[lug] Possible compromise?
mohadib at ns2.taproot.bz
Sat Jan 18 18:05:03 MST 2003
On Sat, 2003-01-18 at 17:36, Rob Nagler wrote:
> I have a machine (offline) which may have been hacked. You can "su"
> without a password. I used checkrootkit.org's program (compiled on a
> clean machine) to check for a compromise, and it didn't detect
> anything. The reason I suspected anything was that I couldn't change
> my normal user password. I don't have the message, but we couldn't
> log in any more except for root, which could log in (with ssh) with any
> password that wasn't blank. No special ports were open, and
> turning off PermitRootLogin for sshd had the right effect. You can't
> log in via ssh as root (or anybody else now).
> I couldn't find any security releases which matched this signature.
> Any ideas?
I always find the init scripts a good place to start.
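
One way to act on the init-script suggestion above, as an added example that is not part of the original thread: a POSIX shell function that flags init scripts that are writable by group or other, not owned by root, or recently modified. The function name `audit_init_dir`, the 30-day default window and the directory paths in the usage comment are assumptions; use whatever init directory the distribution actually has.

```shell
#!/bin/sh
# Added example: first-pass triage of an init-script directory on a suspect host.
# Usage (paths are assumptions, they vary by distribution):
#   audit_init_dir /etc/rc.d/init.d
#   audit_init_dir /etc/init.d 90

# audit_init_dir DIR [DAYS]
# Prints one finding per line and returns 2 if DIR is not a directory:
#   WRITABLE <file>  regular file writable by group or other
#   OWNER <file>     regular file not owned by root
#   RECENT <file>    regular file modified within the last DAYS days (default 30)
audit_init_dir() {
    dir=$1
    days=${2:-30}

    if [ ! -d "$dir" ]; then
        echo "audit_init_dir: not a directory: $dir" >&2
        return 2
    fi

    # Anyone other than the owner being able to rewrite a boot script is a
    # finding by itself, whether or not the host was compromised.
    find "$dir" -type f \( -perm -020 -o -perm -002 \) -print | sed 's/^/WRITABLE /'

    # Init scripts run as root at boot and should belong to root.
    find "$dir" -type f ! -user root -print | sed 's/^/OWNER /'

    # Scripts changed inside the window get read by hand, line by line.
    find "$dir" -type f -mtime "-$days" -print | sed 's/^/RECENT /'

    return 0
}
```

Timestamps and modes can be reset by whoever modified a file, so an empty result is inconclusive; compare the scripts against the package database or copies from clean media before trusting them.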