[lug] Possible compromise?

Rob Nagler nagler at bivio.biz
Sat Jan 18 17:36:37 MST 2003


I have a machine (offline) which may have been hacked.  You can "su"
without a password.  I used checkrootkit.org's program (compiled on a
clean machine) to check for a compromise, and it didn't detect
anything.  The reason I suspected anything was that I couldn't change
my normal user password.  I don't have the message, but we couldn't
login any more except for root which could login (with ssh) with any
password that wasn't blank.  No special ports were open, and 
turning off PermitRootLogin for sshd had the right effect.  You can't
login via ssh as root (or anybody else now).

I couldn't find any security releases which matched this signature.

Any ideas?

Thanks,
Rob





More information about the LUG mailing list