05-21-2012 01:36 AM
Password Changed on Linux Server
Hi,
I have an HP ProLiant BL460c G7 server with the Red Hat Enterprise Linux release 6.2 operating system. I found that the root password had been changed, and when I logged in to my system from iLO I found this message:
Last login: Mon May 21 08:18:05 2012 from 156.red-79-144-179.dynamicip.rima-tde.net
I want to know exactly what this is, and how he was able to log in to my system and change my password.
Note: This system is connected to a public IP, and users do not access the server through a domain.
Thanks
05-21-2012 03:29 AM
Re: Password Changed on Linux Server
> Last login: Mon May 21 08:18:05 2012 from 156.red-79-144-179.dynamicip.rima-tde.net
> I want to know what is this exactly
The command "whois rima-tde.net" tells me the domain belongs to a Spanish organization "TELEFONICA, S.A.". I guess this is a telecommunications company, which most likely acts as an Internet Service Provider for anyone who wants to have an Internet connection in Spain. The "dynamicip" suggests it's probably a mobile/home/small-business Internet connection.
This address might not belong to the actual intruder, but to some home computer user whose system has been attacked by the intruder too.
If you wish to report this, abuse@telefonica.net might be a good address to send the report to.
> how he can login to my system and change my password ?
Either your password was weak and he discovered it by repeatedly trying all words in a dictionary + some common combinations, or he exploited some security vulnerability in some software you have running on the system to get access, or a combination of the two (discovering a weak non-root password to log in + using a security exploit to get initial root access without knowing the root password).
If the intruder was not a total novice, he has probably installed a "root kit" on your system. A root kit is a set of programs designed to hide the activities of the intruder from the legitimate system administrator. That means you can no longer trust what the system tells you: the rootkit might cause the "ps" command to hide the processes started by the intruder, the "ls" command to hide the files the intruder uses for his own purposes, etc. You can be fairly certain the intruder has also set up an extra account with root access, or some other way to regain access to your system even if you change the root password.
Without knowing exactly what tools and procedures the intruder used, it's extremely difficult to undo the actions of the intruder. The best thing you can do is to make sure all your data is backed up on external media, and then completely wipe & re-install the OS of this server. Only restore data files from your backups: all the executables should come from trusted sources only (e.g. from the original installation media, or as cryptographically secured packages from the Red Hat update servers).
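As an added example (not code from this thread), the following Python script implements the dictionary-attack check the answer above describes: it reads the lines OpenSSH writes to /var/log/secure on RHEL 6 and flags a password login that succeeds from an address that had already failed repeatedly. It assumes the intruder came in over SSH; the host name, addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of the lines OpenSSH writes to /var/log/secure on RHEL 6.
# Host name, PIDs and addresses (documentation range 198.51.100.0/24) are made up.
SAMPLE_SECURE_LOG = """\
May 21 08:02:11 blade1 sshd[4101]: Failed password for root from 198.51.100.23 port 51022 ssh2
May 21 08:02:14 blade1 sshd[4101]: Failed password for root from 198.51.100.23 port 51022 ssh2
May 21 08:02:17 blade1 sshd[4103]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2
May 21 08:02:20 blade1 sshd[4105]: Failed password for root from 198.51.100.23 port 51041 ssh2
May 21 08:02:23 blade1 sshd[4107]: Failed password for root from 198.51.100.23 port 51055 ssh2
May 21 08:18:05 blade1 sshd[4211]: Accepted password for root from 198.51.100.23 port 51302 ssh2
May 21 08:18:05 blade1 sshd[4211]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 21 09:00:01 blade1 sshd[4300]: Accepted publickey for ops from 10.0.0.5 port 40112 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def analyze_secure_log(text, threshold=3):
    """Count failed password attempts per source address and flag every
    password login that succeeded from a source which had already produced
    at least `threshold` failures: the signature of a dictionary attack that
    eventually found a working password. Key-based logins are never flagged."""
    failures = defaultdict(int)
    alerts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            prior = failures.get(src, 0)
            if method == "password" and prior >= threshold:
                alerts.append({"user": user, "src": src, "failures_before": prior, "line": line})
    return dict(failures), alerts


if __name__ == "__main__":
    counts, hits = analyze_secure_log(SAMPLE_SECURE_LOG)
    for src, n in counts.items():
        print(f"{src}: {n} failed password attempts")
    for hit in hits:
        print(f"ALERT: {hit['user']} logged in by password from {hit['src']} "
              f"after {hit['failures_before']} failures")
```

Run it against a copy of /var/log/secure pulled off the host (for example `analyze_secure_log(open("secure.copy").read())`), since, as the answer notes, the compromised system's own output cannot be trusted once a rootkit may be present.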
05-22-2012 06:20 AM
Re: Password Changed on Linux Server
SANS provides a free cheat sheet to help you find out if you've been hacked.
http://www.sans.org/score/checklists/ID_Linux.pdf
It's a place to start. If you have been hacked, I'd reload the system and harden it properly. Center for Internet Security (CIS) or the NSA have documents to help you harden your system. If you are running a website, then a whole new set of vulnerabilities exist.