Root password changing by itself

max bianco maximilianbianco at gmail.com
Tue May 20 15:24:43 UTC 2008


On Mon, May 19, 2008 at 11:12 PM, Tim <ignored_mailbox at yahoo.com.au> wrote:
> Vijay Krishnan:
>>      I have Fedora 5 and 6 installed on my machines. I strangely find
>> that I am often unable to login to the machine with my regular
>> password using ssh. Fortunately I have physical access to the machine,
>> which allows me to change the password back.
>
> Are you changing it back, or just setting the same password again?  The
> first would indicate someone's changing it on you.  The latter a fault
> (you're presuming it's changed, because you couldn't log in, but
> something else might be preventing the log in).
>
> If you keep changing it back to a password that a hacker has already
> worked out, then you're not doing anything to protect yourself.  Set a
> new password, a damn good one.
>
> If you've been hacked, the simplest resolution is a fresh install, being
> very careful about what you put back on the new system from your old
> installation.  Don't re-install a trojan.
>
> Otherwise, if you're going to try and keep on using your existing
> installation, you're going to need to check, very thoroughly, for a
> trojan.  Which may well be a "rootkit" (one designed to give root access
> to a box, and to be quite well hidden from discovery).
>
> Afterwards, install something like the fail2ban package.  Then, someone
> trying to ssh in to your machine only gets a limited number of attempts
> before their IP is locked out.  That makes it much harder for a hacker
> to keep on trying to break it, the only way around for them to keep on
> attempting is to come at you from numerous different IPs.
>
> Where do you need to be able to ssh into the machine from?  If it's just
> within your LAN, then firewall the ssh port off from the internet.  If
> you do need to access it from the net, then still firewall it off, but
> open through some holes from the locations you need to access it from.
> That'll limit hacking possibilities, too.
>
>
Wireshark can be useful here too. You might leave it running on a
separate machine plugged into the same switch (make sure the switch
doesn't have VLANs set up, or you won't be able to capture all the
traffic in promiscuous mode), or you could tap the wire feeding the
switch if you can't reconfigure the switch, or run the net connection
through another machine that feeds the box in question so you can
watch the traffic. There are many ways to skin this cat. Of course it
helps if you have monitored the traffic on your LAN before; otherwise
you'll be using whois a lot, or dig or nslookup.

Pen testing is a whole subject by itself and there are distros out
there dedicated to just that. Many of the tools and methods for
pentesting can be used to get information on an attacker; here the
reconnaissance techniques are useful. But all this presupposes you've
been hacked, which really hasn't been established yet. You know what
they say: "Just because you're paranoid doesn't mean they are not out
to get you."

By the way, configuring the filters in Wireshark can be a bit of a
pain, especially if you're long on ideas but short on experience like
me, but properly set-up filters (I learned by trial and error and
Google) can make life much easier. Filtering things like STP out can
make the output much easier to read; filtering out known good traffic
will only leave the unknown. That's much easier than trying to sift
through all the traffic produced on a typical LAN. You'd be surprised
by how much there is, depending on the size of the LAN.


Max
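
An added example, not written by anyone in this thread: before
reaching for Wireshark, the first place to settle Tim's question
("is the password actually being changed, or is something else
blocking the login?") is the auth log. The script below runs over a
constructed sample of /var/log/secure-style lines in the syslog and
pam_unix format Fedora used at the time (the hostnames, PIDs,
addresses and the 3-attempt threshold are all made up for the
example) and pulls out the three things the thread cares about: which
sources are hammering sshd (the same per-IP counting fail2ban does
before it bans), which addresses actually got in, and when root's
password was changed.

```sh
#!/bin/sh
# Added example, not code from the thread. Triage sshd/passwd log lines.
# SAMPLE_LOG is constructed test data in /var/log/secure format; in real
# use you would feed it "$(cat /var/log/secure)" as root.
SAMPLE_LOG='May 19 22:10:01 box sshd[1201]: Failed password for root from 203.0.113.5 port 4422 ssh2
May 19 22:10:03 box sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 4423 ssh2
May 19 22:10:05 box sshd[1205]: Failed password for root from 203.0.113.5 port 4424 ssh2
May 19 22:10:07 box sshd[1207]: Failed password for root from 203.0.113.5 port 4425 ssh2
May 19 22:12:40 box sshd[1220]: Failed password for vijay from 192.168.1.20 port 51000 ssh2
May 19 22:12:44 box sshd[1220]: Accepted password for vijay from 192.168.1.20 port 51000 ssh2
May 19 23:01:12 box sshd[1300]: Accepted password for root from 203.0.113.5 port 4500 ssh2
May 19 23:01:30 box passwd[1310]: pam_unix(passwd:chauthtok): password changed for root'

# Source addresses with at least $2 failed sshd password attempts,
# printed as "count ip", most active first. This is the counting
# fail2ban applies before it adds a firewall rule for the address.
failed_sources() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Successful sshd logins as "user ip". Any address you do not recognise
# here is the real lead; a brute-forcer that never got in is just noise.
accepted_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "for")  u = $(i+1)
            for (i = 1; i <= NF; i++) if ($i == "from") print u, $(i+1)
        }'
}

# Password changes recorded by pam_unix, as "Mon DD HH:MM:SS user".
# If root shows up here at a time you were not at the keyboard, the
# password really is being changed on you rather than just failing.
password_changes() {
    printf '%s\n' "$1" | awk '
        /pam_unix\(passwd:chauthtok\): password changed for/ {
            print $1, $2, $3, $NF
        }'
}

echo "== sources with >= 3 failed passwords (fail2ban would ban these) =="
failed_sources "$SAMPLE_LOG" 3
echo "== accepted logins (user ip) =="
accepted_logins "$SAMPLE_LOG"
echo "== password changes =="
password_changes "$SAMPLE_LOG"
```

On the constructed sample this ties the three together: one outside
address fails four times, later logs in as root, and the root
password is changed a few seconds afterwards. One caveat that follows
from Tim's point about rootkits: an attacker with root can edit or
truncate the log, so an empty result here does not prove anything,
while a positive result is enough to act on the thread's advice
(new strong password, firewall ssh, and seriously consider the
reinstall).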
