> It could be PAM configurations that allow anyone to login. Or it could be
> a trojaned C library that makes crypt return the salt, which is usually
> just passed the encrypted password. Did you see strace read the shadow
> file? Running ltrace might also give clues. Is there a way to globally
> check checksums for all installed packages? I'm not a deb user, so I am
> not sure.
Yeah, I was going to say; there are many places where your binaries or configurations could be backdoored. If I were you, I'd get any data of importance off of that system and plan on rebuilding it, if you hadn't decided on that already. Trying to figure out what they did to your box is fun and all, but don't assume you'll get the system clean without a reinstall.

If you still plan on investigating the system for curiosity's sake, here are some thoughts: your box freezing up could have been due to the attacker trying to install a kernel-level rootkit. You should try running rootkit hunter (rkhunter) as well as chkrootkit. Did the attacker nuke your root user's .bash_history file? If not, maybe there will be some clues in there as to what they did. If they did nuke it, perhaps you'll find it partly intact on the filesystem still using tools like The SleuthKit. (You'd think something so obvious would be wiped right away by any attacker, but in reality, most are not terribly smart and/or don't care if they're discovered since you'll never catch them anyway.)

Good luck,
tim

_______________________________________________
PLUG mailing list
http://lists.pdxlinux.org/mailman/listinfo/plug
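The quoted question about globally checking checksums of installed packages, as an added example that is not from the thread: on Debian-family systems dpkg keeps per-package MD5 sums in /var/lib/dpkg/info/<pkg>.md5sums, and this POSIX shell checker compares them against the files on disk (the same idea as the debsums tool). The function names check_pkg_md5sums and demo_pkg_check are mine, and the sample "coreutils" package in the demo is constructed.

```shell
#!/bin/sh
# Added example: verify installed files against the MD5 sums dpkg recorded
# at install time (/var/lib/dpkg/info/<pkg>.md5sums, paths relative to /),
# the same idea as the debsums tool.  Caveat: a trojaned md5sum/libc or a
# kernel rootkit can lie to this check, so run it from a trusted live medium
# and treat a clean result as a hint, not proof.

# check_pkg_md5sums ROOT INFODIR
#   prints "pkg: path" for every file that is missing or altered,
#   returns 0 if everything verified, 1 otherwise.
check_pkg_md5sums() {
    root=$1; infodir=$2; bad=0
    for sums in "$infodir"/*.md5sums; do
        [ -f "$sums" ] || continue
        pkg=$(basename "$sums" .md5sums)
        # md5sum -c --quiet prints only "path: FAILED[ open or read]" lines
        fails=$(cd "$root" && md5sum -c --quiet "$sums" 2>/dev/null \
                | grep ': FAILED' || true)
        if [ -n "$fails" ]; then
            bad=1
            printf '%s\n' "$fails" | sed "s/^/$pkg: /; s/: FAILED.*//"
        fi
    done
    return $bad
}

# On a real Debian box:  check_pkg_md5sums / /var/lib/dpkg/info
# Below, a constructed sample (hypothetical package "coreutils") whose ls
# was replaced after install.  Prints mismatches, returns the checker's status.
demo_pkg_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/usr/bin" "$tmp/info"
    printf 'ls\n'  > "$tmp/root/usr/bin/ls"
    printf 'cat\n' > "$tmp/root/usr/bin/cat"
    (cd "$tmp/root" && md5sum usr/bin/ls usr/bin/cat) \
        > "$tmp/info/coreutils.md5sums"          # "install-time" record
    printf 'altered ls\n' > "$tmp/root/usr/bin/ls"   # the post-install change
    rc=0
    check_pkg_md5sums "$tmp/root" "$tmp/info" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

The demo reports `coreutils: usr/bin/ls` and exits 1; a tree that matches its md5sums files exits 0 with no output.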
