Re: What if someone breaks into the root account and changes the root password?



Arrav wrote:

You call that advice?

Well, usually, if you have physical access to a computer, you can get root
easily (sometimes it's a boot option in the bootloader), depends on the OS.
In Linux, you can just load safe mode, and you will get root without need
to type password.
Another way is to boot up Knoppix or some other boot CD, edit the
/etc/shadow file (or /etc/passwd on old systems) and change the root hash
with a known hash, just go to some website that offers md5 encryption,
encrypt your password, and replace the hashes. Then restart, take the live
CD disk out, and log in with your new pass.
Yet another way is to search for some root exploit that will grant you
the root account if your system is vulnerable. Check www.milw0rm.org and
SecurityFocus and PacketStorm for those. You can (hopefully) run the
exploit as a non-root user. When you are root, change the password
regularly. And final way - reinstall the OS ;-)

I think you'll find that the initial advice from Unruh would be better than the subsequent advice from Arrav. Yeah, sure, getting the root password reset would be a doddle. The problem comes from the fact that if the root password has been compromised, there is a very strong possibility that the intruder would have installed a rootkit, backdoor or other trojaned software. The only way to ensure you have a clean system would be to perform a clean install, restore from known good backups or to compare checksums of known good files to all the system files on the compromised system, check configuration files and any source code held on the system.

The chances are that a fresh install from known good media would be the easiest/safest way to go forward.

You might want to take an image of the compromised system for a little investigation and analysis if it takes your fancy!

HTH,

Bogwitch.
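
The checksum comparison Bogwitch describes, as an added example that is not part of the original thread: it hashes every regular file in a known-good reference tree (for instance a fresh install of the same release) and in the suspect filesystem, then reports changed contents, changed permission bits, missing files and files that exist only on the suspect side. The function names and the two mount paths are assumptions; run it from trusted boot media with the suspect disk mounted read-only, because the tools on a compromised system cannot be trusted to report honestly.

```python
import hashlib
import os
import stat
import sys

def sha256_file(path, bufsize=1 << 20):
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> (sha256, permission bits) for regular files."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and sockets
            rel = os.path.relpath(full, root)
            manifest[rel] = (sha256_file(full), stat.S_IMODE(st.st_mode))
    return manifest

def compare(known_good, suspect):
    """Report differences between a known-good and a suspect manifest."""
    report = {"modified": [], "mode_changed": [], "missing": []}
    for rel, (digest, mode) in sorted(known_good.items()):
        if rel not in suspect:
            report["missing"].append(rel)
            continue
        s_digest, s_mode = suspect[rel]
        if s_digest != digest:
            report["modified"].append(rel)      # contents differ
        if s_mode != mode:
            report["mode_changed"].append(rel)  # e.g. a new setuid bit
    # Files only on the suspect tree: user data or something dropped there.
    report["unexpected"] = sorted(set(suspect) - set(known_good))
    return report

if __name__ == "__main__":
    # Usage (paths are assumptions): compare.py /mnt/reference /mnt/suspect
    good, suspect = build_manifest(sys.argv[1]), build_manifest(sys.argv[2])
    for kind, paths in compare(good, suspect).items():
        for p in paths:
            print(f"{kind}\t{p}")
```

A clean report only covers files present in the reference tree; configuration files and anything listed as unexpected still need a manual look, as the post says.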


