[WBEL-users] Password changing overnight.

Graham Waring liverbird89@hotmail.com
Tue, 17 Aug 2004 12:24:14 +1000


G'day all,

I agree here, in my 8 years' experience in Linux I have not had a root 
password change itself.....not yet anyway...but never discount anything!  My 
money is on some smart-arse changing it for you.  To identify the smart-arse 
check the usual output of last and history and also have a look at 
/var/log/wtmp.  (You probably do this anyway but) cd to /var/log and run 
utmpdump wtmp and check its useful output.  Your issue could be a major pain 
if you are remote and going into single user to change the root password 
involves a 2 hour drive and grub is password protected too!  If you have 
remote access, firstly disable root login via ssh so you have to go in as a 
normal user and then su to root, then ensure the logs for su are just you 
and not someone else.  Another suggestion (which is not really advisable but 
may help on an occasion or two): create a special user account and change 
its user id and group id to 0 in /etc/passwd.  Then if you try to su to 
root and the password has changed, just su to your special user account and 
then change the root password.  You then run into the possibility of the 
smart-arse changing this account's password too :(

Good luck
Graham



>From: Kirby Bohling <kbohling@birddog.com>
>To: Denis Croombs <denis@just-servers.co.uk>
>CC: whitebox-users@beau.org
>Subject: Re: [WBEL-users] Password changing overnight.
>Date: Mon, 16 Aug 2004 05:06:10 -0500
>
>On Mon, Aug 16, 2004 at 10:38:50AM +0100, Denis Croombs wrote:
> > I have a VERY strange problem some whitebox & Redhat 9.0 system change their
> > ROOT passwords overnight, (not very often) this is a real pain, any clues as
> > to why it should happen ? It also has happened for a normal user as well but
> > that is easier to cope with.
> > I am currently helping 1 school with 8+ whitebox systems and 1 Redhat 9.0.
> > This has happened 3 times in 3 weeks on the Redhat 9.0 and 4 times on
> > Whitebox system over the last 4 weeks.
>
>Denis,
>
>	Uhhh, in 9 years of running Linux, the only time my root
>password has ever changed is when I did it, or someone broke into
>my machine and had some fun at my expense.
>
>	If there is no remote access, it's still relatively easy to just
>reboot into single user mode and change the password.  Unless you
>have some odd password expiration setup, someone is changing your
>root password.  Have you tried putting it thru an MD5 password
>cracker?  I know one was posted to slashdot in the past month or so.
>
>	Are you just using straight up /etc/shadow passwords with
>standard file based authentication?  What are the symptoms that lead
>you to believe the password has been changed (I've had several times
>where LDAP problems that timed out acted like a password change).
>
>	Thanks,
>		Kirby
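
A read-only audit covering the checks raised in this thread, as an added example that is not part of the original messages: it lists accounts other than root that have UID 0 (the kind of "special user account" described above), converts the last-change field of a shadow entry to a date, and reports the PermitRootLogin setting. The function names, the `rescue` account and all sample file contents are constructed for illustration; on a real host the functions would be pointed at /etc/passwd, /etc/shadow and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: audit checks for the situation discussed in this thread.
# All sample data below is constructed, not taken from a real host.

# Names of every account with UID 0 other than root (passwd field 3).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Date of a user's last password change. Field 3 of a shadow entry
# counts days since 1970-01-01. Tries GNU date first, then BSD date.
shadow_lastchg() {
    days=$(awk -F: -v u="$2" '$1 == u { print $3 }' "$1")
    [ -n "$days" ] || return 1
    secs=$((days * 86400))
    date -u -d "@$secs" +%F 2>/dev/null || date -u -r "$secs" +%F
}

# First PermitRootLogin value in an sshd_config (sshd keeps the first
# value it reads; commented lines are skipped, Match blocks not handled).
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); f = 1; exit }
         END { if (!f) print "unset" }' "$1"
}

# Constructed sample files standing in for the real ones.
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
graham:x:500:500::/home/graham:/bin/bash
rescue:x:0:0::/home/rescue:/bin/bash
EOF
cat > "$demo/shadow" <<'EOF'
root:$1$constructed$hash:12646:0:99999:7:::
graham:$1$constructed$hash:12500:0:99999:7:::
EOF
cat > "$demo/sshd_config" <<'EOF'
#PermitRootLogin yes
Protocol 2
PermitRootLogin no
EOF

echo "extra UID 0 accounts: $(uid0_accounts "$demo/passwd")"
echo "root password last changed: $(shadow_lastchg "$demo/shadow" root)"
echo "PermitRootLogin: $(root_login_setting "$demo/sshd_config")"
```

A root last-change date that nobody can account for narrows the window to search in the output of last and in the su log entries.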