Hi all!
Can someone help?
I have used Mandrake for a few years now and I am having a serious problem with Mandriva 2007.
I did a fresh install and set up all my websites, which have been working without trouble for a few weeks now.
Being busy with other things, I felt I needed to reboot the server because it had run for a few weeks without being rebooted. Today I
rebooted it and I was unable to log in to my admin account. I tried logging in as root and was also refused.
The only other way to be allowed to log in was to use one of my clients' accounts.
I changed the password for my admin account four times, but each time I try to log on to the server using my admin account I am not allowed in. This happened a long time ago as well, and I was forced to do a new install. At that time I thought the problem happened because I did not do a fresh install but just upgraded the server from Mandrake 2005 to Mandriva 2007. Now I am worried that someone may have hacked my system. chkrootkit, which was installed immediately after the server finished being configured, shows the following:
chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux/auto/Pod/Parser/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux/auto/Mail/SpamAssassin/.packlist /usr/lib/ooo-2.0/program/.testtoolrc /usr/lib/latex2html/docs/.latex2html-init
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3013 tty7 /etc/X11/X -br -deferglyphs 16 -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-k3icYl
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
chkutmp: nothing deleted
Below are my questions:
1. Can someone tell me if they see any abnormalities anywhere in the report above.
2. I noticed the following; does this mean the system is infected?
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
I checked the server and found that it is using xinetd instead of inetd. Please note that my security is set at level 5.
3. Can someone advise as to what I should do to be able to log in again to my admin account at the boot console.
Thanks.
John
[moved from Hardware by spinynorman]
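A chkrootkit report like the one above mixes three kinds of lines: real indicators (`INFECTED`, `Warning: ...`), checks that were skipped because the binary or config is simply absent (`not found`, `not tested`, which is what happens for `inetd` on a host that runs xinetd), and checks that print raw data for a human to judge (`sniffer`, `chkutmp`, `suspicious files and dirs`). The script below is an added example, not code from the post or from the chkrootkit project: it parses the report format shown above and applies triage rules to it. The allowlists (`BENIGN_PF_PACKET`, `BENIGN_NO_UTMP`, `BENIGN_DOTFILES`) are assumptions for a typical web server, and treating the `! -DHAVE_VERSION ...` rows as chkutmp column-parsing artefacts (rows with no user, PID or TTY) is likewise an assumption that should be confirmed against `ps -eo user,pid,tty,args` on the host. The sample report is constructed from a subset of the lines in the post.

```python
"""Triage a chkrootkit report: separate real indicators from noise.

Added example, not from the post or from chkrootkit itself. The allowlists
below are assumptions and must be adjusted to what the host actually runs.
"""
import re
from dataclasses import dataclass

CHECK_RE = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\. ?(?P<result>.*)$")
SEARCH_RE = re.compile(r"^Searching for (?P<name>.+?)\.\.\. ?(?P<result>.*)$")
# A well-formed chkutmp row looks like "! <user> <pid> <tty> <command line>".
UTMP_ROW_RE = re.compile(
    r"^! (?P<ruid>[A-Za-z_][\w-]*) (?P<pid>[1-9]\d*) (?P<tty>\S+) (?P<cmd>.+)$")

# Programs that legitimately open PF_PACKET sockets (assumption).
BENIGN_PF_PACKET = {"dhclient", "dhcpd", "dhcpcd", "tcpdump", "arpwatch"}
# The X server runs on a virtual terminal without writing a utmp entry, so
# chkutmp lists it on every desktop-enabled host (assumption: these paths).
BENIGN_NO_UTMP = {"/etc/X11/X", "/usr/bin/X", "/usr/X11R6/bin/X"}
# Dot-files that Perl module installs drop under /usr/lib (assumption).
BENIGN_DOTFILES = (".packlist",)


@dataclass
class Finding:
    severity: str  # "critical" | "review" | "info"
    check: str
    detail: str


def _classify_result(name, result):
    """Map one Checking/Searching result to a Finding, or None if clean."""
    if "INFECTED" in result or result.startswith("Warning"):
        return Finding("critical", name, result)
    if result in ("not tested", "not found"):
        # The binary or config is absent, so the test was skipped; this is
        # not an infection indicator (e.g. no inetd on an xinetd host).
        return Finding("info", name, "skipped: " + result)
    if name == "sniffer":
        if "PROMISC" in result:
            return Finding("review", name, result)
        m = re.search(r"PF_PACKET\(([^)]+)\)", result)
        if m:
            prog = m.group(1).rsplit("/", 1)[-1]
            return Finding("info" if prog in BENIGN_PF_PACKET else "review",
                           name, result)
    return None


def triage(report):
    """Return the list of Findings for a chkrootkit report given as a string."""
    findings = []
    lines = report.splitlines()
    i = 0
    while i < len(lines):
        m = CHECK_RE.match(lines[i]) or SEARCH_RE.match(lines[i])
        if not m:
            i += 1
            continue
        name, result = m.group("name"), m.group("result")
        if name == "chkutmp":
            # Process rows follow until the "chkutmp: ..." summary line.
            i += 1
            while i < len(lines) and not lines[i].startswith("chkutmp:"):
                row = lines[i]
                um = UTMP_ROW_RE.match(row)
                if um:
                    binary = um.group("cmd").split()[0]
                    sev = "info" if binary in BENIGN_NO_UTMP else "review"
                    findings.append(Finding(sev, name, "%s pid %s %s: %s" % (
                        um.group("ruid"), um.group("pid"), um.group("tty"),
                        um.group("cmd"))))
                elif row.startswith("! ") and not row.startswith("! RUID"):
                    # chkutmp splits `ps` output by column; a long or wrapped
                    # command line yields rows with no user, pid or tty.
                    findings.append(Finding("review", name,
                                            "malformed row: " + row[2:]))
                i += 1
            continue
        if name.startswith("suspicious files") and not result:
            # The matching paths are printed on the following line(s).
            i += 1
            while i < len(lines) and not (CHECK_RE.match(lines[i])
                                          or SEARCH_RE.match(lines[i])):
                for path in lines[i].split():
                    sev = "info" if path.endswith(BENIGN_DOTFILES) else "review"
                    findings.append(Finding(sev, "suspicious files", path))
                i += 1
            continue
        f = _classify_result(name, result)
        if f:
            findings.append(f)
        i += 1
    return findings


def worst_severity(findings):
    """Overall verdict: 'clean', 'info', 'review' or 'critical'."""
    order = {"critical": 2, "review": 1, "info": 0}
    return max((f.severity for f in findings), key=order.get, default="clean")


# Constructed sample: a subset of the report lines from the post above.
SAMPLE = """\
Checking `basename'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `login'... not infected
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux/auto/Pod/Parser/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux/auto/Mail/SpamAssassin/.packlist /usr/lib/ooo-2.0/program/.testtoolrc /usr/lib/latex2html/docs/.latex2html-init
Searching for Suckit rootkit... nothing found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3013 tty7 /etc/X11/X -br -deferglyphs 16 -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-k3icYl
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
chkutmp: nothing deleted
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.severity.upper(), f.check, f.detail)
    print("verdict:", worst_severity(triage(SAMPLE)))
```

Run on the constructed sample this yields a verdict of `review`, not `critical`: the skipped `inetd`/`inetdconf` checks and the `dhclient` PF_PACKET socket are informational, the X server row is expected, and what is left to look at by hand are the two non-`.packlist` dot-files and the malformed chkutmp rows. On an rpm-based system such as Mandriva, a flagged path can be attributed to its package with `rpm -qf <path>`, and `rpm -Va` compares installed binaries against package checksums. Bear in mind that chkrootkit run on the suspect host trusts that host's `ps`, `ls` and `netstat`; a verdict worth acting on comes from running it, or the rpm verification, from a rescue medium.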