Full Version: Help! I Was Hacked
tl511
I hate to admit this, but I was hacked. Today I ssh'd to my box and no root user was there. Actually, there is an entry in /etc/passwd for root and /etc/shadow, but I cannot su as root nor is there any root icon at login screen (SuSE 8.0).

Can anyone help? I tried passwd recovery many ways but nothing seems to change it when I normal boot. I can get on the system as the other users, but not as root. What can I do? I closed all the ports on my firewall until I figure out how I was hacked. I did notice in my log that just recently this showed up (as in today): inetd getpwnam: root: No such user.

I tried removing the text between the first two colons after root in /etc/shadow but it did not seem to help. Any ideas how I can get back in as root?

Thanks for the help,
hughesjr
Yes ... I can probably get you back in as root ...

BUT then you should check for a rootkit install....

If a rootkit has been installed, it modifies executable files (like ps, netstat, top, iptables, etc.) to mask activity and not show certain processes. Basically, you can't trust any executable on the system if a rootkit has been installed.

If any rootkit has been installed, then you should copy all important data off the machine, then erase everything (including all the partitions) and reinstall. Make sure to use the fdisk from your CDROM and not the fdisk already on the hard drive when you repartition, or you may have an invisible partition still there...

Here is a good article with some programs to do rootkit detection.
-------------------------------------------------------
How to get back on the system as root {... maybe :) }

(I am doing this on a SuSE 9.0 system vice 8.0 ... so the steps might be a little different)

Both these solutions require physical access to the machine...

1. Boot to single user mode by typing the number 1 in the boot options block. You may be asked for the root password (if so, this won't work for you). Some versions of SUSE don't ask for the root password.

2. Boot with the SuSE install CD (cd-1)... select Rescue Mode. This asks for a username (root) but no password ...

Once at the prompt from either method, type passwd root to try and set the root password...

passwd for root may not work if there is a rootkit installed ... and even if it works, there may still be a rootkit installed.

Reboot and login as root ... download and install chkrootkit per the instructions on the site. There is also lots of good info at the chkrootkit site.
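One concrete form of the "trojaned ps hides processes" check hughesjr describes, added here as an example (not code from the thread, from SuSE or from chkrootkit): list PIDs straight from /proc and compare them with what the ps binary reports. Anything in /proc that ps omits is suspicious; the script assumes a Linux box with /proc mounted and a ps that accepts -e -o pid=, and it re-reads /proc so processes that simply exited between the two snapshots are not reported. A kernel-level rootkit can hide from /proc as well, so an empty result is not proof of a clean system.

```python
import os
import subprocess


def pids_from_proc():
    """Enumerate process IDs by reading /proc directly, bypassing ps."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def parse_ps_output(text):
    """Parse 'ps -e -o pid=' output (one PID per line) into a set of ints."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def pids_from_ps():
    """Process IDs as reported by the ps binary, which may have been replaced."""
    result = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True)
    return parse_ps_output(result.stdout)


def hidden_pids(proc_pids, ps_pids, still_alive=None):
    """PIDs present in /proc but missing from ps output, sorted.

    still_alive, when given, is a predicate used to drop PIDs that were
    simply short-lived (exited after the /proc snapshot and before ps ran).
    """
    candidates = set(proc_pids) - set(ps_pids)
    if still_alive is not None:
        candidates = {pid for pid in candidates if still_alive(pid)}
    return sorted(candidates)


def scan():
    """Take the /proc snapshot first, then ps; a ps spawned afterwards is
    therefore never in the /proc set and cannot show up as a false hit."""
    proc_snapshot = pids_from_proc()
    ps_snapshot = pids_from_ps()
    return hidden_pids(proc_snapshot, ps_snapshot,
                       still_alive=lambda pid: os.path.isdir(f"/proc/{pid}"))


if __name__ == "__main__":
    found = scan()
    if found:
        print("PIDs visible in /proc but not reported by ps:", found)
    else:
        print("ps and /proc agree (this does not rule out a kernel rootkit)")
```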
hughesjr
Here is another great article on checking for rootkits (page 2 is especially good ... it tells you how to scan your system).
hughesjr
In our news section look at the Debian.org rootkit issues that happened 11/19 and 11/20:

http://www.linuxhelp.ca/forums/index.php?a...t=ST&f=6&t=2056