server hacked?

sander815

I am having trouble with my server. Last night I couldn't log in because the server was unreachable by ssh, also after a hard reset with the APC. This morning ssh is working again, only the password for admin is not accepted anymore by the server. I disabled direct root login, so that's not an option.
Logging into DA is not working either, because the pass is wrong also.....

I am 100% sure I did not change the pass, I am the only admin. Everything else is working normally as far as I can see. Am I hacked or what?
 
Possibly. Do websites still load properly? A better way to tell would be to get direct console access to the machine and investigate, or get someone at your datacenter to do it if it's not within a reasonable traveling distance.
 
Everything is working fine.

I can ssh with a login from another domain, but cannot su - ...
 
What is the change date on /etc/shadow assuming you are using shadow passwords, or /etc/passwd if you are not using shadow passwords? It is possible to modify the files without appearing like the date changed, so that is not 100%.

You could always have the datacenter, or you if you are close enough, boot with a rescue disk, mount the root partition and compare/replace the /etc/passwd and /etc/shadow files. If the password entry for the root user does not match your backup, then replace the file(s) with your backup.

If it was hacked, then you need to really consider reloading the OS and data, since anything could be suspect at that point.
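
The check suggested in this thread (rescue boot, mount the root partition, compare /etc/passwd and /etc/shadow against a backup), written out as a shell script. This is an added example, not posted by anyone in the thread; the mount point `/mnt/sysroot`, the backup directory `/root/etc-backup` and the function names are assumptions, and the UID 0 listing goes slightly beyond what the thread describes.

```shell
#!/bin/sh
# Audit account files on a rescue-mounted root against a trusted backup.
# Assumed layout (not from the thread): root partition at /mnt/sysroot,
# backup copies of passwd and shadow in /root/etc-backup.

# Print the record for user $2 from passwd/shadow-format file $1.
entry_for() {
    awk -F: -v u="$2" '$1 == u { print; exit }' "$1"
}

# Compare user $3's record in file $1 (suspect) with file $2 (backup).
# Prints MATCH, CHANGED, or MISSING if either file lacks the user.
compare_entry() {
    ce_live=$(entry_for "$1" "$3")
    ce_back=$(entry_for "$2" "$3")
    if [ -z "$ce_live" ] || [ -z "$ce_back" ]; then
        echo MISSING
    elif [ "$ce_live" = "$ce_back" ]; then
        echo MATCH
    else
        echo CHANGED
    fi
}

# List every account with UID 0 in passwd file $1; anything besides
# root that is not in your backup deserves a close look.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# mtime can be set back with touch; ctime is written by the kernel and is
# harder to backdate, so a ctime much newer than mtime is worth noting.
show_times() {
    stat -c '%n  mtime=%y  ctime=%z' "$1"   # GNU stat
}

audit() {   # $1 = mounted root, $2 = backup directory
    for f in passwd shadow; do
        show_times "$1/etc/$f"
        for user in root admin; do   # the two accounts named in the thread
            echo "$f:$user $(compare_entry "$1/etc/$f" "$2/$f" "$user")"
        done
    done
    echo "UID 0 accounts: $(uid0_accounts "$1/etc/passwd" | tr '\n' ' ')"
}

# Example: sh audit.sh /mnt/sysroot /root/etc-backup
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

Run it from the rescue environment so that the tools doing the comparison come from the rescue disk rather than the suspect system.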
 