sudo passwd on Ubuntu 11.10 strange behavior. Have I been rooted?

qwexar asked:

I’m in a really strange situation. A few hours ago Rackspace issued a ticket saying there’s a outbound flood originating from my server.

Thinking the server might have been rooted with a rootkit I ran chkrootkit scans and nothing showed up.

So I decided to change ssh password and this is what happened.

$ passwd <<username>>
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

When I did the exact same thing on another Ubuntu 11.10, this happened.

$ passwd <<username>>
Changing password for username.
(current) UNIX password:
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Hence, on one server ( suspected to have been attacked ) passwd command doesnt ask for “previous” password before changing the password. On the other server it does.

I checked nginx access logs and found http calls originating form “localhost”. I think there might be a suspicious script running on the server.

It could be possible that the system is compromised?

Lastly, I’d like to ask if someone knows of a good rootkit scan I could run on the server. I’m not asking for a silver bullet but something you guys usually use. I’m fairly new to server security.

Thanks guys!

My answer:


When you run passwd as root, you are not prompted for the old password. As any other user, you are prompted for the old password.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.