Problem logging into Mandriva 2007


Guest uziamawe

Hi all!

 

Can someone help.

 

I have used Mandrake for a few years now and I am having a serious problem with Mandriva 2007.

 

I did a fresh install and set up all my websites, which have already been working without trouble for a few weeks now.

 

Being busy with other things, I felt I needed to reboot the server because it had run for a few weeks without being rebooted. Today I rebooted it and I was unable to log in to my admin account. I tried logging in as root and was also refused.

 

The only other way I was allowed to log in was by using one of my clients' accounts.

 

I changed the password for my admin account four times, but each time I try to log on to the server using my admin account I am not allowed in. This happened once before, a long time ago, and I was forced to do a new install. At that time I thought the problem happened because I did not do a fresh install but just upgraded the server from Mandrake 2005 to Mandriva 2007. Now I am worried that someone may have hacked my system. The chkrootkit which was installed immediately after the server finished being configured shows the following:

 

chkrootkit

ROOTDIR is `/'

Checking `amd'... not found

Checking `basename'... not infected

Checking `biff'... not found

Checking `chfn'... not infected

Checking `chsh'... not infected

Checking `cron'... not infected

Checking `crontab'... not infected

Checking `date'... not infected

Checking `du'... not infected

Checking `dirname'... not infected

Checking `echo'... not infected

Checking `egrep'... not infected

Checking `env'... not infected

Checking `find'... not infected

Checking `fingerd'... not found

Checking `gpm'... not found

Checking `grep'... not infected

Checking `hdparm'... not infected

Checking `su'... not infected

Checking `ifconfig'... not infected

Checking `inetd'... not tested

Checking `inetdconf'... not found

Checking `identd'... not found

Checking `init'... not infected

Checking `killall'... not infected

Checking `ldsopreload'... not infected

Checking `login'... not infected

Checking `ls'... not infected

Checking `lsof'... not infected

Checking `mail'... not infected

Checking `mingetty'... not infected

Checking `netstat'... not infected

Checking `named'... not infected

Checking `passwd'... not infected

Checking `pidof'... not infected

Checking `pop2'... not found

Checking `pop3'... not found

Checking `ps'... not infected

Checking `pstree'... not infected

Checking `rpcinfo'... not infected

Checking `rlogind'... not found

Checking `rshd'... not found

Checking `slogin'... not infected

Checking `sendmail'... not found

Checking `sshd'... not infected

Checking `syslogd'... not infected

Checking `tar'... not infected

Checking `tcpd'... not infected

Checking `tcpdump'... not infected

Checking `top'... not infected

Checking `telnetd'... not found

Checking `timed'... not found

Checking `traceroute'... not infected

Checking `vdir'... not infected

Checking `w'... not infected

Checking `write'... not infected

Checking `aliens'... no suspect files

Searching for sniffer's logs, it may take a while... nothing found

Searching for HiDrootkit's default dir... nothing found

Searching for t0rn's default files and dirs... nothing found

Searching for t0rn's v8 defaults... nothing found

Searching for Lion Worm default files and dirs... nothing found

Searching for RSHA's default files and dir... nothing found

Searching for RH-Sharpe's default files... nothing found

Searching for Ambient's rootkit (ark) default files and dirs... nothing found

Searching for suspicious files and dirs, it may take a while...

/usr/lib/perl5/5.8.8/i386-linux/auto/Pod/Parser/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux/auto/Mail/SpamAssassin/.packlist /usr/lib/ooo-2.0/program/.testtoolrc /usr/lib/latex2html/docs/.latex2html-init

 

Searching for LPD Worm files and dirs... nothing found

Searching for Ramen Worm files and dirs... nothing found

Searching for Maniac files and dirs... nothing found

Searching for RK17 files and dirs... nothing found

Searching for Ducoci rootkit... nothing found

Searching for Adore Worm... nothing found

Searching for ShitC Worm... nothing found

Searching for Omega Worm... nothing found

Searching for Sadmind/IIS Worm... nothing found

Searching for MonKit... nothing found

Searching for Showtee... nothing found

Searching for OpticKit... nothing found

Searching for T.R.K... nothing found

Searching for Mithra... nothing found

Searching for OBSD rk v1... nothing found

Searching for LOC rootkit... nothing found

Searching for Romanian rootkit... nothing found

Searching for HKRK rootkit... nothing found

Searching for Suckit rootkit... nothing found

Searching for Volc rootkit... nothing found

Searching for Gold2 rootkit... nothing found

Searching for TC2 Worm default files and dirs... nothing found

Searching for Anonoying rootkit default files and dirs... nothing found

Searching for ZK rootkit default files and dirs... nothing found

Searching for ShKit rootkit default files and dirs... nothing found

Searching for AjaKit rootkit default files and dirs... nothing found

Searching for zaRwT rootkit default files and dirs... nothing found

Searching for Madalin rootkit default files... nothing found

Searching for Fu rootkit default files... nothing found

Searching for ESRK rootkit default files... nothing found

Searching for rootedoor... nothing found

Searching for ENYELKM rootkit default files... nothing found

Searching for anomalies in shell history files... nothing found

Checking `asp'... not infected

Checking `bindshell'... not infected

Checking `lkm'... Checking `rexedcs'... not found

Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)

Checking `w55808'... not infected

Checking `wted'... chkwtmp: nothing deleted

Checking `scalper'... not infected

Checking `slapper'... not infected

Checking `z2'... chklastlog: nothing deleted

Checking `chkutmp'... The tty of the following user process(es) were not found

in /var/run/utmp !

! RUID PID TTY CMD

! root 3013 tty7 /etc/X11/X -br -deferglyphs 16 -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-k3icYl

! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS

! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS

! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS

! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS

! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS

! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS

! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS

! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS

! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS

chkutmp: nothing deleted

 

Below are my questions:

 

1. Can someone tell me if they see any abnormalities anywhere in the report above.

 

2. I noticed the following; does this mean the system is infected:

 

Checking `inetd'... not tested

Checking `inetdconf'... not found

Checking `identd'... not found

Checking `init'... not infected

 

I checked the server and found that it is using xinetd instead of inetd. Please note that my security is set at level 5.

 

3. Can someone advise as to what I should do to be able to log in again to my admin account at the boot console.

 

Thanks.

 

John

 

 

[moved from Hardware by spinynorman]


  • 2 weeks later...

All of what Mhn asked plus can you su to root in a console from a non-admin account?

 

You should note that root logins are disabled by default with ssh and with a GUI. You have to log in as an ordinary user and su to root in a console. Also, if you have your security level set at "5", I believe that is the "Paranoid" level and I'd imagine that root logins in general are prohibited there. It's a security measure. In order to break in, someone would have to crack an ordinary user password and then crack your root password for root access.
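As an added example (not part of the thread, and not a Mandriva tool), the script below checks the two places a refused console login for root or an admin account usually traces back to: the account's /etc/shadow entry (locked hash, expired account, expired password) and /etc/securetty, which pam_securetty uses to restrict where root may log in on the console. The shadow entries, securetty contents and "today" value are constructed sample data; on a real box you would feed it `getent shadow admin` and the output of `date +%s` divided by 86400.

```shell
#!/bin/sh
# Added example: classify /etc/shadow entries and /etc/securetty rules.
# Sample data is constructed; field layout follows shadow(5):
#   login:hash:lastchg:min:max:warn:inactive:expire:reserved

# shadow_status ENTRY TODAY_DAYS
# Prints one of: empty-password, locked, expired, password-expired, ok
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        pw = $2; lastchg = $3; maxd = $5; expire = $8
        if (pw == "")      { print "empty-password"; exit }   # no password set at all
        if (pw ~ /^[!*]/)  { print "locked"; exit }           # "!" or "*" prefix: hash never matches
        if (expire != "" && expire + 0 <= today) { print "expired"; exit }
        if (maxd != "" && maxd + 0 < 99999 && lastchg + 0 + maxd + 0 < today) {
            print "password-expired"; exit                    # past max age: change forced or login refused
        }
        print "ok"
    }'
}

# report_shadow SHADOW_CONTENT TODAY_DAYS : one "user status" line per entry
report_shadow() {
    printf '%s\n' "$1" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s %s\n' "${entry%%:*}" "$(shadow_status "$entry" "$2")"
    done
}

# securetty_allows TTY SECURETTY_CONTENT : "yes" if root may log in on TTY
securetty_allows() {
    printf '%s\n' "$2" | grep -qxF -- "$1" && echo yes || echo no
}

TODAY=13500                       # constructed: days since epoch (late 2006)
SAMPLE_SHADOW='admin:!$1$abc$hash:13400:0:99999:7:::
root:$1$abc$hash:13000:0:90:7:::
client:$1$abc$hash:13450:0:99999:7:::
old:$1$abc$hash:13000:0:99999:7::13400:'
SAMPLE_SECURETTY='tty1
tty2
tty7'

echo "== shadow status (today=$TODAY) =="
report_shadow "$SAMPLE_SHADOW" "$TODAY"
echo "== root permitted on tty? =="
for t in tty1 tty7 pts/0; do
    printf '%s: %s\n' "$t" "$(securetty_allows "$t" "$SAMPLE_SECURETTY")"
done
```

In the sample, admin is locked (a `!` prefix, which is also what `passwd -l` writes), root's password has aged out, and old's account has expired; a tty missing from securetty refuses root even with the correct password.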
