1

My small office's server was under attack yesterday and today and apparently the hacker gained access through a weak password (i.e. I am to blame entirely). The moment I noticed this, I physically disconnected the server from the internet and changed all the user passwords (with kpasswd), and the root password (with usermod -p).

I had no internet to consult and was a little stressed out, which is why I entered the plaintext password instead of the encrypted hash I was supposed to enter.

Does anybody know how I can 'compute' the un-hashed plaintext?

zenlord
  • I would rebuild a server from scratch after an attack. You don't know what the attacker did to anything. If it's a file server or a web server, you can easily migrate files (after looking deeply at them). It's worth the little bit of time. – mbrownnyc Jan 15 '14 at 15:07
  • I have already asked my system admin to have a deep look and it was about time to buy a new server, so this will be the occasion to do just that. In the meanwhile I would like to at least monitor suspicious activity, which is what I need the root password for :( – zenlord Jan 15 '14 at 15:14

1 Answer

3

First of all, it was a good point about reinstalling the server from scratch.

If you have set your encrypted root password in /etc/shadow, there is no efficient way to guess it, because it is encrypted using a cryptographic hash function. If you have set it to some plaintext value, the password will be treated as invalid and will not be accepted anyway, because passwords in the shadow database are stored in a particular format.

If you have physical access to the server, you can reboot in single user mode by passing the kernel option single (or init=/bin/bash for Ubuntu); there is a tutorial. Then you can change your root password by using passwd and reboot the system to access it as usual.

Good practice is to avoid root access via ssh and use sudo to gain superuser privileges. You can also disable password authentication for OpenSSH and switch to public key authentication.

UPD: I don't have enough reputation to reply to your comment, so I am updating the answer: you can boot to single user mode by changing the kernel boot parameters in the bootloader. It doesn't require a password unless you have set one up for GRUB. Please check out the tutorial I've mentioned above to perform a single user boot.

  • Thank you for your comment - I had completely forgotten to reboot in single-user mode. Unfortunately, one has to enter the root passwd before entering the single-user-mode (Press CTRL+D for maintenance or...). – zenlord Jan 15 '14 at 19:39
  • 1
    @UPD: the single-user-mode is a no go: I need to supply the root password to go into 'maintenance'. This is with typing 'linux single' at the LILO prompt. My system admin reminded me that he had added me to the sudoers file and had elevated my privileges. I was able to change the root passwd using sudo - otherwise I would have been completely locked out of root access to my server... Thx for thinking with me (+1), but your reply did not solve my problem. – zenlord Jan 16 '14 at 18:07
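The answer's point that a plaintext value in the shadow password field is just an invalid entry, not something to be "un-hashed", can be checked with a short script. This is an added example, not part of the original question or answer; the sample entries, the placeholder hash and the names `classify_field` and `audit` are constructed for illustration.

```python
import re

# crypt(3) modular format: $id$[params$]salt$hash
# ids covered here: 1=MD5, 2a/2b/2y=bcrypt, 5=SHA-256, 6=SHA-512, y=yescrypt
MODULAR = re.compile(r"^\$(1|2[aby]|5|6|y)\$[./A-Za-z0-9=,]+(\$[./A-Za-z0-9=,]+)+$")
# Legacy DES crypt: exactly 13 characters from the crypt alphabet.
# Caveat: a 13-character alphanumeric plaintext would look the same.
DES = re.compile(r"^[./A-Za-z0-9]{13}$")


def classify_field(field):
    """Classify the second field of an /etc/shadow entry."""
    if field == "":
        return "empty"      # no password set for the account
    if field.startswith(("!", "*")):
        return "locked"     # password login disabled
    if MODULAR.match(field) or DES.match(field):
        return "hash"       # has the shape of a crypt(3) result
    return "invalid"        # e.g. plaintext given to usermod -p: never matches


def audit(shadow_text):
    """Return {user: status} for every entry in shadow-formatted text."""
    results = {}
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or not parts[0]:
            continue        # skip blank or malformed lines
        results[parts[0]] = classify_field(parts[1])
    return results


# Constructed sample data: FAKE_HASH only has the shape of a SHA-512 crypt
# string and "Tr0ub4dor-example" stands in for a plaintext password.
FAKE_HASH = "$6$constructedsalt$" + "x" * 86
SAMPLE = "\n".join([
    "root:Tr0ub4dor-example:16085:0:99999:7:::",
    f"alice:{FAKE_HASH}:16085:0:99999:7:::",
    "daemon:*:16000:0:99999:7:::",
    f"bob:!{FAKE_HASH}:16085:0:99999:7:::",
    "guest::16085:0:99999:7:::",
])

if __name__ == "__main__":
    for user, status in audit(SAMPLE).items():
        print(f"{user:8} {status}")
```

Run against a root-only copy of the real file, an `invalid` result for root means the account cannot log in with any password until `passwd` writes a proper hash.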