changing root pass


animex2
06-24-2004, 11:01 AM
Is it possible to change the root password on my Mandrake 9.0 Linux server? Someone gained root access, changed the password.... etc...

Also trying to trace him

He didn't delete ALL the log files; all I noticed that seemed strange is the user.log file was blank, so he must have cleared that file out. Any other way to trace him?

Also, is there any way to find out if he put anything on my server or w/e (e.g. illegal warez etc.) so I can delete them?

thanks

pl1ght
06-24-2004, 11:04 AM
Boot off a live CD,
mount the / partition
chroot to it
and passwd root and change it to whatever

animex2
06-24-2004, 11:05 AM
thanks, now to just find a way to track the dude

mrBen
06-24-2004, 11:09 AM
Or just enter linux single at the LILO prompt - it should boot into single user mode, without prompting for a password, and you can change the root password from there (using the passwd command)

animex2
06-24-2004, 11:28 AM
Got it, just remembered Mandrake has failsafe; changed it with that.

bwkaz
06-24-2004, 06:57 PM
Or, format and reinstall, since you have no idea what else he changed (other system binaries have likely been infected by rootkits, ps is probably hiding processes from you, netstat is likely not showing you all servers, and heck, bash might have even been patched to disallow access to certain directories).

In short, once you've had a local root compromise, there's a very small chance of ever ensuring you completely clean your machine, short of reinstalling.

Hopefully you have backups of any data you need (otherwise, you might be able to back it up now, assuming none of it got changed when the root account was misappropriated).

Besides, he got root once already. How do you know he won't just use the same vulnerability to get it again? Unless you patched the vulnerability...
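
The point above about ps and netstat being trojaned can be checked from the kernel's own view of the machine. This is an added example, not code from the thread: it parses /proc/net/tcp directly for listening sockets and diffs the PIDs in /proc against what ps reports; the sample /proc/net/tcp text is constructed, and a userland rootkit that hooks the tools but not the kernel is the assumed threat.

```python
"""Cross-check user-land tools against raw /proc (added example, not from the thread).

A user-land rootkit commonly replaces ps and netstat so they omit the attacker's
processes and listeners; /proc is the kernel's own view, so comparing the two
surfaces the discrepancy. A kernel-level rootkit can lie in /proc too, which is
why the thread's advice to reinstall still stands.
"""
import os
import subprocess

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp: sshd on 127.0.0.1:22, something on 0.0.0.0:8080,
# plus one ESTABLISHED connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1
   2: 0100007F:9C40 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1
"""

def parse_proc_net_tcp(text):
    """Return (ip, port, inode) for every LISTEN socket in /proc/net/tcp text."""
    listening = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # local_address is little-endian hex: 0100007F -> 127.0.0.1
        octets = [str(int(hex_ip[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        listening.append((".".join(octets), int(hex_port, 16), int(fields[9])))
    return listening

def hidden_items(kernel_view, tool_view):
    """Items the kernel reports that the user-land tool does not (sorted list)."""
    return sorted(set(kernel_view) - set(tool_view))

def proc_pids():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def ps_pids():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    return {int(p) for p in out.split()}

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        for ip, port, inode in parse_proc_net_tcp(f.read()):
            print(f"LISTEN {ip}:{port} (socket inode {inode})")
    # ps runs first so its own short-lived PID is not reported; repeat the check
    # a few times to rule out processes that merely started between the two reads.
    print("pids in /proc but missing from ps:", hidden_items(proc_pids(), ps_pids()))
```

Compare the listeners printed here against what netstat shows, and any PID ps omits, in the same way.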

animex2
06-24-2004, 10:49 PM
Ya, I did.

I ssh'd in, backed up the htdocs and cgi docs from my server (everything else can be recovered easily when reinstalled), said screw Mandrake, installed Debian (recommended for a server), and everything is working fine =)