Re: passwords changed?
On Sat, 10 Apr 2004 04:22, sciencewhiz@juno.com wrote:
> Is there anything ordinary that can cause passwords to be changed? I tried
> to log in last night and sshd wouldn't accept either my user's password or
> my root password. When I got physical access this morning, I couldn't log
> into the console either.
>
> So, my first thought is that I got rooted, and so I pulled the ethernet
> cable. However, I thought that the idea of a rootkit was to hide any
> evidence. So, changing the passwords wouldn't be something "normal"
Root kits are often used by people who are a lot less intelligent than the
people who wrote them. Also there is no requirement that someone who cracks
your machine install a root kit.
When was the last time you could log in? Have you made any changes since then?
Try copying the /etc/passwd and /etc/shadow to a test machine and see if it
lets you log in then (i.e. test if it is actually a password change or something
broken in PAM etc).
> The system is actually Red Hat 8.0 (not my choice) fully up to date, or as
> up to date as Red Hat lets you get nowadays. The 2 services running are sshd
> and proftpd. I'm definitely putting Debian on it, if it does turn out to be
> rooted.
What versions of sshd and proftpd? Both of them have had security issues at
various times.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
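
Added example, not part of the original message: once /etc/shadow has been copied to a test machine as suggested above, the third field of each entry (days since 1970-01-01 of the last recorded password change) and the form of the hash field can be read offline to see whether a change was recorded after the last good login. The sample entries, placeholder hashes and the function names are constructed for illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "5": "sha256crypt", "6": "sha512crypt"}

def parse_shadow_line(line):
    """Split one /etc/shadow line into the fields relevant to this triage."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    name, pw, lastchg = fields[0], fields[1], fields[2]
    if pw == "":
        state = "empty"             # no password required at all
    elif pw[0] in "!*":
        state = "locked"            # password login disabled
    elif pw.startswith("$") and pw.count("$") >= 3:
        state = SCHEMES.get(pw.split("$")[1], "unknown-scheme")
    else:
        state = "des-or-malformed"  # 13-char DES hash or a damaged field
    # lastchg is days since 1970-01-01; blank means no date recorded,
    # 0 means "must change at next login". Neither yields a date.
    has_date = lastchg.isdigit() and lastchg != "0"
    changed = EPOCH + timedelta(days=int(lastchg)) if has_date else None
    return {"name": name, "state": state, "changed": changed}

def changed_since(shadow_text, last_good_login):
    """Names of accounts whose recorded change is on or after the given date."""
    hits = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        if entry["changed"] is not None and entry["changed"] >= last_good_login:
            hits.append(entry["name"])
    return hits

# Constructed sample, not data from the thread; hashes are placeholders.
SAMPLE_SHADOW = """\
root:$1$PLACEHOLDER$PLACEHOLDERHASH:12517:0:99999:7:::
alice:$1$PLACEHOLDER$PLACEHOLDERHASH:12300:0:99999:7:::
ftp:*:12000:0:99999:7:::
"""

if __name__ == "__main__":
    for line in SAMPLE_SHADOW.splitlines():
        print(parse_shadow_line(line))
    print("changed since 2004-04-01:", changed_since(SAMPLE_SHADOW, date(2004, 4, 1)))
```

The date field is only updated by tools such as passwd; a direct edit of the file leaves it untouched, so an old date does not prove the hash is unchanged.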