A hacker changed my server password! Now what?

Here in the CodeCave I run a large Dark Net and report my findings to my Twitter followers. If you are not familiar with darknettin', this is the practice of putting servers out on the Internet as bait so that hackers will break into them. Folks do this for many different reasons, but my reason is to learn the latest and greatest methods in use on the net today for breaking into networks.

Many times these servers are just trashed out. Hackers try to destroy them if they are discovered. I had a major exploit found in my FireFox add-in FlashGot. A hacker got in, trashed my system, and then changed the password of the root account. Now this is a big deal, since I need to log on to that server to gather the data and learn from this attack. Now what? I remembered a little physical-access trick I learned a few years back from a guru at a Linux users group conference. It works like this:

- Boot the system and get to the GRUB menu. I pressed an arrow key so the countdown stopped and the system did not continue into the normal boot.

- Select the kernel version you want and hit the "E" key to edit that entry.

- Arrow down to the line that begins with "kernel" and hit the "E" key again.

- At the GRUB edit line, simply append the number 1 to the end of the kernel line (the trailing 1 is the runlevel handed to init, and runlevel 1 is single-user mode). So it looks like this:

grub edit>/vmlinuz-2.5.9-22.DRnetsmp ro root=LABEL=/ rhgb quiet 1

- Now hit ENTER to accept the edit, then "B" to boot, and the system will come up in single-user mode.

- Newcastle time!!! Single-user mode drops you into a root shell with no password prompt, so a simple passwd does it:

sh-2.5# passwd

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully
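The trick works because GRUB legacy lets anyone at the console edit a boot entry, so physical access to the box is effectively root access. The script below is an added example and not part of the original post: it reads a GRUB legacy grub.conf / menu.lst and reports whether a global password directive disables the menu editor (the "E" key), and it prints the kernel line such an unlocked editor exposes. The two sample configurations, the kernel and initrd names and the password hash in them are constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post.  Audits a GRUB legacy
# grub.conf / menu.lst for the setting that blocks the trick above:
# a `password` directive in the global section (before the first `title`)
# disables the interactive menu editor, so the "E" key no longer lets a
# console user append "1" to the kernel line and boot single-user.
# GRUB 2 uses `set superusers` / `password_pbkdf2` instead; not handled here.

# Constructed sample: no password directive, so the editor is open.
UNPROTECTED_CONF='default=0
timeout=5
title Example Linux (kernel name is a placeholder)
        root (hd0,0)
        kernel /vmlinuz-EXAMPLE ro root=LABEL=/ rhgb quiet
        initrd /initrd-EXAMPLE.img'

# Constructed sample: same entry, but a global password directive is set.
# The hash is a placeholder, not real grub-md5-crypt output.
PROTECTED_CONF='default=0
timeout=5
password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
title Example Linux (kernel name is a placeholder)
        root (hd0,0)
        kernel /vmlinuz-EXAMPLE ro root=LABEL=/ rhgb quiet
        initrd /initrd-EXAMPLE.img'

# grub_editor_locked: reads a config on stdin; exit status 0 if a global
# password directive is present, 1 otherwise.  Scanning stops at the first
# `title`, because a password inside an entry only locks that one entry.
grub_editor_locked() {
    awk '
        /^[ \t]*title[ \t]/ { exit }
        /^[ \t]*password([ \t]|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# single_user_line: prints the kernel line of the first entry with "1"
# appended, i.e. what the post typed at the "grub edit>" prompt.  Shows an
# auditor exactly which line an unlocked editor exposes.
single_user_line() {
    awk '
        /^[ \t]*kernel[ \t]/ { sub(/^[ \t]+/, ""); print $0 " 1"; exit }
    '
}

# audit_grub_conf: one-line verdict for a config read on stdin.
audit_grub_conf() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grub_editor_locked; then
        echo "locked: global password directive disables the menu editor"
    else
        echo "open: console user can edit '$(printf '%s\n' "$conf" | single_user_line)'"
    fi
}

# Run both constructed samples through the audit.
printf '%s\n' "$UNPROTECTED_CONF" | audit_grub_conf
printf '%s\n' "$PROTECTED_CONF"   | audit_grub_conf
```

To audit a real box, feed its own file in with something like audit_grub_conf < /boot/grub/grub.conf. A GRUB password only closes the menu editor; it does not stop someone who can boot from removable media or pull the disk, which is why full-disk encryption is the broader control for a server that untrusted people can physically reach.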

I got in, grabbed the data, and released the forensics to the open source community. I think that is a great example of how we learn from each other. Users groups are a great place for that, and so are open blog postings. Hey, share your knowledge here! Got any good tips and tricks we can all learn from?

Jimmy Ray

