In our tutorial for setting up a new server, we defined the root user as “the administrative user with heightened privileges to all rights and permissions on the server.” A root compromise is simply a security breach that has affected your server at the root, or admin, level.
Step 1 – Identify the Compromise
Vernon Haberstetzer, an information security engineer at Wells Fargo, lists a few common pieces of evidence that could indicate that your system has been hacked:
Suspicious-looking user accounts. These tend not to follow your company’s conventions for valid user accounts. Audit logs (if available) should be able to tell you who created them. Regardless, they should be disabled and investigated.
Rogue applications. Incoming connections can be used as a backdoor by hackers. Tools such as TCPView or FPipe (Windows) and netstat or lsof (Unix) will show you which applications are using open ports on your system. If possible, also scan your compromised server from another machine, since the tools on the compromised host itself may have been tampered with.
OS job scheduler anomalies. Malware sometimes launches from the operating system’s job scheduler. To look for anomalies on a Windows system, go to a command prompt and type AT. On a Unix system, check the job list using the cron or crontab commands.
Rootkit access. Hackers also prey on systems through vulnerabilities in either your operating system or your applications, and a rootkit is often what they leave behind. There are so many rootkits that it’s difficult to find the files they’ve modified; tools such as chkrootkit can help you with that.
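As an added example (not from the original article or from Haberstetzer), the following Python script applies the first check above to /etc/passwd-format data: it flags accounts with UID 0 other than root, accounts that share a UID, system accounts with an interactive shell, and human accounts whose names break a naming convention. The convention regex, the UID boundary of 1000 and the sample passwd excerpt are assumptions made for the example.

```python
import re
import sys
from collections import Counter

# Constructed /etc/passwd excerpt for this example (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
toor:x:0:0:ghost:/:/bin/sh
XyZ99:x:1002:1002::/home/XyZ99:/bin/bash
"""

# Assumed site convention for human account names: lowercase, 3-16 chars.
CONVENTION = re.compile(r"^[a-z][a-z0-9_]{2,15}$")
# Assumed boundary: UIDs below 1000 are system accounts (Debian/Ubuntu default).
SYSTEM_UID_MAX = 999
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; skips blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def audit_passwd(text, convention=CONVENTION):
    """Return (account, reason) pairs for accounts worth investigating."""
    entries = parse_passwd(text)
    uid_counts = Counter(e["uid"] for e in entries)
    findings = []
    for e in entries:
        name, uid, shell = e["name"], e["uid"], e["shell"]
        # A second UID-0 account is a classic backdoor: it is root under another name.
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 but not root"))
        # Any shared UID means two names for one identity; audit logs become ambiguous.
        if uid_counts[uid] > 1:
            findings.append((name, f"shares uid {uid} with another account"))
        # Service accounts normally have nologin/false as their shell.
        if 0 < uid <= SYSTEM_UID_MAX and shell in INTERACTIVE_SHELLS:
            findings.append((name, "system account with interactive shell"))
        # Human accounts should follow the site naming convention.
        if uid > SYSTEM_UID_MAX and not convention.match(name):
            findings.append((name, "name violates naming convention"))
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. /etc/passwd) to audit a real file; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for account, reason in audit_passwd(text):
        print(f"{account}: {reason}")
```

Run it with the path to a copy of the suspect host’s /etc/passwd taken from a clean machine; every account it reports should be matched against the audit log entry that created it, and disabled until that is explained.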
The Ubuntu wiki adds the following things to look for in your log files:
Incorrect time stamps. To mask their activities, hackers will often copy and paste legitimate log entries over the incriminating ones, creating a timestamp discrepancy.
Missing log files. A less subtle way of hiding activities – or the nature of those activities – is to simply delete the log file. If you’re missing a file, you can be reasonably sure it’s not an accident.
Partially sanitized log files. If your logs are missing more than 5 minutes of time at any stretch, it’s a clear indication that someone removed them to hide what they were doing.
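Added example, not from the Ubuntu wiki or the original article: a Python checker that applies the last two tests above to syslog-style lines, reporting any gap longer than 5 minutes between consecutive entries and any timestamp that runs backwards (the discrepancy a pasted-over log leaves behind). The log lines and the year (traditional syslog timestamps carry none) are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style lines for this example; the missing stretch after
# line 3 and the out-of-order entry at line 5 are deliberate.
SAMPLE_LOG = """\
Jan 12 10:00:01 web1 sshd[2231]: Accepted publickey for jsmith from 10.0.0.5 port 51022 ssh2
Jan 12 10:02:17 web1 CRON[2250]: (root) CMD (/usr/local/bin/backup.sh)
Jan 12 10:03:40 web1 sshd[2260]: Failed password for invalid user admin from 203.0.113.9 port 4410 ssh2
Jan 12 10:21:05 web1 sshd[2311]: Accepted password for root from 203.0.113.9 port 4412 ssh2
Jan 12 09:55:30 web1 sshd[2199]: Accepted publickey for jsmith from 10.0.0.5 port 50990 ssh2
Jan 12 10:22:00 web1 systemd[1]: Started Daily apt activities.
"""

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_ts(line, year):
    """Return the datetime of a traditional syslog line, or None if it has no timestamp."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))


def find_log_anomalies(lines, max_gap=timedelta(minutes=5), year=2019):
    """Return (line_no, description) for gaps longer than max_gap and for
    timestamps that run backwards. The year is assumed because traditional
    syslog timestamps do not carry one."""
    findings = []
    high_water = None   # latest timestamp seen so far
    high_line = None
    for no, line in enumerate(lines, start=1):
        ts = parse_ts(line, year)
        if ts is None:
            findings.append((no, "no parseable timestamp"))
            continue
        if high_water is not None:
            if ts < high_water:
                # Entries pasted in from another log land out of sequence.
                findings.append((no, f"timestamp runs backwards by {high_water - ts}"))
                continue   # keep the high-water mark; do not measure a gap from this line
            if ts - high_water > max_gap:
                findings.append((no, f"gap of {ts - high_water} since line {high_line}"))
        high_water, high_line = ts, no
    return findings


if __name__ == "__main__":
    for no, what in find_log_anomalies(SAMPLE_LOG.splitlines()):
        print(f"line {no}: {what}")
```

The function takes any iterable of lines, so `find_log_anomalies(open("/var/log/auth.log"))` works on a real file. On a quiet host a gap may simply be idle time, so run the check against a log that is written to regularly, such as the cron log, or against a file you know was not rotated at that moment.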
Engineers at OmniTraining suggest that if you’re running Unix – and you’ve kept current with your kernel patches – you won’t necessarily need to reformat and reinstall the OS in the case of a user account compromise. Disabling the suspicious account should be enough, as long as there’s no evidence of a root compromise.
However, changing your root password is a prudent precaution to take, no matter how insignificant the breach seems to be on the surface.
Step 2 – Change Your Root Password
Log in as root. Type “su” or “su root” at the terminal prompt.
Enter the current root password. Don’t be alarmed if nothing displays as you type. This is normal and intentional for security reasons.
Type the command “passwd” at the root prompt.
Enter your new password; then enter it again at the confirmation prompt.
Log out by typing the “exit” command.
On Windows, log into your system as Administrator.
Press Ctrl-Alt-Delete. This key combination brings up a screen from which you can choose to change your password.
Change the Windows administrator password by completing the form.
Step 3 – Tighten Your Security
Once you’ve changed your root password, make sure you’ve completed these steps from our previous article:
Create user accounts. Minimize the use of the root account by creating normal user accounts with limited access to the system, so that everyday work cannot compromise or mistakenly damage the server. If you haven’t already done so, create them once you’ve changed the root password.
Ban outside IPs. To protect your server from intruders, install software that bans IPs showing dangerous behaviour, such as too many failed login attempts. Fail2ban, for instance, limits the rate of incorrect login attempts; it cannot, however, eliminate the risk that weak authentication presents.
Configure your firewall. Install security and firewall software to help limit access to the server and temporarily block potential intruders.
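To show what the Fail2ban behaviour described above does and does not cover, here is an added Python simulation (not Fail2ban’s own code and not from the original article) of its sliding-window rule: an address with maxretry failures within findtime is banned. The sshd log lines, the thresholds (5 failures in 10 minutes) and the year are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines for this example (RFC 5737 documentation addresses).
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 web1 sshd[3001]: Failed password for root from 203.0.113.9 port 4400 ssh2
Jan 12 10:00:14 web1 sshd[3002]: Failed password for root from 203.0.113.9 port 4401 ssh2
Jan 12 10:00:29 web1 sshd[3003]: Failed password for invalid user admin from 203.0.113.9 port 4402 ssh2
Jan 12 10:00:45 web1 sshd[3004]: Failed password for root from 203.0.113.9 port 4403 ssh2
Jan 12 10:01:02 web1 sshd[3005]: Failed password for root from 203.0.113.9 port 4404 ssh2
Jan 12 10:01:20 web1 sshd[3006]: Failed password for root from 203.0.113.9 port 4405 ssh2
Jan 12 10:05:00 web1 sshd[3010]: Failed password for jsmith from 198.51.100.7 port 5100 ssh2
Jan 12 10:20:00 web1 sshd[3020]: Failed password for jsmith from 198.51.100.7 port 5101 ssh2
Jan 12 10:35:00 web1 sshd[3030]: Failed password for jsmith from 198.51.100.7 port 5102 ssh2
Jan 12 10:36:00 web1 sshd[3031]: Accepted publickey for jsmith from 10.0.0.5 port 51022 ssh2
"""

FAILED_LOGIN = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) ")


def simulate_bans(lines, maxretry=5, findtime=timedelta(minutes=10), year=2019):
    """Fail2ban-style rule: ban an address once it has maxretry failures inside
    a sliding findtime window. Returns {ip: time_of_ban}. The year is assumed
    because syslog timestamps carry none; maxretry/findtime are example values."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned:
            continue                     # later lines from a banned address are ignored
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()             # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def failures_per_ip(lines):
    """Total failed-password lines per address, regardless of timing."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print("failures:", failures_per_ip(lines))
    for ip, when in simulate_bans(lines).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

The first address is banned on its fifth failure at 10:01:02. The second makes three attempts 15 minutes apart and never crosses the threshold, which is exactly the gap the caveat above points at: rate limiting lowers the volume of guessing the server will tolerate, but a weak password can still be guessed slowly, so strong passwords or key-based logins remain necessary.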
Consequences of root compromise attacks
In addition to direct loss of revenue, the costs of repairing or rebuilding data, and losing both your external and internal customers’ confidence, your compromised server and sites can be used to enable larger-scale attacks, such as a Denial of Service.
If your business is small to midsize, don’t make the mistake of thinking you’re safe from attack. According to some experts, nearly 60% of online attacks in 2014 targeted small and midsized businesses. This is partly because these businesses are easy to hack. According to an article by Constance Gustke, a writer for the New York Times, “Limited security budgets, outdated security and lax employees can leave holes that are easily exploited by ever-more-sophisticated digital criminals.”
The bottom line for any business is that the best, least costly way of dealing with a cyber attack is simply to prevent it.
Updated: January 2019