HPE Community
Operating System - HP-UX
1829737 Members
1729 Online
109992 Solutions
New Discussion

How to check when root password was changed and by whom?

 
Somnath Chatterjee
Occasional Advisor

‎02-21-2007 11:10 PM

‎02-21-2007 11:10 PM

How to check when root password was changed and by whom?

Hi,
I am new to this forum and very new to HPUX.
I have a problem. Someone ( I dont know who ) has changed the root password for one hp9000 box and we are unable to su in. Although rlogin option is there, but that is not preferred. So is there any way to find out when this root password was changed and by whom ?
0 Kudos
Reply
3 REPLIES 3
Peter Godron
Honored Contributor

‎02-21-2007 11:30 PM

‎02-21-2007 11:30 PM

Re: How to check when root password was changed and by whom?

Hi,
and welcome to the forums !

Please see:
"How to find the last password change date in HP"
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=151113

If the password was changed via su check the /var/adm/sulog.

Best to change the root password again and not let anybody know the new password. Also, at least, check the users logged on over the next few days.

Please also read:
http://forums1.itrc.hp.com/service/forums/helptips.do?#33 on how to reward any useful answers given to your questions.

0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎02-22-2007 01:19 AM

‎02-22-2007 01:19 AM

Re: How to check when root password was changed and by whom?

You can see when it was changed by:

# /usr/lbin/getprpw -m spwchg root

This will show the date and time it was changed. However, unless you can track who was logged in as root at that time, or possibly who has sudo root access, then it will be quite difficult to determine who changed it.

Now, the problem in your situation is that you must have root access to do the above. If you can't su to root, then you could have a problem. If you can rlogin from another system as root (very insecure by the way) then you should be OK.
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎02-22-2007 01:42 AM

‎02-22-2007 01:42 AM

Re: How to check when root password was changed and by whom?

The root password can only be changed by the root user. ANYONE who knows the root password can become root. The record of who did this requires several layers of inspection. First, you need to narrow the possible timeframe for the change. Did it occur in a 4 hour window or 2 days, or... Then, you look at the output from the last command to see all root logins:

last -R -100 root

This shows the last 100 successful root logins including date and time and the first 15 characters of the hostname performing the login. Look at the time logins during the suspect time range.

If rlogin is allowed and configured for root, there is not much you can do except to assume your machine has been hacked. rlogin, rexec and remsh (rsh from other boxes) are terrible security risks and should be disabled on all machines.

Once you regain control of your machine, you change the root password and do NOT tell anyone else what it is. You then install sudo and add only very few users to the sudoers file. And do not give those users every command, especially not a shell or the (ALL) capability.


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.