I'm locked out of my main account, it's suddenly become unreadable, and the superuser password is no longer working. I have a few other users on the machine, so I can get in there, but can't do anything because the root password has changed. I can't even read my main user's home directory. I don't know if this is connected, but suddenly my installed PPAs had lost their GPG keys and I kept getting errors about that when I ran apt-get update. Well, not all of them, but a lot of them.

Is there anything I can do, like boot up from a pentesting distro like Tails and see what's going on? Only my home directory is encrypted. I have loads of un-backed-up data on my machine; I can't just reinstall the OS now. I'm in trouble if I can't fix this. I don't know what to do, I've never experienced anything like this before, and I used to have an external hard drive so I would just reinstall if this happened, but I can't do that in this case.

I'm booting up with a live CD right now. I read that you can just edit /etc/shadow and erase the root user's password. I'm hoping this still works. I'm in the /etc/shadow file now and I see the root user has a ! as its password. I read that if I delete that, then there's no more root password. That still doesn't solve the problem of my encrypted home directory being inaccessible. Can I change my user's password by making a new hash and replacing the hash in the shadow file with it?

UPDATE: I edited the shadow file and was able to set a new root password. But then I couldn't seem to use the root password. There's also a /etc/shadow- file, and the root user is assigned a number for a password there.

Only my main user has been locked down; the file permissions of my home directory somehow changed to dr-x-----. I'm still the owner of the directory. I can sudo into the home directory but it's encrypted. chkrootkit says that tcpd is infected, but nothing other than that.

Lynis gave me 3 warnings that were minor.
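The question turns on how the second field of a shadow entry is read: a lone `!` for root, a hash that shows up only in the `/etc/shadow-` backup, and what deleting the `!` actually leaves behind. The script below is an added example, not code from the question or its answers. It classifies the password field of shadow-format entries and lists the accounts whose field differs between a shadow file and its `-` backup. It runs entirely against a constructed sample file in a temp directory (the `$6$...` strings are placeholders, not real hashes), never against a real `/etc/shadow`.

```shell
#!/bin/sh
# Added example, not code from the question or its answers: classify the password
# field of shadow-format entries, and list the accounts whose field changed
# between a shadow file and its "-" backup. Everything runs against a
# constructed sample file in a temp dir, never a real /etc/shadow.

SAMPLE_SHADOW="$(mktemp)"
trap 'rm -f "$SAMPLE_SHADOW" "$SAMPLE_SHADOW-"' EXIT

# Constructed sample. The "$6$..." strings are placeholders, not real hashes.
cat > "$SAMPLE_SHADOW" <<'EOF'
root:!:19000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:!$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

# shadow_status USER FILE: print how field 2 of USER's entry is interpreted.
#   locked-nopass  "!" alone: no password was ever set (Ubuntu's default for root)
#   locked-hash    "!" in front of a hash: account locked with passwd -l / usermod -L
#   disabled       "*": password login not possible
#   empty          empty field: no password required where PAM allows null passwords
#                  (this is what deleting the "!" produces)
#   hashed         a usable password hash
#   missing        USER has no entry in FILE
shadow_status() {
    user="$1"; file="$2"
    if ! grep -q -- "^$user:" "$file"; then
        echo missing
        return 0
    fi
    field="$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")"
    case "$field" in
        "")   echo empty ;;
        "!")  echo locked-nopass ;;
        "!"*) echo locked-hash ;;
        "*")  echo disabled ;;
        *)    echo hashed ;;
    esac
}

# changed_since_backup FILE: print each user whose password field in FILE differs
# from the one in FILE- (the copy passwd/vipw/pwconv keep from before the last edit).
changed_since_backup() {
    awk -F: 'NR == FNR { old[$1] = $2; next }
             ($1 in old) && old[$1] != $2 { print $1 }' "$1-" "$1"
}

# Demo: keep a backup copy, then give root a (placeholder) hash the way an edit
# from a live CD would. The backup copy plays the role of /etc/shadow- here.
cp "$SAMPLE_SHADOW" "$SAMPLE_SHADOW-"
awk -F: 'BEGIN { OFS = ":" } $1 == "root" { $2 = "$6$saltsalt$NEWPLACEHOLDERHASH" } { print }' \
    "$SAMPLE_SHADOW-" > "$SAMPLE_SHADOW"

for u in root alice bob daemon guest; do
    printf '%-8s before: %-14s after: %s\n' "$u" \
        "$(shadow_status "$u" "$SAMPLE_SHADOW-")" "$(shadow_status "$u" "$SAMPLE_SHADOW")"
done
echo "changed since backup: $(changed_since_backup "$SAMPLE_SHADOW")"
```

The `changed_since_backup` output is the quickest way to see which entries a live-CD edit touched: on the asker's system it would name root, whose field went from `!` (never had a password) to a hash. Note that an `empty` field is worse than a locked one, since it removes the password check entirely wherever null passwords are permitted; setting a real hash is the safer recovery.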

2 Answers

It is possible that your machine was hacked.

If so, I'd suggest:

  • Disconnect it from the internet
  • Recover the root password using the answers here
  • Remove the pen-drive
  • Restart the machine
  • Boot into your machine using the root password
  • Change your main-user password, and try to log in to the account
  • Back up your data to an external disk
  • If you managed to back up all your data, or if the data on your main account is NOT needed:
    • Format your disk and re-install Ubuntu
  • If the data on your main account is needed, and you didn't manage to get it:
    • Open a new question and provide more data about the status and your problem with decryption of the data in the main account (now that you have root access to your machine, and maybe even can log in to your account)
Yaron
The problem is fixed. It turns out I did something very insane. I was supposed to run chown www-data:www-data -R /var/html/www but instead I accidentally ran it on my home folder recursively, giving ownership of everything to www-data. I learned a lot of valuable debugging information which I will provide. Maybe not here, maybe as part of an article, since I started writing them.

What fixed the problem with me being locked out of my encrypted hard drive was that I needed to chown me:me the directory ./.encryptfs/${USER}/.Private. I noticed it was owned by www-data, so I instantly knew what the source of the problem was.

karel
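The root cause in the answer above was a recursive chown run against the wrong tree, which left the eCryptfs lower directory owned by www-data so the encrypted home could no longer be mounted at login. The script below is an added example, not code from the question or its answers. It finds every path under a home tree that is not owned by the account's uid, checks the directories eCryptfs needs, and carries a guarded repair function. It assumes Ubuntu's standard layout, `/home/.ecryptfs/$USER/.Private` for the encrypted lower files and `/home/.ecryptfs/$USER/.ecryptfs` for the wrapped passphrase and mount metadata; the demo builds a constructed copy of that layout under a temp directory rather than touching a real home.

```shell
#!/bin/sh
# Added example, not code from the question or its answers: find everything under a
# home tree that is no longer owned by its user (the residue a mistyped recursive
# chown leaves), and check the eCryptfs directories that have to stay owned by the
# user. Assumes Ubuntu's standard layout, /home/.ecryptfs/$USER/.Private (lower,
# encrypted files) and /home/.ecryptfs/$USER/.ecryptfs (wrapped passphrase and
# mount metadata). The demo builds a constructed copy under a temp dir.

# foreign_owned DIR UID: print every path under DIR whose owner is not UID.
# -user accepts a numeric id, so UID may be "1000" as well as a login name.
foreign_owned() {
    find "$1" ! -user "$2" -print 2>/dev/null
}

# foreign_owned_count DIR UID: how many such paths (0 means ownership is intact).
foreign_owned_count() {
    foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# owned_by PATH UID: succeed if PATH exists and is itself owned by UID (no descent;
# -prune stops find at the starting point).
owned_by() {
    [ -e "$1" ] && [ -z "$(find "$1" -prune ! -user "$2" -print 2>/dev/null)" ]
}

# ecryptfs_paths_ok BASE USER UID: 0 if BASE/USER, its .Private lower directory and
# its .ecryptfs metadata directory all exist and are owned by UID, else 1 and a
# message on stderr. Any of these owned by another account (www-data in the
# answer above) keeps the encrypted home from mounting at login.
ecryptfs_paths_ok() {
    base="$1"; user="$2"; uid="$3"
    for p in "$base/$user" "$base/$user/.Private" "$base/$user/.ecryptfs"; do
        if ! owned_by "$p" "$uid"; then
            echo "bad owner or missing: $p" >&2
            return 1
        fi
    done
    return 0
}

# restore_owner USER PATH...: hand the trees back to USER. Must run as root, and
# assumes the user's primary group has the same name (Ubuntu's default). Not run
# by the demo.
restore_owner() {
    user="$1"; shift
    chown -R -- "$user:$user" "$@"
}

# Constructed demo tree standing in for /home; file contents are empty placeholders.
DEMO_ROOT="$(mktemp -d)"
trap 'rm -rf "$DEMO_ROOT"' EXIT
DEMO_USER=alice
DEMO_BASE="$DEMO_ROOT/home/.ecryptfs"
mkdir -p "$DEMO_BASE/$DEMO_USER/.Private" "$DEMO_BASE/$DEMO_USER/.ecryptfs" \
         "$DEMO_ROOT/home/$DEMO_USER"
: > "$DEMO_BASE/$DEMO_USER/.Private/ECRYPTFS_FNEK_ENCRYPTED.placeholder"
: > "$DEMO_BASE/$DEMO_USER/.ecryptfs/wrapped-passphrase"
: > "$DEMO_ROOT/home/$DEMO_USER/README.txt"

ME="$(id -u)"
echo "paths under $DEMO_ROOT/home not owned by uid $ME: $(foreign_owned_count "$DEMO_ROOT/home" "$ME")"
if ecryptfs_paths_ok "$DEMO_BASE" "$DEMO_USER" "$ME"; then
    echo "eCryptfs directories for $DEMO_USER are owned by uid $ME"
fi
```

On a real system the same check is `foreign_owned /home/.ecryptfs/$USER "$(id -u $USER)"` run as root from the live CD, with `restore_owner $USER /home/.ecryptfs/$USER /home/$USER` as the repair once the listing confirms the damage is confined to a chown and nothing else. A non-empty `foreign_owned` listing on `/home/$USER` after a chown-to-www-data accident is expected; the same listing on `/etc` or `/usr` is not, and would point to something other than the typo the answer describes.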