Guest uziamawe Posted December 29, 2006

Hi all! Can someone help? I have used Mandrake for a few years now and I am having a serious problem with Mandriva 2007. After doing a fresh install and setting up all my websites, which have already been working without trouble for a few weeks now, and being busy doing other things, I felt I needed to reboot the server because it had run for a few weeks without being rebooted. Today I rebooted it and I was unable to log in to my admin account. I tried logging in as root and was also refused. The only other way to be allowed to log in was to log in using one of my clients' accounts. I changed the password for my admin account four times, but each time I try to log on to the server using my admin account I am not being allowed. This happened a long time ago too, and I was forced to do a new install. At that time I had thought the problem happened because I did not do a fresh install but just upgraded the server from Mandrake 2005 to Mandriva 2007. Now I am worried that someone may have hacked my system. The chkrootkit which was installed immediately after the server finished being configured shows the following:

chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux/auto/Pod/Parser/.packlist
/usr/lib/perl5/site_perl/5.8.8/i386-linux/auto/Mail/SpamAssassin/.packlist
/usr/lib/ooo-2.0/program/.testtoolrc
/usr/lib/latex2html/docs/.latex2html-init
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'...
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 3013 tty7 /etc/X11/X -br -deferglyphs 16 -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-k3icYl
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
! -DHAVE_VERSION 0 USERDIR -DHAVE_VHOST_ALIAS
chkutmp: nothing deleted

Below are my questions:
1. Can someone tell me if they see any normalities anywhere in the report above.
2. I noticed the following; does this mean the system is infected:
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
I checked the server and found that it is using xinetd instead of inetd. Please note that my security is set at level 5.
3. Can someone advise as to what I should do to be able to log in again to my admin account at the boot console.
Thanks.
John
[moved from Hardware by spinynorman]
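As an added example (not code from the thread, from chkrootkit, or from Mandriva), the script below reads a chkrootkit text report in the format quoted above and separates the one outcome that actually asserts compromise ("INFECTED") from the outcomes that carry no verdict ("not found" means the binary is not installed on this host, "not tested" means the check was skipped, here because the box runs xinetd rather than inetd) and from findings that merely need a human look (hidden files under /usr/lib, a process holding a raw PF_PACKET socket, processes whose tty is missing from utmp). The sample input is constructed from an excerpt of the poster's report plus one invented "INFECTED" line so the alert path is exercised; the list of programs allowed to own a raw socket and the suffix table of known-benign hidden files are assumptions to be edited per host.

```python
"""Triage a chkrootkit text report (added example; not chkrootkit's own code)."""
import re

# Matches "Checking `name'... result" and "Searching for X... result" lines.
CHECK_RE = re.compile(r"^Checking `([^']+)'\.\.\.\s*(.*)$")
SEARCH_RE = re.compile(r"^Searching for (.+?)\.\.\.\s*(.*)$")

# Hidden files chkrootkit lists that have a well-known benign origin (assumption: extend per host).
KNOWN_BENIGN_SUFFIXES = {".packlist": "Perl module install manifest written by ExtUtils::Install"}

# Programs expected to hold a PF_PACKET (raw) socket on this server (assumption: edit per host).
EXPECTED_PACKET_SOCKET_OWNERS = {"/sbin/dhclient", "/usr/sbin/dhclient"}

# Constructed sample: an excerpt shaped like the report in the post above, plus one
# invented "INFECTED" line (the poster's real report has no INFECTED result).
SAMPLE_REPORT = """\
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `init'... not infected
Checking `login'... INFECTED
Searching for sniffer's logs, it may take a while... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux/auto/Pod/Parser/.packlist
/usr/lib/ooo-2.0/program/.testtoolrc
Searching for LPD Worm files and dirs... nothing found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `wted'... chkwtmp: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID          PID TTY    CMD
! root         3013 tty7   /etc/X11/X -br -nolisten tcp :0 vt7
chkutmp: nothing deleted
"""


def triage_chkrootkit(report: str) -> dict:
    """Classify every line of a chkrootkit report; returns lists plus an overall verdict."""
    r = {"infected": [], "not_found": [], "not_tested": [], "suspicious_files": [],
         "search_hits": [], "sniffer": [], "utmp_mismatch": []}
    collecting_files = False  # True while reading the path list after "suspicious files and dirs"
    for raw in report.splitlines():
        line = raw.rstrip()
        m = CHECK_RE.match(line)
        if m:
            collecting_files = False
            name, result = m.group(1), m.group(2)
            if "INFECTED" in result:            # the only result that asserts compromise
                r["infected"].append(name)
            elif result == "not found":         # binary absent on this host: no verdict either way
                r["not_found"].append(name)
            elif result == "not tested":        # check skipped (e.g. no inetd because xinetd is used)
                r["not_tested"].append(name)
            elif name == "sniffer" and "PF_PACKET(" in result:
                # "eth0: PF_PACKET(/sbin/dhclient)" -> record which process owns the raw socket
                for iface, proc in re.findall(r"(\S+): PF_PACKET\(([^)]+)\)", result):
                    r["sniffer"].append((iface, proc))
            continue
        m = SEARCH_RE.match(line)
        if m:
            what, result = m.group(1), m.group(2)
            collecting_files = what.startswith("suspicious files") and result == ""
            if result and result != "nothing found":
                r["search_hits"].append((what, result))
            continue
        if collecting_files and line.startswith("/"):
            r["suspicious_files"].append(line)
        elif line.startswith("! ") and not line.startswith("! RUID"):
            # chkutmp table rows: normalise whitespace, drop the "!" marker
            r["utmp_mismatch"].append(" ".join(line[1:].split()))

    unexplained_files = [f for f in r["suspicious_files"]
                         if not any(f.endswith(s) for s in KNOWN_BENIGN_SUFFIXES)]
    unexpected_sniffers = [p for _, p in r["sniffer"] if p not in EXPECTED_PACKET_SOCKET_OWNERS]
    r["needs_review"] = unexplained_files + unexpected_sniffers + [w for w, _ in r["search_hits"]]
    if r["infected"]:
        r["verdict"] = "infected"
    elif r["needs_review"]:
        r["verdict"] = "review"
    else:
        r["verdict"] = "clean"
    return r


if __name__ == "__main__":
    result = triage_chkrootkit(SAMPLE_REPORT)
    print("verdict:", result["verdict"])
    print("INFECTED:", result["infected"])
    print("not installed (no verdict):", result["not_found"])
    print("skipped checks:", result["not_tested"])
    print("needs a human look:", result["needs_review"])
    print("raw-socket owners:", result["sniffer"])
    print("utmp mismatches:", result["utmp_mismatch"])
```

Run against the poster's full report (with the invented INFECTED line absent) the verdict is "review", not "infected": the .packlist entries are Perl installer manifests, and the remaining dotfiles and the dhclient raw socket are things to confirm by hand, while the X server row under chkutmp is only a process whose tty is not registered in utmp. A login failure for root and the admin account with no INFECTED result is therefore consistent with the login-policy explanations in the replies that follow rather than with a rootkit.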
ffi Posted December 29, 2006

Root logins are not allowed by default; you need to change /etc/kde/kdm/kdmrc to allow root logins (search the text and set it to true).
Mhn Posted December 29, 2006

Are you trying to ssh to the server or logging in locally on it? Via X or without?
ianw1974 Posted December 29, 2006

I've deleted your duplicate post; please only post once. Thanks.
pmpatrick Posted January 10, 2007

All of what Mhn asked, plus: can you su to root in a console from a non-admin account? You should note that root logins are disabled by default with ssh and with a GUI. You have to log in as an ordinary user and su to root in a console. Also, if you have your security level set at "5", I believe that is the "Paranoid" level and I'd imagine that root logins in general are prohibited there. It's a security measure. In order to break in, someone would have to crack an ordinary user password and then crack your root password for root access.