>> > Thanks Mick. My host is big with multiple data centers of their own.
>> > They did exactly as I asked and I'm running on new RAM. There was a
>> > problem bringing my system back online and the cause was purported to
>> > be an unseated ethernet cable. I handed over my root password as I
>> > was requested to do, and then started to get paranoid. I suppose I
>> > shouldn't though because with physical access to my machine they
>> > pretty much have full access anyway, right?
>
>> Usually, physical access means they either have it or can get it pretty
>> quick. Boot a CD/DVD, mount the partitions, chroot in, change password
>> and reboot. Then, you don't have the password but they do.
>
> That's pretty obvious though. Physical access allows them to change your
> password but not read it, so you'd know pretty soon if they'd been up to
> anything.
>
> If they really do need the root password, you have to give it to them,
> but that doesn't stop you changing it, and running a rootkit scan, as
> soon as they've finished with it.
I've run chkrootkit, but I noticed:

The file of stored file properties (rkhunter.dat) does not exist, and
so must be created. To do this type in 'rkhunter --propupd'.

I thought the best practice with a rootkit checker like chkrootkit was
to not leave it installed on the system so you can run it as a clean
install when the time comes?

Do any of these warnings sound an alarm for anyone? I think the SSH
warnings are OK because I have a normal user specified with AllowUsers
and the config file says:

# The default requires explicit activation of protocol 1
#Protocol 2

Here are the warnings:

Warning: The command '/usr/bin/ldd' has been replaced by a script:
/usr/bin/ldd: Bourne-Again shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script:
/usr/bin/whatis: POSIX shell script text executable
Warning: The command '/usr/bin/lwp-request' has been replaced by a script:
/usr/bin/lwp-request: a /usr/bin/perl -w script text executable
Warning: No output found from the lsmod command or the /proc/modules file:
/proc/modules output:
lsmod output:
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.
Warning: Hidden directory found: /dev/.udev

- Grant
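
An added example, not part of the message above and not rkhunter's own code: a small Python check that reads sshd_config text the way sshd does (comment lines ignored, first value wins, global section only) and lists which of the two options named in the SSH warnings are not explicitly set. The sample configs and the user name in them are constructed, and Include files are not followed.

```python
import re

# The two options named in the rkhunter SSH warnings above.
CHECKED = ("PermitRootLogin", "Protocol")

def explicit_settings(config_text):
    """Return {lowercased keyword: value} for the global part of an sshd_config.

    Per sshd_config(5): blank lines and lines starting with '#' are ignored,
    keywords are case-insensitive, keyword and value are separated by
    whitespace or a single '=', and the first value obtained wins.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented default such as "#Protocol 2" sets nothing
        m = re.match(r"([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything after a Match line applies only conditionally
        settings.setdefault(key, value)  # keep the first occurrence only
    return settings

def unset_options(config_text, options=CHECKED):
    """List the checked options that have no explicit global value."""
    found = explicit_settings(config_text)
    return [opt for opt in options if opt.lower() not in found]

# Constructed sample: the two config lines quoted in the message plus AllowUsers.
SAMPLE_AS_POSTED = """\
# The default requires explicit activation of protocol 1
#Protocol 2
AllowUsers someuser
"""

# Constructed sample: the same file with both options stated explicitly.
SAMPLE_EXPLICIT = """\
Protocol 2
PermitRootLogin no
AllowUsers someuser
"""

if __name__ == "__main__":
    print("as posted:", unset_options(SAMPLE_AS_POSTED))
    print("explicit: ", unset_options(SAMPLE_EXPLICIT))
```

On a live host, `sshd -T` prints the effective values, including compiled-in defaults that a file-only check like this one cannot see.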