I was working from my server performing certain task in suse 8.0 and all of the sudden my root password doesn't work anymore and my internet connection has slowed down as well as my router lights are blinking non stop as if I am being attacked.

This has happened to me in the past and I had to reinstall. Now I want to find out once and for all what is going on and how can I fix this and prevent this from happening again.


Thanks in advance

Well, if you're not doing any network traffic, do a tcpdump -i eth0 ( assuming that's your outbound net connection ). That will tell you what's going on and where.

Another thing to do is to go get chkrootkit ( http://www.chkrootkit.org/ ) and check that out too.

The root password. If it's been changed you'll have to boot off of an install CD, mount the / partiton and edit your passwd file directly. From there change the hash of the password and reboot. However, that probably won't stop whoever it is from coming back in again, so in order to maintain some type of root privelege, make sure you have sudo installed.

From there it's all a matter of checking all of your files to see what's been chagned/added. Usually you'll find directories with a . prefix, so a regular ls -l won't show it. Likewise, you may also see directories labeled ".. " that's two periods and a space, you may just glance right over that and not see it for what it is.

It's a good bet that the majority of your log files have been changed already, however, if you wanted to play the waiting game, you could always upgrade your syslog functioning so that everything is recorded and then push those logs somewhere else, or use virtual terms to tail -f the log files, etc...but that's not a guarntee.

Anyway, hopef I gave you a good starting point for some of the things you've asked.

the tcpdump says that it is a bad command, if i have to be logged in as root to run, i can't log in as root. out in the / directory there is a folder there labeled .qt and there is also one of the same name in the temp folder. is that normal.

Let me ask another question. Is this situation a normal situation or is it just me going through this.

*shrug* totally depends, qt could be quite normal, it's the name of a package on my linux box. Yeah, I forgot that you have to be root in order to do it, in which case, see the part about changing the root password back to something you know. Install sudo, that way even if root passwd is changed you might be able to execute commands as root while still being your regular user.