server hacked and root PW changed

Support for security such as Firewalls and securing linux
BruceAtMaxup
Posts: 4
Joined: 2006/06/13 22:49:09

server hacked and root PW changed

Post by BruceAtMaxup » 2006/06/23 19:14:52

Someone hacked into my CentOS server and changed the root PW. Is there a way to recover or change the password? Alternatively, is there a way to create a bootable floppy and mount a filesystem?

ixeous
Posts: 113
Joined: 2005/07/07 13:01:59

server hacked and root PW changed

Post by ixeous » 2006/06/23 20:10:10

Boot into single user mode. You can do that by modifying the grub boot option on startup.

1. Press 'e' to edit startup
2. Use the arrow keys to highlight the kernel line and press 'e' to edit the parameters
3. At the end of the line, add the word 'single' (without the ') and press Enter
4. Press 'b' to boot the system

You will be dropped directly into a bash shell as root and can change the password. You can also access your file system from there. You will not have any network access while in single user mode, though, so you can't copy data to another machine if that's what you wanted to do.

BTW - if it's been hacked, the best thing is just to rebuild the machine.

chattr
Posts: 76
Joined: 2006/01/27 09:54:28

Re: server hacked and root PW changed

Post by chattr » 2006/07/06 15:24:39

Did this server have all updated packages applied to it?

Agreed, if your server has been hacked your best bet is to rebuild from bare metal and restore user data from a *known* good backup. You may also want to do a backup before you can do this so you can perform some forensics on it to see how it was hacked.

If you can't do this, then try running chkrootkit to search for any trojan binaries.

garskoci
Posts: 93
Joined: 2006/07/08 14:50:57
Location: Houston, TX

Re: server hacked and root PW changed

Post by garskoci » 2006/07/17 18:21:50

Any idea how they broke in? Did they have physical access to the box? Is Grub password protected??? If Grub isn't password protected and people have physical access to the box, you're wide open!
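A check for the GRUB password protection raised in this thread, as an added example that is not part of any poster's reply: it audits a GRUB legacy config for a global `password` directive, which is what stops someone at the console from pressing 'e' and appending `single`. The function names and sample configs are constructed for illustration, and the script assumes the GRUB legacy syntax used on CentOS 4 (`/boot/grub/grub.conf`).

```shell
#!/bin/sh
# Added example: audit a GRUB legacy config for a global password directive.

# Returns 0 if a hashed global password is set, 1 if it is stored in
# plaintext, 2 if there is none (anyone at the console can press 'e').
audit_grub_conf() {
    # Directives before the first "title" line are global; a password
    # inside a title block only affects that one entry.
    global=$(sed '/^[[:space:]]*title[[:space:]]/,$d' "$1")
    pw=$(printf '%s\n' "$global" |
         grep -E '^[[:space:]]*password([[:space:]]|=)' | head -n 1)
    if [ -z "$pw" ]; then
        echo "FAIL: $1: no global password, boot entries are editable"
        return 2
    fi
    case $pw in
        *--md5*) echo "OK: $1: hashed global password"; return 0 ;;
        *)       echo "WARN: $1: plaintext global password"; return 1 ;;
    esac
}

# True when "other" can read the file; the password hash should be 0600.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Constructed sample configs (not taken from any real system).
write_samples() {
    cat > "$1/open.conf" <<'EOF'
default=0
timeout=5
title CentOS (constructed entry)
	root (hd0,0)
	kernel /vmlinuz-PLACEHOLDER ro root=LABEL=/
EOF
    { echo 'password --md5 $1$CONSTRUCTED$placeholderhash';
      cat "$1/open.conf"; } > "$1/locked.conf"
    { cat "$1/open.conf"; echo '	password plaintext-example'; } > "$1/entry_only.conf"
    chmod 600 "$1/locked.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in open locked entry_only; do
    audit_grub_conf "$demo_dir/$f.conf" || true
    is_world_readable "$demo_dir/$f.conf" && echo "WARN: $f.conf is world-readable"
done
rm -rf "$demo_dir"
```

On a real system, point `audit_grub_conf` at `/boot/grub/grub.conf`; a hash for the `password --md5` line is generated with `grub-md5-crypt`.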
