Compromised Machine
Brian D. McGrew
brian at doubledimension.com
Wed Sep 22 18:31:02 UTC 2004
Hello all ... I need a bit of advice here.
It would appear that one of our machines was compromised last night via
ssh. It turns out that one of our accounts called 'operator' didn't
have a password on it (Hey, it's not 'my' machine) and someone came in
via ssh. This was made obvious when we discovered the root password
had been changed and the 'last' showed two logins from overseas. The
machine was shut down immediately and they called me.
My questions are:
1) As an unprivileged user, how can someone change the root password?
Our operator account is the lowest privileged account on the system;
they can't shut down, su or do anything. But the root password is
changed.
2) While bringing the machine back up, it hung while starting the
network on device eth0 with the error "Error loading module
ppp.o". We don't use ppp or anything even close. This machine is on a
LAN and it's even very rarely logged into. Is it feasible to think
that some sort of malicious software was installed or run on the system,
and if so, how can I tell?
3) Short of reinstalling the system, how can I tell what was done and
go about fixing it? I know a reinstall would of course do it; and in
the case of this machine we've only changed one line of one file,
otherwise it's a stock install.
Any help is great! Thanks!
-brian
Brian D. McGrew { brian at doubledimension.com ||
pacemakertaker at yahoo.com }
--
> YOU! Off my planet!
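Two checks that follow directly from the situation in the post above: finding every account whose shadow entry has an empty password field (the way 'operator' got in), and, because the box is a stock Red Hat install, asking the package database which installed files no longer match what the packages shipped. This is an added example, not something from the original message or from Red Hat; the shadow lines and the `rpm -Va` output it parses are constructed sample data so it runs offline, and on a real system you would feed it the actual /etc/shadow and the actual `rpm -Va` output instead.

```shell
#!/bin/sh
# Added example, not part of the original post. Both functions take their
# input as a string argument so the constructed samples below can stand in
# for /etc/shadow and `rpm -Va` output.

# --- 1. Accounts with an empty password field ---
# shadow(5) layout: name:hash:lastchg:min:max:warn:inactive:expire:flag
# An empty hash field means login with no password at all; '!' or '*'
# means the account is locked. Constructed sample, not a real shadow file.
SAMPLE_SHADOW='root:$1$abcdefgh$ijklmnopqrstuvwxyz012:12345:0:99999:7:::
bin:*:12345:0:99999:7:::
operator::12345:0:99999:7:::
brian:$1$zyxwvuts$rqponmlkjihgfedcba987:12345:0:99999:7:::'

# Prints one account name per line for each entry whose hash field is empty.
# On a live box: empty_password_accounts "$(cat /etc/shadow)", then lock each
# hit with `passwd -l <name>` until it is decided whether it is needed at all.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# --- 2. Installed files that no longer match the RPM database ---
# `rpm -Va` prints one line per file that differs from its package: an
# attribute mask (S size, M mode, 5 md5sum, D device, L symlink, U user,
# G group, T mtime; '.' = unchanged), then 'c' if it is a config file, then
# the path; a file that is gone is reported as "missing". Config files are
# expected to differ (the post says one line of one file was edited), and an
# mtime-only change is noise; a binary whose size or checksum changed, or a
# tool that has vanished, is what a responder wants to see.
# Constructed sample in that format, not real output from the machine.
SAMPLE_RPM_VA='S.5....T c /etc/ssh/sshd_config
S.5....T   /bin/login
.......T   /usr/share/man/man1/ls.1.gz
S.5....T   /sbin/ifup
missing    /usr/bin/chattr'

# Prints the path of every non-config file whose content changed or that is
# missing. Caveat: this trusts rpm and its database on the compromised disk;
# a rootkit that replaced rpm or edited /var/lib/rpm can hide from it, so
# mount the disk read-only from a clean boot and run rpm with --root against
# it (or compare with rpm -Vp against the original package files) before
# believing a clean result.
modified_non_config_files() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print $NF; next }   # file deleted or moved away
        $2 == "c"       { next }              # config file: expected to differ
        $1 ~ /[S5]/     { print $NF }         # size or md5sum changed: altered content
    '
}

echo "accounts with no password:"
empty_password_accounts "$SAMPLE_SHADOW"
echo "altered or missing non-config files:"
modified_non_config_files "$SAMPLE_RPM_VA"
```

Neither check answers the question of how the root password was changed; they only narrow where to look. The second one is also what makes the "stock install plus one edited line" point useful: anything the packages did not install (a new binary dropped somewhere, an added kernel module) will not appear in `rpm -Va` output at all, so the file listing from the clean boot still has to be walked for unowned files (`rpm -qf <path>` reports "not owned by any package").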