I haven't had the timer for a full report, but, althought I'm not CLEAR that his box has been rooted, things like minor changes to su, and other wierd things failing are signs of a rootkit (yes, a clumsy one) being installed. Having su suddenly start to give different messages is a sign that SOMEBODY has changed SOMETHING.
If you can't show that you changed it, then you have to presume that somebody else has. At the very least, I think he should run something like chkrootkit to see if any well-known root kit is being used. Alan Bort wrote: > Well... I think bash actually has a builtin su... so if you reinstall > bash (not a very big package anyway)... it might help. since you've > already installed shadow again... > > Anyway... I agee with the (quote)'I'd just load a new OS and migrate the > user data over to it.'(/quote) idea... > > El mar, 15-07-2003 a las 12:38, Andrew Langdon-Davies escribió: > >>>>>It sounds to me like you've been rooted, and somebody installed >>>>>a trojan. I'd do a full hunt for signs of a rootkit. When in >>>>>doubt (especially if there are ony a few people on your system), >>>>>I'd just load a new OS and migrate the user data over to it. >>> >>>I don't want to sound like Pollyanna, but interpreting your initial >>>trouble report as evidence of a breakin seems to me like an enormous >>>leap. >>> >>>>I thought reinstalling shadow had put everything right, but there are >>>>still hiccups. For example, although I can now su again --that is, it >>>>now recognises the password-- if I give the wrong password I still get >>>>just 'sorry'. -- Stephen Samuel +1(604)876-0426 [EMAIL PROTECTED] http://www.bcgreen.com/~samuel/ Powerful committed communication. Transformation touching the jewel within each person and bring it to life. - To unsubscribe from this list: send the line "unsubscribe linux-newbie" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.linux-learn.org/faqs