Root password changing repeatedly
I have an odd problem with a VPS I have at DigitalOcean. The root password keeps changing and forcing me to reset via DigitalOcean's control panel.
I'm not sure exactly what time/date it changes, only when I get a message from WHM saying it cannot access the DNSOnly server anymore as the password was invalid. The VPS is running CentOS 5.10 and has WHM DNSOnly installed. I emailed DigitalOcean's support and got this response: Quote:
I thought I could use auditd to monitor passwd, but changing a password doesn't modify this file. Does anyone have any suggestions on what to look for? |
I ran this search against /var/log/secure, but can only see my manual password changes. Between those dates, something is stopping root from being able to log in via console/ssh - I think this shows that the password itself is not changing and something else is stopping root's access.
Code:
root@ns3 [/var/log]# find . -name "secure*" -exec grep -Hn "password changed" {} \;
|
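Added example, not part of any post in this thread: the password hash and its aging fields live in /etc/shadow rather than /etc/passwd, so comparing root's shadow line from when login worked with the line after the lockout shows whether the hash changed or the account was locked or expired instead. The function name `diagnose_shadow` and the sample lines are constructed for illustration.

```shell
# Added example: classify what changed between two snapshots of root's
# /etc/shadow line. Fields per shadow(5):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Usage: diagnose_shadow OLD_LINE NEW_LINE TODAY  (TODAY = days since 1970-01-01)
diagnose_shadow() {
    local old="$1" new="$2" today="$3" out=""
    local oh ol nh nl nmax nexp
    IFS=: read -r _ oh ol _ <<EOF
$old
EOF
    IFS=: read -r _ nh nl _ nmax _ _ nexp _ <<EOF
$new
EOF
    case "$nh" in
        '!'*|'*'*)   # "!" prefix is what passwd -l / usermod -L write
            case "$oh" in '!'*|'*'*) ;; *) out="$out locked" ;; esac ;;
        *)  if [ "$nh" != "$oh" ]; then out="$out hash-changed"; fi ;;
    esac
    if [ "$nl" != "$ol" ]; then out="$out lastchg-changed"; fi
    if [ "$nl" = "0" ]; then
        # lastchg of 0 forces a password change at next login
        out="$out change-forced-at-login"
    elif [ -n "$nl" ] && [ -n "$nmax" ] && [ "$today" -gt $((nl + nmax)) ]; then
        out="$out password-expired"
    fi
    if [ -n "$nexp" ] && [ "$today" -ge "$nexp" ]; then
        out="$out account-expired"
    fi
    out="${out# }"
    echo "${out:-unchanged}"
}

# Constructed sample snapshots (not real hashes); 16300 is a constructed "today".
before='root:$1$CONSTRUCTED$hashA:16200:0:99999:7:::'
after='root:!$1$CONSTRUCTED$hashA:16200:0:99999:7:::'
diagnose_shadow "$before" "$after" 16300   # prints: locked
```

On a live box the two lines would come from `grep '^root:' /etc/shadow` saved at each point, and an auditd watch on /etc/shadow (`auditctl -w /etc/shadow -p wa -k shadow-change`, reviewed with `ausearch -k shadow-change`) records which process wrote the file.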
Root passwords don't just change. There is no sort of maybe kind of if on this.
It is bad. Time to reload current OS from scratch, get all software updates. Use as many best practices as you can to avoid this in the future. All your data is suspect now. Backup could be an issue. |
It's a brand new VPS, fresh install of CentOS and then DNSOnly installed on top. No other config or data on it. As per my 2nd post, the secure log doesn't mention a password change outside of me resetting it, so it must be something other than a password change...
Next time it happens I'll give it a reboot to see if it's a crashed service or some such. |
What is "ns3"?
|
If the root-password on a box is changing without you knowing it, why do you trust any of "the logs?"
Compromised computers are like enemy soldiers. You don't try to compromise with them. You don't look at pictures of their grandkids. You shoot 'em. |
I would use a later OS, except for daft limitations of WHM's DNSOnly app. There are apparently workarounds to get it to install on later versions, but then WHM/cPanel won't support it. I've deleted the VPS and will start from scratch again. |