat after putting it back in the original machine.
Regards
Subhasis Ray
The main problem here is that he is not able to log in as root to take his backup.
He can surely get another working machine and attach this affected HDD to it. Then boot it up and mount the partition. This is what I am trying to say.
-Subhasis
In that case the problem will be that he might end up copying some modified file, like a rootkit.
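Added example of the slave-disk recovery Subhasis describes, with masand's caveat built in (not code from either poster): on the clean machine, mount the old disk read-only with noexec,nosuid,nodev, then copy out only non-executable regular files and write a SHA-256 manifest of the copy. The device name, mount point and the mail/web paths are assumptions for illustration; check `fdisk -l` for the real device. Nothing from the old disk is ever executed or chrooted into.

```shell
#!/bin/sh
# Added example (not from any post in this thread): pull mail and other data
# off the compromised disk after it has been attached to a clean machine,
# without executing anything from it. /dev/hdb1, /mnt/evidence and the
# /root/rescued paths below are assumed names.

# mount_evidence DEV MNT -> mounts the old disk read-only; noexec/nosuid/
# nodev mean nothing on it can be run, gain privilege or act as a device
# node even by accident. Needs root; not exercised by the test.
mount_evidence() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# copy_data_only SRC DST -> copies regular files from SRC into DST, keeping
# relative paths, but skips anything executable by anyone, anything
# setuid/setgid, and all symlinks/devices. That keeps mail, config and web
# content while leaving behind the kind of modified file masand warns about.
# Also writes DST.sha256, a manifest of what was copied, for later checking.
copy_data_only() {
    src="$1"
    mkdir -p "$2"
    dst=$(cd "$2" && pwd)                     # absolute: we cd into src below
    (cd "$src" && find . -type f ! -perm /111 ! -perm /6000 \
        -exec cp --parents -p '{}' "$dst" ';')
    (cd "$dst" && find . -type f -exec sha256sum '{}' + | LC_ALL=C sort) > "$dst.sha256"
}

# Typical run on the clean machine, as root (paths are assumptions):
#   mount_evidence /dev/hdb1 /mnt/evidence
#   copy_data_only /mnt/evidence/var/spool/mail /root/rescued/mail
#   copy_data_only /mnt/evidence/var/www        /root/rescued/www
#   umount /mnt/evidence
```

Scripts and PHP files under the web root will be copied too (they are not executable), so treat the rescued tree as data to be inspected, not as something to drop back onto the rebuilt server unread; the manifest lets you confirm nothing changed between rescue and review.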