I haven't had the time for a full report, but, although I'm not
CLEAR that his box has been rooted, things like minor changes to
su, and other weird things failing are signs of a rootkit (yes,
a clumsy one) being installed.  Having su suddenly start to
give different messages is a sign that SOMEBODY has changed
SOMETHING.

If you can't show that you changed it, then you have to presume
that somebody else has.

At the very least, I think he should run something like chkrootkit to see
if any well-known root kit is being used.

Alan Bort wrote:
> Well... I think bash actually has a builtin su... so if you reinstall
> bash (not a very big package anyway)... it might help. since you've
> already installed shadow again...
> 
> Anyway... I agree with the (quote)'I'd just load a new OS and migrate the
> user data over to it.'(/quote) idea...
> 
> On Tue, 15-07-2003 at 12:38, Andrew Langdon-Davies wrote:
> 
>>>>>It sounds to me like you've been rooted, and somebody installed
>>>>>a trojan.  I'd do a full hunt for signs of a rootkit. When in
>>>>>doubt (especially if there are only a few people on your system),
>>>>>I'd just load a new OS and migrate the user data over to it.
>>>
>>>I don't want to sound like Pollyanna, but interpreting your initial 
>>>trouble report as evidence of a breakin seems to me like an enormous 
>>>leap.
>>>
>>>>I thought reinstalling shadow had put everything right, but there are 
>>>>still hiccups. For example, although I can now su again --that is, it 
>>>>now recognises the password-- if I give the wrong password I still get 
>>>>just 'sorry'.


-- 
Stephen Samuel +1(604)876-0426                [EMAIL PROTECTED]
                   http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
        the jewel within each person and bring it to life.
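
Added example, not part of the original message or of chkrootkit: a baseline-and-compare check that makes "can you show that you changed it?" answerable for binaries such as su. The function names and the baseline file format are assumptions made for this sketch; it relies on GNU `sha256sum` and `stat`.

```sh
#!/bin/sh
# Illustrative sketch (names and baseline format are assumptions).
# On a box that may already be rooted, the local sha256sum/stat cannot be
# trusted: run from known-good media and keep the baseline off the host.

# record_baseline BASELINE FILE...
# Writes one "sha256 mode:uid:gid path" line per existing file.
record_baseline() {
    bl=$1; shift
    : > "$bl"
    for f in "$@"; do
        [ -f "$f" ] || continue
        sum=$(sha256sum < "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a:%u:%g' "$f")
        printf '%s %s %s\n' "$sum" "$meta" "$f" >> "$bl"
    done
}

# check_baseline BASELINE
# Prints one line per deviation; exit status is the number of deviations.
check_baseline() {
    changed=0
    while read -r sum meta path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; changed=$((changed + 1)); continue
        fi
        now_sum=$(sha256sum < "$path" | cut -d' ' -f1)
        now_meta=$(stat -c '%a:%u:%g' "$path")
        if [ "$now_sum" != "$sum" ]; then
            echo "CONTENT  $path"; changed=$((changed + 1))
        fi
        if [ "$now_meta" != "$meta" ]; then
            echo "PERMS    $path (was $meta, now $now_meta)"
            changed=$((changed + 1))
        fi
    done < "$1"
    return "$changed"
}

# Usage: script record BASELINE FILE...   |   script check BASELINE
case "${1:-}" in
    record) shift; record_baseline "$@" ;;
    check)  check_baseline "$2" ;;
esac
```

A baseline only helps if it was recorded while the system was known to be clean; one taken after the odd su behaviour started proves nothing.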
