Often numerous people have access to an account, developers, owners, system administrators.
Occasionally they do things, they maybe shouldn’t – like changing the password – leaving all other people in the loop out.
When this happens its always good to make sure that you know who changed that password – because if it was not you, it was potentially an exploit of some sort
Its fairly hard to track down exactly WHO did this, however its easy to work out WHEN it happens, which allows you to look up other things to determine who
To determine when the password was changed you can check the /etc/shadow file . It looks like this
username:$6$grTvfe/KEnCrYpTeDPaSsWoRd5.:18449::::::
The random number on the end of that tells you when that password was changed. You can use it like this
root@hostname:~# date --date '1970-01-01 +18449days'
Mon Jul 6 00:00:00 UTC 2020
There is a much easier way to do this of course, and that would be like this
root@hostname:~# chage -l username
Last password change : Jul 06, 2020
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : -1
Maximum number of days between password change : -1
Number of days of warning before password expires : -1
Now we know what date to look we can look at places like /var/log/auth.log or /var/log/secure and see things like this
$ zgrep "password changed" /var/log/auth.log
/var/log/auth.log:Jul 6 21:48:03 username passwd[2245]: pam_unix(passwd:chauthtok): password changed for username
This gives us an exact time – at which point you can look up logs for who logged in via SSH to change that
Jul 6 21:47:46 hostname sshd[2232]: Accepted publickey for root from 65.99.223.255 port 46284 ssh2: RSA 95:ef:8b:8f:21:04:82:76:f6:c6:7a:57:db:ac:ac:ac Jul 6 21:47:46 hostname sshd[2232]: pam_unix(sshd:session): session opened for user root by (uid=0)
You may even see something like this instead
sudo: daniel : TTY=pts/1 ; PWD=/home/denial ; USER=root ; COMMAND=/usr/bin/passwd root
So Daniel logged in and ran sudo to change the password
So now we know they logged in as root, or daniel and the IP they came from. ‘whois’ tool can tell you what location approximately that IP is, and you can check if that was one of your own guys, or an exploit.
passwd -n 9999 user
will prevent user
from changing his password for many years. which may be an option to stop that happening.
Database passwords are much harder to diagnose. If somebody set the root password though you could see if that was via command line with something like this to give you an idea
grep -i -e "password" /home/*/.mysql_history /root/.mysql_history