root password being hacked.


Mar 16, 2006
The way you said it, do you mean it keeps getting hacked when you change it, or keeps getting changed constantly?

If so, you're being HACKED. Calm down, it happens.

I would advise connecting to SSH via putty. Run "w", and "netstat -nalp |grep "SHPORTHERE" to see whos connected using SSH.

There may be PHPShells, rootkits etc on your server. I would advise running 'cat /path/of/your/web/logs/* |grep "/x90/' to look for shell code.

Search for running perl scripts 'ps -aux | grep perl'.

I would also login to whm (if you can) and look at wheel group users, as well as viewing any resellers, and double checking no one else has root privileges (if they do, they can reset your root pass).

Also, are you using the root password elsewhere? For anything else at all? Perhaps a billing system .e.g. WHMAutoPilot etc?


Active Member
Oct 20, 2006

1. Use strong passwords (min 16 symbols). Use tools like pwgen.
2. DO NOT connect with root from public locations, and also USE certificates, not login with passwords!
3. Monitor your servers with tools that can verify processes, quotas and user activity (IRC bots, other hacking or exploit tools).
4. Allow only one user to have shell access - root.
5. Learn LINUX, cause you must or you will always be away from the subject and hacked.
6. Hosting is the battlefield in the war of the Internet, and you, as an administrator collect all the bullets from all.


PS: F*** or die, learn Linux or cry :)