On Sun, March 8, 2009 12:38 am, Dave Smith wrote: > Matthew Walker wrote: >> Several servers I help manage have recently developed a somewhat alarming >> habit. They >> have started modifying the root account to have no shell account, which of >> course >> makes >> it impossible to log into root. > > Is there any hint in the logs?
Not that I've been able to find. There's no evidence of anyone else being on the box. No unusual processes, no SSH logins from unknown IPS, or anything like that. I also can't find any log entries that correspond with the modification of the account. I'm highly suspicious that something in cPanel is responsible, since the way it locks out users is to remove their shell as well. But I haven't been able to confirm that. -- Matthew Walker Kydance Hosting & Consulting, Inc. - http://www.kydance.net/ PHP, Perl, and Web Development - Linux Server Administration /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
