Root password changing itself



mzainal
19th July 2006, 08:17 AM
I'm using Core 5. My problem is that my root password changes itself. When I reset and turn off the PC, I must use the older password. Is it possible that any service changes the root password? :mad:

pparks1
19th July 2006, 03:02 PM
I've never heard of this. Any chance that your box was hacked or rootkit'd?

HaydnH
19th July 2006, 06:44 PM
You could remove root's write permission to the shadow files as a temporary solution, but you need to find out what is doing this. Check out the rc files for anything that moves, copies or writes to /etc/shadow or /etc/passwd using:

grep -Hnrs 'shadow\|passwd' /etc/rc.d/*

Line 15 of the *saslauthd files is ok, anything else needs looking at. If that doesn't show anything unusual, try other paths like root's home directory etc., or if you've got time just run that command on /, although you may want to redirect the output to a file as there may be a lot of files containing either shadow or passwd.

However, if you continue to find weird things happening I would suggest a full reinstall. It's the only real way to fix a compromised machine. Just make sure you're changing the passwd correctly and it's not a human error thing.

Haydn.

mjnunneley
12th November 2006, 05:33 AM
I too have the problem that my samba password is reset every time I reboot my FC5 (or FC6). Has anyone found a solution?

Michael

JoeyJoJoe
12th November 2006, 04:49 PM
I'm going to have to agree with some other people's comments here, especially pparks, that this might be a hack/rootkit... I've not heard anything of this before.

What might be an idea to do is log in as super user (root) and look at /var/log/secure after changing the password and try to figure out what is going on... it should actually have older entries, so it might even be more useful. To say that in a way which isn't rambling:

1) change root password
2) go to a terminal and type:

su -
new root password
gedit /var/log/secure

3) look through that log and see what is going on when the password is changed, then have a look to see any times when this happened without you telling it to, and who was doing it and from where

As a side note, have you ever turned off remote root login from ssh? I find this causes a lot of problems... I wish that it would come switched off, to tell you the truth; if you want it you'll know how to get it to work.
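
An added example, not part of the thread: one way to do the log review from step 3 without reading /var/log/secure by eye. It lists password changes and accepted ssh logins for a user, then flags changes that follow a remote login. The function names, the sample lines and the assumed pam_unix and sshd message formats are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed message formats:
#   pam_unix: "... password changed for <user>"
#   sshd:     "... Accepted <method> for <user> from <ip> port ..."

# Constructed sample lines in /var/log/secure layout; the host name, PIDs
# and the 203.0.113.7 documentation address are made up.
sample_log() {
cat <<'EOF'
Jul 19 08:02:11 fc5box passwd: pam_unix(passwd:chauthtok): password changed for root
Jul 19 08:03:40 fc5box sshd[2190]: Failed password for root from 203.0.113.7 port 51120 ssh2
Jul 19 08:03:44 fc5box sshd[2190]: Accepted password for root from 203.0.113.7 port 51120 ssh2
Jul 19 08:05:02 fc5box passwd: pam_unix(passwd:chauthtok): password changed for root
Jul 19 09:15:30 fc5box passwd: pam_unix(passwd:chauthtok): password changed for michael
EOF
}

# audit_secure LOGFILE [USER]   ("-" reads stdin, USER defaults to root)
# Prints one line per event:
#   PWCHANGE <timestamp> <process tag>
#   LOGIN    <timestamp> <auth method> <source ip>
audit_secure() {
    awk -v user="${2:-root}" '
    { ts = $1 " " $2 " " $3; tag = $5; sub(/:$/, "", tag) }
    # Password change made through PAM; the user name is the last field.
    /password changed for/ && $NF == user { print "PWCHANGE", ts, tag }
    # Successful ssh authentication for the user, with its source address.
    $5 ~ /^sshd\[/ && $6 == "Accepted" && $9 == user { print "LOGIN", ts, $7, $11 }
    ' "${1:--}"
}

# changes_after_remote_login LOGFILE [USER]
# Password changes that come after an accepted ssh login for USER: the
# entries to compare against the changes you made yourself.
changes_after_remote_login() {
    audit_secure "$1" "${2:-root}" | awk '
    $1 == "LOGIN"           { src = $NF }
    $1 == "PWCHANGE" && src { print $2, $3, $4, "after login from", src }'
}
```

Run as root, `changes_after_remote_login /var/log/secure` prints nothing when no password change followed a remote root login in that file.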