Is there anything ordinary that can cause passwords to be changed? I tried to 
log in last night and sshd wouldn't accept either my user's password or my root 
password. When I got physical access this morning, I couldn't log into the 
console either.

So, my first thought is that I got rooted, and so I pulled the ethernet cable. 
However, I thought that the idea of a rootkit was to hide any evidence. So, 
changing the passwords wouldn't be something "normal".

If it was rooted, I need to get some source code off it. Can I just stick the 
hard drive in another system, so I can get that source off of it, and diff it 
to my backups?

The system is actually Red Hat 8.0 (not my choice) fully up to date, or as up to 
date as Red Hat lets you get nowadays. The 2 services running are sshd and 
proftpd. I'm definitely putting Debian on it, if it does turn out to be rooted.

Thanks for any advice.
