System Administration

Password Changed on Linux Server

Super Advisor

Password Changed on Linux Server



I have HP ProLiant BL460c G7 server with redhat enterprise Linux release 6.2 operating system. I found the root password is changed and when I login to my system from ILO I found this message


Last login: Mon May 21 08:18:05 2012 from


I want to know what is this exactly and how he can login to my system and change my password ?


Note: This system connected to public IP, And users can access the server not through domain.



Honored Contributor

Re: Password Changed on Linux Server

> Last login: Mon May 21 08:18:05 2012 from


> I want to know what is this exactly


The command "whois" tells me the domain belongs to a Spanish organization "TELEFONICA, S.A.". I guess this is a telecommunications company, which most likely acts as an Internet Service Provider for anyone who wants to have an Internet connection in Spain. The "dynamicip" suggests it's probably a mobile/home/small-business Internet connection.


This address might not belong to the actual intruder, but to some home computer user whose system has been attacked by the intruder too.


If you wish to report this, might be a good address to send the report to.


> how he can login to my system and change my password ?


Either your password was weak and he discovered it by repeatedly trying all words in a dictionary + some common combinations, or he exploited some security vulnerability in some software you have running on the system to get access, or a combination of the two (discovering a weak non-root password to log in + using a security exploit to get initial root access without knowing the root password).


If the intruder was not a total novice, he probably has installed a "root kit" to your system. A root kit is a set of programs that is designed to hide the activities of the intruder from the legitimate system administrator. That means you cannot any longer trust what the system tells you: the rootkit might cause the "ps" command to hide the processes started by the intruder, the "ls" command to hide the files the intruder uses for his own purposes, etc. You can be fairly certain the intruder also has set up an extra account with root access or some other way to regain access to your system even if you change the root password.


Without knowing exactly what tools and procedures the intruder used, it's extremely difficult to undo the actions of the intruder. The best thing you can do is to make sure all your data is backed up on an external media, and then completely wipe & re-install the OS of this server. Only restore data files from your backups: all the executables should come from trusted sources only (e.g. from the original installation media, or as cryptographically secured packages from the RedHat update servers).

Fred Abell
Occasional Advisor

Re: Password Changed on Linux Server

SANS provides a free cheat sheet to help you find out if you've been hacked.


It's a place to start. If you have been hacked, I'd reload the system and harden it properly. Center for Internet Security (CIS) or the NSA have documents to help you harden your system. If you are running a website, then a whole new set of vulnerabilities exist.