>Good. Now check for all the other places it could be in :>
I did an ls -alR | grep... and it came up clean.
>1. Modify the rc startup scripts to create a setuid shell
> somewhere.
clean...
>2. Create a root cron that does the same.
also clean. I checked all the cron jobs after finding /bin/ns set to run
every minute as root. I have no idea what it does/did, but I didn't put it
there, and it isn't running now.
>3. Put an innocuous looking entry in inetd.conf which actually
> starts a process as root for you.
just found this appended to the last line of the file, right after the qmail
entry I had installed the night before:
linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
I certainly don't remember putting it there, so this makes me think the
breach is worse than I at first thought. :/
>4. Create an innocuous looking user (nobody4 is a goodie) with a
> uid of zero and a password you know.
>5. Install an old version of sendmail.
>6. Replace the passwd command with a wrapper that sends the username
> and password to a remote address.
>7. Modify your .profile to create a function for su that traps the
> root password and emails it somewhere.
Clean (for now)
Oh well, I'm learning a lot, which was part of the reason I built the server
in the first place. Thanks for the input.
PS> In case you are wondering, no, I'm not mailing from that server. I'm
on a different network altogether. :)
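As an added example (not part of the original thread, and not something the poster ran), the checks the quoted list asks for can be scripted in POSIX shell so they are repeatable after each cleanup pass: uid 0 accounts other than root, inetd.conf services started as root, root cron entries that fire every minute, and setuid files under a directory. The script runs against constructed sample files in a temp directory so it is self-contained; the sample entries (nobody4, the linuxconf inetd line, /bin/ns in cron) mirror what the thread describes. To audit a live host, point the functions at /etc/passwd, /etc/inetd.conf, /etc/crontab and / instead.

```shell
#!/bin/sh
# Added example, not from the original thread: repeatable checks for the
# persistence spots named in the quoted message. All sample data below is
# constructed for the demonstration.

AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT

# --- constructed sample files (not real system files) ---------------------
SAMPLE_PASSWD="$AUDIT_DIR/passwd"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
nobody4:x:0:0:nobody:/:/bin/sh
EOF

SAMPLE_INETD="$AUDIT_DIR/inetd.conf"
cat > "$SAMPLE_INETD" <<'EOF'
# service  socket  proto  flags  user    program                 args
ftp        stream  tcp    nowait root    /usr/sbin/tcpd          in.ftpd
finger     stream  tcp    nowait nobody  /usr/sbin/tcpd          in.fingerd
smtp       stream  tcp    nowait qmaild  /var/qmail/bin/tcp-env  tcp-env /var/qmail/bin/qmail-smtpd
linuxconf  stream  tcp    wait   root    /bin/linuxconf          linuxconf --http
EOF

SAMPLE_CRONTAB="$AUDIT_DIR/crontab"
cat > "$SAMPLE_CRONTAB" <<'EOF'
# m  h  dom mon dow  user  command
17 *  *   *   *    root  run-parts /etc/cron.hourly
*  *  *   *   *    root  /bin/ns
EOF

# A sample directory tree containing one setuid file (owned by the current
# user, so it grants nothing; it only exercises the check).
mkdir -p "$AUDIT_DIR/tree/bin"
printf '#!/bin/sh\n' > "$AUDIT_DIR/tree/bin/.sh"
chmod u+s "$AUDIT_DIR/tree/bin/.sh"

# --- the checks -----------------------------------------------------------

# Accounts with uid 0 whose name is not "root" (quoted item 4).
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Services inetd would start as root, printed as "service program" so each
# one can be compared against what you remember installing (quoted item 3).
find_root_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 && $5 == "root" { print $1, $6 }' "$1"
}

# System-crontab entries that run as root every minute: all five time fields
# are "*" and the user field is root (quoted item 2). Prints the command.
find_every_minute_root_cron() {
    awk '!/^[[:space:]]*#/ && NF >= 7 &&
         $1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" &&
         $6 == "root" {
             cmd = $7
             for (i = 8; i <= NF; i++) cmd = cmd " " $i
             print cmd
         }' "$1"
}

# Setuid files below a directory (quoted item 1). Diff the output against a
# list taken when the system was known to be clean.
find_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# --- report over the sample data -------------------------------------------
echo "uid 0 accounts other than root:"
find_uid0_accounts "$SAMPLE_PASSWD"
echo "inetd services started as root:"
find_root_inetd_services "$SAMPLE_INETD"
echo "root cron entries that run every minute:"
find_every_minute_root_cron "$SAMPLE_CRONTAB"
echo "setuid files under $AUDIT_DIR/tree:"
find_setuid_files "$AUDIT_DIR/tree"
```

The inetd check deliberately lists every root service rather than only "suspicious" ones: the linuxconf line in the thread looked legitimate on its own, and the only way it stood out was that the admin did not remember adding it. Keeping a saved copy of each check's output from a known-clean state and diffing against it turns that memory into something mechanical.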