On Sat, 10 Apr 2004 04:22, [EMAIL PROTECTED] wrote:
> Is there anything ordinary that can cause passwords to be changed? I tried
> to log in last night and sshd wouldn't accept either my user's password or
> my root password. When I got physical access this morning, I couldn't log
> into the console either.
>
> So, my first thought is that I got rooted, and so I pulled the ethernet
> cable. However, I thought that the idea of a rootkit was to hide any
> evidence. So, changing the passwords wouldn't be something "normal"
Root kits are often used by people who are a lot less intelligent than the
people who wrote them. Also there is no requirement that someone who cracks
your machine install a root kit.

When was the last time you could log in? Have you done any changes since then?

Try copying the /etc/passwd and /etc/shadow to a test machine and see if it
lets you log in then (i.e. test if it is actually a password change or
something broken in PAM etc).

> The system is actually Redhat 8.0 (not my choice) fully up to date, or as
> up to date as redhat lets you get nowadays. The 2 services running are sshd
> and proftpd. I'm definitely putting debian on it, if it does turn out to be
> rooted.

What versions of sshd and proftpd? Both of them have had security issues at
various times.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
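
A complementary offline check on the copied /etc/shadow, given as an added example that is not part of the original message: it reads the shadow(5) last-change field and flags accounts changed after the last known good login, plus hashes disabled with a leading "!". The sample file, its placeholder hashes and the last-good-login date are constructed assumptions.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample of a copied /etc/shadow; the hashes are placeholders.
SAMPLE_SHADOW = """\
root:$1$CONSTRUCTED$placeholderhashvalue000:12517:0:99999:7:::
alice:!$1$CONSTRUCTED$placeholderhashvalue111:12400:0:99999:7:::
ftp:*:12000:0:99999:7:::
bob:$1$CONSTRUCTED$placeholderhashvalue222:12300:0:99999:7:::
"""

def parse_shadow(text):
    """Yield (user, password_field, last_change_date or None) per line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or line.startswith("#"):
            continue
        user, pw, lastchg = fields[0], fields[1], fields[2]
        # Field 3 is the day of the last password change, in days since 1970-01-01.
        changed = EPOCH + timedelta(days=int(lastchg)) if lastchg.isdigit() else None
        yield user, pw, changed

def review(text, last_good_login):
    """Return (user, reason) pairs worth a closer look."""
    findings = []
    for user, pw, changed in parse_shadow(text):
        if changed is not None and changed > last_good_login:
            # Set by passwd/chpasswd-style tools; a hand-edited file may not
            # update it, so a clean result does not rule out tampering.
            findings.append((user, "changed-after-last-login"))
        if pw.startswith("!") and len(pw.lstrip("!")) > 0:
            # A real hash prefixed with "!" means the account was locked.
            findings.append((user, "locked"))
        elif pw == "":
            findings.append((user, "empty-password"))
    return findings

if __name__ == "__main__":
    # Assumed date of the last successful login (hypothetical).
    for user, reason in review(SAMPLE_SHADOW, date(2004, 4, 1)):
        print(f"{user}: {reason}")
```

If nothing is flagged and the copied files still refuse logins on the test machine, the stored hashes themselves differ from what you expect; if they work there, look at PAM and the login path on the original host.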

