  1. #1
    Just Joined!
    Join Date
    Jul 2009
    Location
    Trivandrum, India
    Posts
    9

    Could my root password have been changed by some malware?

    My root password has been changed from the original one I use, since it does not work any more. Also two new users 'atv' and 'test' have been added, and that was not done by me either. I downloaded an mp3 file from thighswideshut.org though Firefox had warned me it was an attack site. I use Fedora 12 and have not logged in as root. Why could this have happened? And only I use my computer, and no one knows my passwords.
    Last edited by monkeyman; 04-06-2010 at 12:50 PM. Reason: spelling

  2. #2
    Linux Guru
    Join Date
    Nov 2004
    Posts
    6,110
    I would doubt that the problem was malware for two reasons:
    • Not many people are writing malware for Linux, certainly next to none in the wild
    • IF you downloaded it you would have had to manually execute it


    What might be more likely is that someone guessed your password, connecting in via ssh. If you had ssh running and had a simple-ish password this is quite likely. Also it would be normal to disable root logins over ssh so it may be that they got in via your account and used su/sudo to do the work.

    Does this sound likely to you? Are you behind a NAT router and if so do you have your ssh ports forwarded?

  3. #3
    Just Joined!
    Join Date
    Jul 2009
    Location
    Trivandrum, India
    Posts
    9
    I am sure that I am the only one who uses my computer. But my password was simple.

  4. #4
    Linux Guru
    Join Date
    Nov 2004
    Posts
    6,110
    Are you connected to the internet? ssh is a network service that allows remote access to a Unix/Linux server. Unfortunately its greatest strength can be its greatest weakness. If you don't intend using it you can turn it off to be safe. At this point you can decide whether you want to try to recover the system or take the more extreme (but probably more sensible) approach of reinstalling your system.

  5. #5
    Just Joined!
    Join Date
    Jul 2009
    Location
    Trivandrum, India
    Posts
    9
    Yes my computer is connected to net. How do I turn it off? Will it require root password? I will reinstall if required.

  6. #6
    Just Joined! ixil8zyixi's Avatar
    Join Date
    May 2007
    Posts
    4
    Try booting into single user mode and change the password; that should save you from having to reinstall. And if you really want to disable root login via ssh:
    vi /etc/ssh/sshd_config and change the line to PermitRootLogin no

    Goodluck

  7. #7
    Linux Enthusiast Mudgen's Avatar
    Join Date
    Feb 2007
    Location
    Virginia
    Posts
    623
    If you can't reset the root password using ixil8zyixi's advice, boot your F12 install cd with "rescue installed system" option. Do the suggested "chroot /mnt/sysimage" and then "passwd root".

    Then I recommend installing and configuring the denyhosts package. This will lock out "doorknob twisters". Your /var/log/secure file may offer some clues on how this happened.
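
    A small triage script for the /var/log/secure clues mentioned above, added here as an example and not part of the original thread; the log lines are constructed samples in the sshd/useradd/su message format of that era, and the addresses and user names are placeholders:

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines (not from the original thread).
SAMPLE_LOG='Apr  5 02:11:03 box sshd[2201]: Failed password for root from 203.0.113.7 port 40211 ssh2
Apr  5 02:11:05 box sshd[2201]: Failed password for root from 203.0.113.7 port 40211 ssh2
Apr  5 02:11:09 box sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 40215 ssh2
Apr  5 02:12:30 box sshd[2210]: Accepted password for monkeyman from 203.0.113.7 port 40230 ssh2
Apr  5 02:13:01 box useradd[2250]: new user: name=atv, UID=501, GID=501, home=/home/atv, shell=/bin/bash
Apr  5 02:13:20 box su: pam_unix(su-l:session): session opened for user root by monkeyman(uid=500)
Apr  5 09:00:00 box sshd[3100]: Accepted publickey for monkeyman from 192.0.2.10 port 51000 ssh2'

# Failed password attempts per source address, most active first.
failed_by_source() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk '/sshd\[[0-9]+\]: Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Successful logins, any method, printed as "method user source".
accepted_logins() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk '/sshd\[[0-9]+\]: Accepted/ { print $7, $9, $11 }'
}

# Sources that failed at least 3 times and then got in: a guessed password.
brute_force_successes() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk '/sshd\[[0-9]+\]: Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") f[$(i+1)]++ }
         /sshd\[[0-9]+\]: Accepted/       { for (i = 1; i <= NF; i++) if ($i == "from") a[$(i+1)] = $9 }
         END { for (ip in a) if (f[ip] >= 3) print ip, "failed", f[ip], "then accepted as", a[ip] }'
}

# Account creation and root sessions that followed: what the intruder did next.
account_events() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E 'useradd|session opened for user root'
}

failed_by_source; accepted_logins; brute_force_successes; account_events
```

    On a real system replace SAMPLE_LOG with the contents of /var/log/secure (and its rotated copies), remembering that a rootkit may have edited the log, so an empty result is not proof of a clean machine.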

  8. #8
    Just Joined!
    Join Date
    Mar 2009
    Posts
    29
    Well, there are a variety of solutions here.

    First and foremost, there's no good thing about someone else using your system to do things. You wouldn't want people sending and receiving mail from your home address; it's the same for your MAC address. If you're connected to the internet through a Cat5 cable, remove that cable. If you're connected wirelessly, disable the radio.

    Your system *is* most likely compromised. There are several ways to save yourself here.

    This post should help
    linuxforums,org/articles/howto-recover-root-password_54.html
    I intentionally messed up the URL because I haven't actually made 15 posts, as I haven't had 15 problems with Linux worth posting about shockingly enough... although I would think I'd let my own website be linked in-house guys come on now

  9. #9
    Linux Newbie
    Join Date
    Oct 2008
    Posts
    140
    You really ought to re-install. You have a good reason to think that someone has been inside your computer, but you don't know what they've done, in addition to changing the root password and adding a couple of new users. There could be a rootkit installed, compromised versions of ls or ps. Maybe a keylogger? After re-installing, immediately install a program called rkhunter:
    [root@yourbox ~]# yum install rkhunter
    and then run it with the --propupd option:
    [root@yourbox ~]# rkhunter --propupd
    Rkhunter will make a baseline file which tells it what software is installed and is updated when you use yum for your daily updates. I like to make a cron job of rkhunter, with a daily run of --check and a monthly run of --update.

  10. #10
    Just Joined!
    Join Date
    Mar 2009
    Posts
    29
    I do agree that a reinstall may be a very important thing (especially if the passwd program is what is edited, might be worth looking into)

    You probably want all those files on there though. I know I would, and if you need root to get at some of them you can use that thread. Once you've got everything you need it's a good time to gparted the whole thing.

    This would also be a good time to invest in some wireless security, a package called firestarter is decent enough for internal software firewall, and your NAT/router security would be good to work on. If it's not encrypted, it's a good time to start!
