Password Changed on Linux Server

Mousa55
Super Advisor

Password Changed on Linux Server

Hi,

I have an HP ProLiant BL460c G7 server with the Red Hat Enterprise Linux release 6.2 operating system. I found that the root password was changed, and when I log in to my system from iLO I see this message:

Last login: Mon May 21 08:18:05 2012 from 156.red-79-144-179.dynamicip.rima-tde.net

I want to know what this is exactly, and how he could log in to my system and change my password?

Note: This system is connected to a public IP, and users access the server not through a domain.

Thanks

Matti_Kurkela
Honored Contributor

Re: Password Changed on Linux Server

> Last login: Mon May 21 08:18:05 2012 from 156.red-79-144-179.dynamicip.rima-tde.net

> I want to know what this is exactly

The command "whois rima-tde.net" tells me the domain belongs to a Spanish organization, "TELEFONICA, S.A.". I guess this is a telecommunications company, which most likely acts as an Internet Service Provider for anyone who wants to have an Internet connection in Spain. The "dynamicip" suggests it's probably a mobile/home/small-business Internet connection.

This address might not belong to the actual intruder, but to some home computer user whose system has been attacked by the intruder too.

If you wish to report this, abuse@telefonica.net might be a good address to send the report to.

> how he could log in to my system and change my password?

Either your password was weak and he discovered it by repeatedly trying all the words in a dictionary plus some common combinations, or he exploited some security vulnerability in some software you have running on the system to get access, or a combination of the two (discovering a weak non-root password to log in, plus using a security exploit to get root access without knowing the root password).

If the intruder was not a total novice, he has probably installed a "rootkit" on your system. A rootkit is a set of programs designed to hide the activities of the intruder from the legitimate system administrator. That means you can no longer trust what the system tells you: the rootkit might cause the "ps" command to hide the processes started by the intruder, the "ls" command to hide the files the intruder uses for his own purposes, etc. You can be fairly certain the intruder has also set up an extra account with root access, or some other way to regain access to your system even if you change the root password.

Without knowing exactly what tools and procedures the intruder used, it's extremely difficult to undo the intruder's actions. The best thing you can do is to make sure all your data is backed up on external media, and then completely wipe and re-install the OS of this server. Only restore data files from your backups: all the executables should come from trusted sources only (e.g. from the original installation media, or as cryptographically secured packages from the Red Hat update servers).

MK
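The dictionary-attack scenario described in the reply above leaves a characteristic trace in sshd's log (/var/log/secure on RHEL 6): a burst of "Failed password" lines from one source, followed by an "Accepted" line from the same source. The script below is an added example, not part of the thread; it parses constructed sample lines in that format and flags every accepted login preceded by a run of failures from the same IP. Since a rootkit may hide or alter logs on the compromised host, run it against a copy of the log taken off the machine.

```python
import re
from collections import defaultdict

# Constructed sample lines in the /var/log/secure format RHEL 6 sshd writes.
# Hostname, PIDs, timestamps and addresses are invented (203.0.113.7 is a
# documentation address); they are not values from the thread.
SAMPLE_LOG = """\
May 21 08:10:01 blade1 sshd[2201]: Failed password for root from 203.0.113.7 port 4455 ssh2
May 21 08:10:03 blade1 sshd[2201]: Failed password for root from 203.0.113.7 port 4455 ssh2
May 21 08:10:05 blade1 sshd[2203]: Failed password for root from 203.0.113.7 port 4456 ssh2
May 21 08:10:07 blade1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 4457 ssh2
May 21 08:10:09 blade1 sshd[2207]: Failed password for root from 203.0.113.7 port 4458 ssh2
May 21 08:18:05 blade1 sshd[2310]: Accepted password for root from 203.0.113.7 port 4460 ssh2
May 21 08:18:05 blade1 sshd[2310]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 21 09:00:00 blade1 sshd[2400]: Accepted publickey for mousa from 10.0.0.5 port 51000 ssh2
May 21 09:05:00 blade1 sshd[2401]: Failed password for mousa from 10.0.0.5 port 51001 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for
# [invalid user ]<user>" lines; session/pam lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def find_bruteforce_logins(log_text, threshold=3):
    """Return (ip, user, failures_before, timestamp) for every accepted login
    that was preceded by at least `threshold` failed attempts from the same IP.
    Failure counts are cumulative per source across the whole log."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append((ip, m["user"], failures[ip], m["ts"]))
    return hits


if __name__ == "__main__":
    for ip, user, n, ts in find_bruteforce_logins(SAMPLE_LOG):
        print(f"{ts}: {user} accepted from {ip} after {n} failed attempts")
```

A legitimate user who mistypes a password a couple of times stays below the threshold, as the 10.0.0.5 lines show; tune `threshold` to the noise level of your own hosts.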
Fred Abell
Occasional Advisor

Re: Password Changed on Linux Server

SANS provides a free cheat sheet to help you find out if you've been hacked.

http://www.sans.org/score/checklists/ID_Linux.pdf

It's a place to start. If you have been hacked, I'd reload the system and harden it properly. The Center for Internet Security (CIS) or the NSA have documents to help you harden your system. If you are running a website, then a whole new set of vulnerabilities exists.