the root password has been changed

Lem0nHead · Jun 1, 2010

hello
today I had a problem with a server which was rebooted
after that I couldn't login with the root password (although other users are fine)

I don't know if it was changed by the datacenter or if it's some attack
I regain control and checked logs, the running kernel, some root kit detectors... everything seems fine

but I couldn't find out what changed the root password

any hints on how can I do that? even after I manually changed my root password, I couldn't find any entry on /var/log/messages or auth

thanks

pprocacci · Jun 2, 2010

The system won't change it's root (or any users') password by itself.

If you can confirm that the Datacenter (or other staff) members did not change the root password then I would suspect the worst and go from there regardless of what tools are telling you. This is a good general rule of thumb to follow anyway.

The act of changing a password isn't recorded anywhere. The act of logging into a machine is however. Remote exploits via a running service aren't recorded other than general access logs. (All the more reason to use jails).

Check your logins and access logs and ask those people you can about their logins. Still not satisfied.....rebuild.

Alt · Jun 2, 2010

To change password, user must at least login =) So check logs for login/logout entries, check output of `last` command for suspicious logins.

Also, it may be sshd's root login forbiding. Try to connect as another user and `su` to root (user must be in group wheel).

Lem0nHead · Jun 2, 2010

Alt said:
To change password, user must at least login =)

not necessarily
if you elevate your priviledges to root (exploiting a program which runs as root, for instance), you could edit master.passwd directly

if there was some kind of hacking, I guess that's how it was done, because I really couldn't find anything else

sixtydoses · Jun 2, 2010

Any users allowed to run $ sudo passwd root?

Lem0nHead · Jun 2, 2010

no
and just one user is allowed to su to root (not sudo, he needs root's password)

phoenix · Jun 2, 2010

If that user logged in, ran "su", and then ran "passwd", there would be no record of it in any log files. It would be listed in the "history" output for root's shell, though (unless using a shell that doesn't support history, like /bin/sh).

mix_room · Jun 3, 2010

Can you su to root? Or can you not gain root access at all? Have you been trying to log on as root via ssh?

I my experience not being able to login has one main reason: user misremembers or mistyped their password.

pprocacci · Jun 3, 2010

I must shamefully admit I thought a couple of times my root account was hacked when I neglected to check my numlock key!

Happens to the best of us I guess.