[lug] Possible compromise?

jdavis mohadib at ns2.taproot.bz
Sat Jan 18 18:05:03 MST 2003

On Sat, 2003-01-18 at 17:36, Rob Nagler wrote:
> I have a machine (offline) which may have been hacked.  You can "su"
> without a password.  I used checkrootkit.org's program (compiled on a
> clean machine) to check for a compromise, and it didn't detect
> anything.  The reason I suspected anything was that I couldn't change
> my normal user password.  I don't have the message, but we couldn't
> login any more except for root which could login (with ssh) with any
> password that wasn't blank.  No special ports were open, and 
> turning off PermitRootLogin for sshd had the right effect.  You can't
> login via ssh as root (or anybody else now).
> I couldn't find any security releases which matched this signature.
> Any ideas?
> Thanks,
> Rob

I always find the init scripts a good place to start


More information about the LUG mailing list