8
2
Long story short, after a recent company "reorg" the root password on all of our servers was mysteriously changed. I need to figure out first how to regain root access, but second how to figure out what happened (eg. when was the password changed, and who the &@^% did it).
I can find plenty of answers to the question "how do I recover a root password", but not so many to the question "who changed my root password and when was it changed", so that is my main question, although other suggestions and comments are welcome as well.
4If the person who changed the root password was just misguided, this will tell you when it was done, and possibly who (by seeing who just ran sudo or su; of course, if they logged in as root on the console, there's no direct way to see who did it). But if the person was malicious, they could have erased the logs, or even planted misinformation. – Gilles 'SO- stop being evil' – 2010-09-02T19:29:56.297
@Gilles nice addition +1 – BloodPhilia – 2010-09-02T19:32:45.197