Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi all. Currently on my site I have Red Hat Enterprise 3 working as a Samba server and Red Hat 7.3 working as a firewall/proxy server. My problem is as follows. Every couple of days, the root password on my Red Hat 7.3 changes and I have to reboot in single-user mode and reset the password. Can anybody explain or give me a solution as to why this is happening, as I am worried that a system attack/failure is occurring. Many thanks in advance for your replies.
Weird. We're running RHEL AS 3 and haven't seen this.
Do you have any other sysadmins that have the root password?
When you reset the password are you picking a new one or using the one you had before? I'd suggest a new one just to make sure it is not someone who has the old one that keeps changing it.
Do a find for root-owned files that have the suid bit turned on. Any such file is executed as root no matter who runs it, so if it is compromised (say it is a script to which someone added "su -") that will be done as root. "find / -perm 4755", for example, would find all files that had rwsr-xr-x permissions; the "s" tells you the suid bit is turned on. Because it has execute by ANY user (the final r-x), it means any user can run it as root. I run the find for each of 4777, 4775, 4755, etc., basically for any mode in which anyone other than the user (root) would be able to write the file (so no reason to search for 4744 because, though it is readable by everyone else, only root could write to it).
Also, do you use sudo? I've seen poorly done sudo implementations where they would add permission to use vi in sudo. Since it is run as root by sudo, any shell escape (you can do :!/bin/bash from within vi to go to a shell) would automatically put the user at a root prompt. Verify you don't have any utilities that allow such shell escapes defined in sudo. Also verify that any scripts that you allow to run in sudo are ONLY writable by root because, as with the suid files, a user could compromise it by modifying the script to do something like "su -".
Just to add to that, look at root's .bash_history file for any odd activity and take a close look at the output of the "last" command for any logins that look abnormal. It's probably a good idea to run rkhunter or chkrootkit on the system and verify the integrity of binaries with "rpm -Va". You should also look around the filesystem for any abnormal files/dirs, especially in places like /tmp.
If the system in question is running RH 7.3, how have you been keeping it updated with security patches?
Last edited by Capt_Caveman; 10-13-2005 at 03:21 PM.
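"rpm -Va" on a box that has been up for years prints hundreds of lines, most of them mtime changes and edited config files. An added example (not from the thread or its posters) that triages a saved report down to what a replaced binary looks like: a size, mode or MD5 change on a non-config file under a system binary or library directory. The line format assumed is the one rpm prints (an attribute string of S size, M mode, 5 MD5, D device, L link, U user, G group, T mtime with "." for unchanged, an optional file-type letter such as c for config, then the path, or "missing" followed by the path); the report lines in the usage below are constructed, not real output.

```shell
#!/bin/sh
# Added example, not from the original thread. Filters saved "rpm -Va" output
# (format as described above; an assumption about the rpm version) down to
# changes that matter on a suspected compromise.

# Print the paths from an rpm -Va report that sit under a system binary or
# library directory, are not config files, and changed in size, mode or MD5.
# mtime-only (T) changes and /etc churn are ignored as noise.
# Usage: rpm_va_triage REPORT_FILE
rpm_va_triage() {
    awk '
        $1 == "missing" { next }
        {
            flags = $1; path = $NF
            type = (NF >= 3) ? $2 : ""
            if (type == "c") next
            if (path !~ /^\/(s?bin|usr\/s?bin|lib(64)?|usr\/lib(64)?|usr\/libexec)\//) next
            if (substr(flags, 1, 1) == "S" || substr(flags, 2, 1) == "M" || substr(flags, 3, 1) == "5")
                print path
        }' "$1"
}

# Paths rpm reports as missing under the same directories: a deleted binary,
# or one replaced by something rpm no longer owns, is worth a look too.
# Usage: rpm_va_missing REPORT_FILE
rpm_va_missing() {
    awk '$1 == "missing" && $NF ~ /^\/(s?bin|usr\/s?bin|lib(64)?|usr\/lib(64)?|usr\/libexec)\// { print $NF }' "$1"
}

# Stand-alone use:
#   rpm -Va > /root/rpm-va.txt
#   sh rpm-triage.sh /root/rpm-va.txt
if [ -n "${1:-}" ]; then
    echo "== changed system binaries/libraries =="
    rpm_va_triage "$1"
    echo "== missing system binaries/libraries =="
    rpm_va_missing "$1"
fi
```

Two caveats when you read the output. A changed MD5 on /bin/ls or /bin/ps after an errata update is normal, so compare against the package's own version with rpm -q before calling it a trojan. And if the machine is already rooted, rpm, awk and the rpm database can all have been tampered with; the result only means something when the report was produced with a trusted rpm (rescue media, or the binaries from a clean install) against a database you have reason to trust.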