Latest LQ Deal: Linux Power User Bundle
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 10-13-2005, 10:32 AM   #1
LQ Newbie
Registered: May 2004
Posts: 3

Rep: Reputation: 0
Root Password Keeps Changing

Hi all. Currently on my site i have Red HAt Enterprise 3 working as a Samba Server & Red Hat 7.3 working as a firewall/proxy server. My problem is as follows. Every couple of days, the root password on my Red HAt 7.3 changes & i have to reboot in Single user mode & reset the password. Can anybody explain or give me a solution to why this happening as I am worried that a system attack / failure is occuring. Many thanks in advance of your replies.
Old 10-13-2005, 11:06 AM   #2
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,942
Blog Entries: 14

Rep: Reputation: 1160Reputation: 1160Reputation: 1160Reputation: 1160Reputation: 1160Reputation: 1160Reputation: 1160Reputation: 1160Reputation: 1160
Weird. We're running RHEL AS 3 and haven't seen this.

Do you have any other sysadmins that have the root password?

When you reset the password are you picking a new one or using the one you had before? I'd suggest a new one just to make sure it is not someone who has the old one that keeps changing it.

Do a find for root owned files that have the suid bit turned on. Any such file is executed as root no matter so if it is compromised (say it is is a script to which someone added "su -") it will be done as root. "find / -perm 4755" for example would find all files that had rwsr-x-r-x permissions - the "s" tells you the suid bit is turned on. Because it has execute by ANY users (the final r-x) it means any user can run it as root. I run the find for each of 4777, 4775, 4755 etc... - basically for any mode in which anyone other than the user (root) would be able to write the file (so no reason to search for 4744 because though it is readable by everyone else only root could write to it.)

Also do you use sudo? I've seen poorlly done sudo implementations where they would add permission to use vi in sudo. Since it is run as root by sudo any shell escape (you can do :!/bin/bash fom within vi to go to shell) would automatically put the user at a root prompt. Verify you don't have any utilities that allow such shell escapes defined in sudo. Also verify that any scripts that you allow to run in sudo are ONLY writable by root because as with the suid files a user could compromise it by modifying the script to do something like "su -".
Old 10-13-2005, 11:23 AM   #3
LQ Newbie
Registered: May 2004
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks, will try your suggestions. I will let you know how i get on.
Old 10-13-2005, 03:17 PM   #4
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Just to add to that, look at roots bash_history file for any odd activity and take a close look at the output of the "last" command for any logins that look abnormal. It's probably a good idea to run rkhunter or chkrootkit on the system and verify the integrity of binaries with rpm -Va . You should also look around the filesystem for any abnormal files/dirs, especially in places like /tmp.

If the system in question is running RH 7.3, how have you been keeping it updated with securty patches?

Last edited by Capt_Caveman; 10-13-2005 at 03:21 PM.
Old 10-14-2005, 04:51 PM   #5
Registered: Apr 2005
Location: perugia
Distribution: ubuntu
Posts: 181

Rep: Reputation: 31
I think I've figured it out


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
changing root password Bombo Linux - Newbie 2 04-10-2005 10:42 PM
changing root password minm Linux - Newbie 9 08-31-2004 03:03 AM
Changing the root password divsky Linux - Newbie 4 04-03-2004 10:02 PM
Changing root password Gibby Mandriva 1 10-02-2003 10:38 PM
changing root password jamaso Linux - Newbie 1 12-25-2001 10:38 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:40 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration