HPE Community
Operating System - Linux
1752511 Members
5199 Online
108788 Solutions
New Discussion

Password Changed on Linux Server

 
Mousa55
Super Advisor

‎05-21-2012 01:36 AM

‎05-21-2012 01:36 AM

Password Changed on Linux Server

Hi,

 

I have HP ProLiant BL460c G7 server with redhat enterprise Linux release 6.2 operating system. I found the root password is changed and when I login to my system from ILO I found this message

 

Last login: Mon May 21 08:18:05 2012 from 156.red-79-144-179.dynamicip.rima-tde.net

 

I want to know what is this exactly and how he can login to my system and change my password ?

 

Note: This system connected to public IP, And users can access the server not through domain.

 

Thanks

0 Kudos
Reply
2 REPLIES 2
Matti_Kurkela
Honored Contributor

‎05-21-2012 03:29 AM

‎05-21-2012 03:29 AM

Re: Password Changed on Linux Server

> Last login: Mon May 21 08:18:05 2012 from 156.red-79-144-179.dynamicip.rima-tde.net

 

> I want to know what is this exactly

 

The command "whois rima-tde.net" tells me the domain belongs to a Spanish organization "TELEFONICA, S.A.". I guess this is a telecommunications company, which most likely acts as an Internet Service Provider for anyone who wants to have an Internet connection in Spain. The "dynamicip" suggests it's probably a mobile/home/small-business Internet connection.

 

This address might not belong to the actual intruder, but to some home computer user whose system has been attacked by the intruder too.

 

If you wish to report this, abuse@telefonica.net might be a good address to send the report to.

 

> how he can login to my system and change my password ?

 

Either your password was weak and he discovered it by repeatedly trying all words in a dictionary + some common combinations, or he exploited some security vulnerability in some software you have running on the system to get access, or a combination of the two (discovering a weak non-root password to log in + using a security exploit to get initial root access without knowing the root password).

 

If the intruder was not a total novice, he probably has installed a "root kit" to your system. A root kit is a set of programs that is designed to hide the activities of the intruder from the legitimate system administrator. That means you cannot any longer trust what the system tells you: the rootkit might cause the "ps" command to hide the processes started by the intruder, the "ls" command to hide the files the intruder uses for his own purposes, etc. You can be fairly certain the intruder also has set up an extra account with root access or some other way to regain access to your system even if you change the root password.

 

Without knowing exactly what tools and procedures the intruder used, it's extremely difficult to undo the actions of the intruder. The best thing you can do is to make sure all your data is backed up on an external media, and then completely wipe & re-install the OS of this server. Only restore data files from your backups: all the executables should come from trusted sources only (e.g. from the original installation media, or as cryptographically secured packages from the RedHat update servers).

MK
0 Kudos
Reply
Fred Abell
Occasional Advisor

‎05-22-2012 06:20 AM

‎05-22-2012 06:20 AM

Re: Password Changed on Linux Server

SANS provides a free cheat sheet to help you find out if you've been hacked.

 

http://www.sans.org/score/checklists/ID_Linux.pdf

 

It's a place to start. If you have been hacked, I'd reload the system and harden it properly. Center for Internet Security (CIS) or the NSA have documents to help you harden your system. If you are running a website, then a whole new set of vulnerabilities exist.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.