On Thu, 5 Mar 2009, Russell Senior wrote:

> Even more disturbingly, su took me right to a root prompt. The
> /etc/passwd and /etc/shadow appear to be intact. I immediately
> assumed the worst and unplugged it from the network, booted a
> live-cd and did some trolling through the filesystems. I found
> evidence in /var/log/auth.log that two or three ssh-knockers had
> logged in as root, but within a minute had logged out again. I
> disregarded all the cool forensics stuff I learned at PLUG a month
> ago.

How old is this Debian box? Have you run ssh-vulnkey to make sure your system and user keys aren't predictable à la CVE-2008-0166:

http://www.debian.org/security/2008/dsa-1571

-- 
Paul Heinlein <> [email protected] <> www.madboa.com

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
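The auth.log review mentioned in the quoted message (root ssh logins that logged out again within a minute) can be scripted as below. This is an added example, not part of the original thread; it assumes the stock Debian sshd/pam_unix syslog line format, and the log lines, hostname and addresses in it are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the usual Debian sshd syslog format (not from the thread).
SAMPLE_LOG = """\
Mar  4 02:11:07 box sshd[4121]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar  4 02:11:09 box sshd[4123]: Accepted password for root from 203.0.113.9 port 40125 ssh2
Mar  4 02:11:09 box sshd[4123]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  4 02:11:41 box sshd[4123]: pam_unix(sshd:session): session closed for user root
Mar  4 09:30:00 box sshd[5200]: Accepted publickey for alice from 192.0.2.20 port 51000 ssh2
Mar  4 09:30:00 box sshd[5200]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  4 11:02:13 box sshd[5200]: pam_unix(sshd:session): session closed for user alice
Mar  4 23:50:30 box sshd[6001]: Accepted password for root from 198.51.100.7 port 33001 ssh2
Mar  4 23:50:30 box sshd[6001]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port \d+")
CLOSE = re.compile(r"session closed for user (\S+)")

def root_sessions(text, year=2009):
    """Pair each 'Accepted ... for root' with the close logged by the same sshd PID."""
    open_by_pid, sessions = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        a = ACCEPT.match(msg)
        if a and a.group(2) == "root":
            open_by_pid[pid] = {"start": ts, "method": a.group(1), "src": a.group(3), "end": None}
            sessions.append(open_by_pid[pid])
        elif CLOSE.search(msg) and pid in open_by_pid:
            open_by_pid.pop(pid)["end"] = ts  # pop so a reused PID starts fresh
    return sessions

def short_root_logins(text, limit=timedelta(minutes=1)):
    """Root logins that ended within `limit`, or that never logged a close."""
    return [s for s in root_sessions(text)
            if s["end"] is None or s["end"] - s["start"] <= limit]

if __name__ == "__main__":
    for s in short_root_logins(SAMPLE_LOG):
        dur = "no close logged" if s["end"] is None else s["end"] - s["start"]
        print(s["start"], s["src"], s["method"], dur)
```

A root login with no matching close is reported as well, since the session may still be open or the log may have been truncated after it.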
