On Mon, 2003-08-25 at 18:00, Swapana Ghosh wrote:
> Hi
>
> On one of our servers (Red Hat 7.1) we log in as
>
> telnet domain.com
> user : admin
> pass : -
>
> su - root
> root passwd
>
> but today I found something has been changed. I am not able
> to enter root with su - root
>
> I am entering with sudo bash
> then again giving the admin passwd ...
>
> the /etc/pam.d/su file is as follows:
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_rootok.so
> # Uncomment the following line to implicitly trust users in the "wheel" group.
> #auth sufficient /lib/security/pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the "wheel" group.
> #auth required /lib/security/pam_wheel.so use_uid
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_xauth.so
> ~

This looks normal.

But I would be very(!) suspicious of any system where logins, particularly root, have mysteriously changed - especially given the way you are telnetting in the clear.

I recommend you unplug your box from the network and go through the logs with great care, looking for any hint of something out of place. A good cracker will try to cover his tracks, so the indicators may be very subtle.

I don't suppose you were running Tripwire?

--
burns
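
As an added example (not part of the original messages), the following sketch checks the quoted `/etc/pam.d/su` the way the reply does by eye: it lists the active `auth` rules and reports whether a `pam_wheel.so` restriction is in force. `SAMPLE` is constructed from the quoted file with the mail-wrapped lines rejoined; the function names are hypothetical, and the parser assumes the simple `type control module args` syntax of that era.

```python
# Added example: summarise the active rules of a Red Hat 7.x style /etc/pam.d/su.
# SAMPLE is constructed from the file quoted in the thread (wrapped lines rejoined).
SAMPLE = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so
"""

TYPES = {"auth", "account", "password", "session"}

def active_rules(text):
    """Return (type, control, module, args) for every uncommented PAM rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in pam.d files
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in TYPES:
            raise ValueError("unparseable PAM line: %r" % raw)
        module = fields[2].rsplit("/", 1)[-1]  # drop the /lib/security/ prefix
        rules.append((fields[0], fields[1], module, fields[3:]))
    return rules

def review_su(text):
    """Summarise what decides whether 'su - root' can succeed."""
    rules = active_rules(text)
    auth = [r for r in rules if r[0] == "auth"]
    wheel = [r for r in auth if r[2] == "pam_wheel.so"]
    services = {a.split("=", 1)[1] for _, _, m, args in rules
                if m == "pam_stack.so" for a in args if a.startswith("service=")}
    return {
        "auth_chain": [(c, m) for _, c, m, _ in auth],
        "wheel_required": any(c == "required" and "trust" not in a for _, c, _, a in wheel),
        "wheel_trusted": any("trust" in a for _, _, _, a in wheel),
        "included_services": sorted(services),
    }

if __name__ == "__main__":
    for key, value in review_su(SAMPLE).items():
        print(key, "=", value)
```

For the quoted file no wheel restriction is active and authentication is delegated to the `system-auth` service, so `/etc/pam.d/system-auth` is the next file to compare against a known-good copy.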
