LinuxQuestions.org > Linux - Security > Root password changing repeatedly (https://www.linuxquestions.org/questions/linux-security-4/root-password-changing-repeatedly-4175531558/)

Planky 01-19-2015 05:00 PM

Root password changing repeatedly
 
I have an odd problem with a VPS I have at DigitalOcean. The root password keeps changing and forcing me to reset via DigitalOcean's control panel.

I'm not sure exactly what time/date it changes, only when I get a message from WHM saying it cannot access the DNSOnly server anymore as the password was invalid.

The VPS is running CentOS 5.10 and has WHM DNSOnly installed. I emailed DigitalOcean's support and got this response:

Quote:


Thank you for contacting us regarding this issue. It's unclear what would cause the root password to change, however you may consider reviewing the system logs and the ssh related logs to identify what actions may be listed related to this.

You can check the `history` command, or check `last` to see if you see any odd details. If you have any further questions, concerns or additional information, please don't hesitate to provide them.

I do not see anything in the SSH logs or anything in messages to indicate what is changing it. The last command only shows my connections via tty or SSH (invariably due to me having to force a reset and logon to change the password).

I thought I could use auditd to monitor passwd, but changing a password doesn't modify this file.

Does anyone have any suggestions on what to look for?

Planky 01-19-2015 05:26 PM

I ran this search against /var/log/secure, but can only see my manual password changes. Between those dates, something is stopping root from being able to login via console/ssh - I think this shows that the password itself is not changing and something else is stopping root's access.

Code:

root@ns3 [/var/log]# find . -name "secure*" -exec grep -Hn "password changed" {} \;
./secure-20150111:83231:Jan  5 18:05:08 ns3 login: pam_unix(login:chauthtok): password changed for root
./secure-20150111:101341:Jan  6 18:52:16 ns3 login: pam_unix(login:chauthtok): password changed for root
./secure-20150111:182928:Jan  9 01:03:10 ns3 login: pam_unix(login:chauthtok): password changed for root
./secure:77430:Jan 19 17:49:41 ns3 login: pam_unix(login:chauthtok): password changed for root
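
To make the grep above more systematic, here is an added example (not code from the thread) that parses /var/log/secure-style lines and separates the three things that look alike from the outside: genuine password changes (pam_unix chauthtok, with the service that performed them), failed and accepted logins per remote host, and lockouts where sshd refuses root because the account is locked. The sample lines are constructed, with documentation IP addresses; the message formats assumed are the standard pam_unix and OpenSSH ones. A change list filtered against the timestamps of resets you know you did yourself is what would reveal an unexpected change.

```python
"""Classify /var/log/secure events for root: password changes, failed
and accepted logins, and account lockouts. Added example; the log lines
below are constructed to match the pam_unix/sshd message formats."""
import re
from collections import Counter

# Constructed sample input in the same format as the thread's grep output.
SAMPLE_SECURE_LOG = """\
Jan  5 18:05:08 ns3 login: pam_unix(login:chauthtok): password changed for root
Jan  6 18:52:16 ns3 login: pam_unix(login:chauthtok): password changed for root
Jan  7 02:11:40 ns3 sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Jan  7 02:11:42 ns3 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan  8 09:30:01 ns3 sshd[2404]: Accepted password for root from 198.51.100.4 port 50120 ssh2
Jan  9 01:03:10 ns3 login: pam_unix(login:chauthtok): password changed for root
Jan  9 01:05:00 ns3 passwd: pam_unix(passwd:chauthtok): password changed for root
Jan 10 03:00:15 ns3 sshd[2610]: User root not allowed because account is locked
"""

# syslog prefix: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Message patterns, each mapped to an event kind. The chauthtok service
# name tells you which tool changed the password (login, passwd, sshd...).
PATTERNS = [
    ("password_changed",
     re.compile(r"pam_unix\((?P<service>\w+):chauthtok\): password changed for (?P<user>\S+)")),
    ("failed_login",
     re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+)")),
    ("failed_login",
     re.compile(r"authentication failure;.*\brhost=(?P<rhost>\S*).*\buser=(?P<user>\S+)")),
    ("accepted_login",
     re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<rhost>\S+)")),
    ("account_locked",
     re.compile(r"User (?P<user>\S+) not allowed because account is locked")),
]


def parse_secure_log(text):
    """Return one event dict per recognised line; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pat in PATTERNS:
            hit = pat.search(m.group("msg"))
            if hit:
                ev = {"kind": kind, "ts": m.group("ts"), "prog": m.group("prog")}
                ev.update(hit.groupdict())
                events.append(ev)
                break
    return events


def summarize(events, user="root"):
    """Aggregate the events that concern `user`."""
    summary = {"password_changes": [], "failed_logins": Counter(),
               "accepted_logins": Counter(), "lockouts": 0}
    for ev in events:
        if ev.get("user") != user:
            continue
        if ev["kind"] == "password_changed":
            summary["password_changes"].append((ev["ts"], ev["service"]))
        elif ev["kind"] == "failed_login":
            summary["failed_logins"][ev.get("rhost") or "?"] += 1
        elif ev["kind"] == "accepted_login":
            summary["accepted_logins"][ev["rhost"]] += 1
        elif ev["kind"] == "account_locked":
            summary["lockouts"] += 1
    return summary


def unexpected_changes(events, known_reset_times, user="root"):
    """Password changes for `user` whose timestamps are not among the
    resets the administrator knows they performed themselves."""
    return [ev for ev in events
            if ev["kind"] == "password_changed" and ev["user"] == user
            and ev["ts"] not in known_reset_times]


if __name__ == "__main__":
    evs = parse_secure_log(SAMPLE_SECURE_LOG)
    print(summarize(evs))
    # The three "login" changes are the manual console resets; the
    # "passwd" change at 01:05 is the one that needs explaining.
    known = {"Jan  5 18:05:08", "Jan  6 18:52:16", "Jan  9 01:03:10"}
    for ev in unexpected_changes(evs, known):
        print("unexpected change:", ev["ts"], "via", ev["prog"])
```

Two caveats for real use: a password change rewrites /etc/shadow, not /etc/passwd, so an auditd watch meant to catch it has to be on /etc/shadow (and on the passwd, chpasswd and usermod binaries if you want the caller as well); and a lockout (the last sample line, or an expired account) produces no chauthtok event at all, which is exactly the case where "password changed" greps come back empty while root still cannot log in.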


jefro 01-19-2015 07:06 PM

Root passwords don't just change. There is no sort of maybe kind of if on this.

It is bad.

Time to reload current OS from scratch, get all software updates. Use as many best practices as you can to avoid this in the future.

All your data is suspect now. Backup could be an issue.

Planky 01-19-2015 07:45 PM

It's a brand new VPS, fresh install of CentOS and then DNSOnly installed on top. No other config or data on it. As per my 2nd post, the secure log doesn't mention a password change outside of me resetting it, so it must be something other than a password change...

Next time it happens I'll give it a reboot to see if it's a crashed service or some such.

Habitual 01-20-2015 08:07 AM

What is "ns3"?

sundialsvcs 01-20-2015 08:34 AM

If the root-password on a box is changing without you knowing it, why do you trust any of "the logs?"

Compromised computers are like enemy soldiers. You don't try to compromise with them. You don't look at pictures of their grandkids. You shoot 'em.

Ihatewindows522 01-20-2015 08:50 AM

Part of the problem might lie in the fact that he's using CentOS 5. Although still technically supported, I wouldn't use it at all. As with Debian 6, they may be exploiting shellshock, and then just covering their tracks. Bottom line: reinstall with a newer distro.

Planky 01-20-2015 06:34 PM

Quote:

Originally Posted by Habitual (Post 5303937)
What is "ns3"?

Name of the server

Quote:

Originally Posted by sundialsvcs (Post 5303954)
If the root-password on a box is changing without you knowing it, why do you trust any of "the logs?"

Compromised computers are like enemy soldiers. You don't try to compromise with them. You don't look at pictures of their grandkids. You shoot 'em.

I made the assumption that the password is changing - however I am not sure of that. All I know is that one day I can login, the next day I cannot. Performing a password reset via the DigitalOcean control panel corrects it (it powers off the server and modifies it with some external process/script). I was going to wait till it happened again to see if just a reboot fixed it.

Quote:

Originally Posted by Ihatewindows522 (Post 5303964)
Part of the problem might lie in the fact that he's using CentOS 5. Although still technically supported, I wouldn't use it at all. As with Debian 6, they may be exploiting shellshock, and then just covering their tracks. Bottom line: reinstall with a newer distro.


I would use a later OS, except for the daft limitations of WHM's DNSOnly app. There are apparently workarounds to get it to install on later versions, but then WHM/cPanel won't support it.

I've deleted the VPS and will start from scratch again.

unSpawn 01-23-2015 10:28 AM

Quote:

Originally Posted by jefro (Post 5303697)
Time to reload current OS from scratch

Please do not advise fellow LQ members to do that without proper investigation.


Quote:

Originally Posted by Ihatewindows522 (Post 5303964)
Part of the problem might lie in the fact that he's using CentOS 5. Although still technically supported, I wouldn't use it at all. As with Debian 6, they may be exploiting shellshock, and then just covering their tracks. Bottom line: reinstall with a newer distro.

Pure, uncut male cow manure. CentOS 5 is not "technically" supported: it is officially supported, meaning it gets the security fixes it needs: http://wiki.centos.org/Security/Shellshock. If you don't know your stuff then feel free to keep yourself from posting.


Quote:

Originally Posted by Planky (Post 5304224)
I've deleted the VPS and will start from scratch again.

That is a shame as it would have been my pleasure to help you investigate. Please note that while you are free to follow any advice given, and you are the only one responsible for gauging the quality of said advice, on LQ there really are about five people I trust to perform incident handling the way I want to see it done.
