Random Change of Password?

Associate
Joined
1 Aug 2003
Posts
1,053
I have a box running Xebian and I can no longer SSH into it.

It would seem that the password has changed and yet I didn't change it... what am I to do?

The last thing that I remember doing that may have had an impact was some file modifications and changing root's home folder but that shouldn't have done this.

I have NAT on my router so doubt someone could have hacked it, any ideas?
 
Man of Honour
Soldato
Joined
2 Aug 2005
Posts
8,721
Location
Cleveland, Ohio, USA
You can boot it at a lower runlevel to give you root access with no questions asked if you have physical access. I've no idea how it got changed. Shouldn't they all be in /usr/passwd? Moving root's home directory shouldn't break that.

Are all your accounts hosed, or is it just root?
 
Associate
OP
Joined
1 Aug 2003
Posts
1,053
Due to what I used it for - there was only root (at least if I did set up other accounts I've forgotten about them by now)

I thought I wasn't able to reset the password at lower run levels? AFAIK I thought the only way to recover from this was to remove the main drive, rewrite the security descriptors for the drive and delete the root password - other ideas?
 
Soldato
Joined
9 Dec 2004
Posts
5,696
Location
Dorset
Don't think it differs with Debian based distributions, but typically (as Billy says) you can boot into a lower runlevel as root without a prompt for password, then just change it. As he notes, you need to have physical access to the machine for this.
 
Associate
Joined
28 Nov 2003
Posts
1,906
Location
/home
Don't know if this is at all applicable in this case, but you could try typing your password (or all the letters from it) into the username bit of the login (then delete!!) just to make sure the keyboard language settings haven't changed for some reason :)
 

Una

Associate
Joined
26 Nov 2004
Posts
2,471
Location
Reading / Lake District
Due to what I used it for - there was only root (at least if I did set up other accounts I've forgotten about them by now)

I thought I wasn't able to reset the password at lower run levels? AFAIK I thought the only way to recover from this was to remove the main drive, rewrite the security descriptors for the drive and delete the root password - other ideas?

No, there are a million ways to change the password if you have physical access to the box. /etc/passwd and /etc/shadow are the files which store your password, not /usr/passwd as Billy said.

As mentioned above, however, booting to a lower runlevel and using root to change it can do. If you can't do that just use a livecd and mount the fs or something like http://www.piotrbania.com/all/kon-boot/ ..

SELINUX / grsec patches however can complicate stuff if it's been locked down even further..
 
Associate
Joined
4 May 2003
Posts
582
If you have NAT on your router I doubt anybody brute forced your SSH login. Once you gain access take a look at your auth.log file (IIRC) and look for any failures. Be careful though, if it has been hacked you could have a rootkit or something along those lines, in which case it is probably best to reformat.

If your SSH is open to the dangerous wild world I would seriously consider running DenyHosts, which will limit the amount of SSH attempts from source IPs and will automatically provide you with a blacklist of dangerous source IPs. Good bit of software.
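
The auth.log check suggested above, as an added example that is not part of the original post: it counts sshd password failures and successes per source address and marks whether each source is on the LAN (RFC 1918), which is what separates the "brute forced from the WAN" and "another machine on my network" theories in this thread. The log lines are constructed samples in the usual OpenSSH syslog format; the function names and the failure threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH syslog format (not from the thread).
SAMPLE_AUTH_LOG = """\
Mar  3 21:14:02 xebian sshd[812]: Failed password for root from 192.168.0.23 port 4021 ssh2
Mar  3 21:14:05 xebian sshd[812]: Failed password for root from 192.168.0.23 port 4021 ssh2
Mar  3 21:14:09 xebian sshd[815]: Failed password for invalid user admin from 192.168.0.23 port 4033 ssh2
Mar  3 21:15:40 xebian sshd[820]: Accepted password for root from 192.168.0.23 port 4050 ssh2
Mar  4 09:02:11 xebian sshd[901]: Failed password for root from 203.0.113.77 port 51515 ssh2
Mar  4 18:30:00 xebian sshd[950]: Accepted password for root from 192.168.0.10 port 3999 ssh2
"""

# RFC 1918 ranges: a source outside these reached sshd from beyond the NAT.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def is_lan(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # a hostname or malformed field is treated as non-LAN
        return False
    return any(addr in net for net in LAN_NETS)

def summarize(log_text):
    """Return {ip: {"failed": n, "accepted": n, "users": set, "lan": bool}}."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        entry[m["result"].lower()] += 1
        entry["users"].add(m["user"])
    return {ip: dict(e, lan=is_lan(ip)) for ip, e in stats.items()}

def suspicious(stats, max_failures=2):
    """Sources outside the LAN, or that logged in after repeated failures."""
    return sorted(
        ip for ip, e in stats.items()
        if not e["lan"] or (e["accepted"] and e["failed"] >= max_failures)
    )
```

On Debian-based systems the file is normally /var/log/auth.log; pass its contents to summarize() in place of the sample.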
 
Associate
OP
Joined
1 Aug 2003
Posts
1,053
That's the thing - SSH should not be possible from WAN. All inbound services are denied other than IM and BT.

It's quite a puzzler... The only thing that I can think of, given the fact that my router seems to be unaffected, is that they hacked a Windows machine on my network which then went on to do naughty things but that seems awfully convoluted and over the top for my warez etc
 
Associate
OP
Joined
1 Aug 2003
Posts
1,053
I don't have access to a USB adapter at the moment so can't attach a keyboard so am going to try an SSH brute force to get back in over the network, anyone have any recommendations?

I tried Arudius Live CD but it didn't seem to work with my computer's onboard NIC card or my wireless card. Does it not auto configure the cards or....?
 
Associate
OP
Joined
1 Aug 2003
Posts
1,053
Right... I configured my cards (really not used to the Slackware ways) and even got airsnort working which was interesting.

I spent ages trying to work out why it wasn't playing ball and eventually found out that the cross over patch cable was at fault, grrr. I think I'm going to call it a night for now.

As far as the Arudius package goes - it's damned cool. I'd have preferred it in a different flavour of Linux but that's just because I know very little of Slackware. Had a bit of a play with some of the bits of software and they might come in useful at some point.
 