On Wed, Feb 16, 2011 at 7:43 AM, James Bensley <jwbensley@xxxxxxxxx> wrote:
> On 16 Feb 2011 12:34, "Nico Kadel-Garcia" <nkadel@xxxxxxxxx> wrote:
>>
>> Uh-oh. Has your developer, or you, been editing the /etc/passwd,
>> /etc/shadow, /etc/group, or /etc/gshadow files manually?
>
> Nope.
>
>> And do you
>> use NIS or LDAP for authentication?
>
> Nope.
>
>> And this is a publicly exposed
>> webserver, right? How fast can you rebuild it if it's been rootkitted?
>
> How long is a piece of string? As quick as I can reupload the data, but
> that's another issue for another day.
>
>> Check the /etc/shadow and /etc/group for consistent numbers of
>> entries, and /etc/group and /etc/gshadow.
>
> Do you mean duplicate entries? If so there are none of those.

No, I mean the same number of entries.

    wc /etc/shadow /etc/passwd
    cut -f1 -d: /etc/shadow /etc/passwd | sort | uniq -c

And actually go line by line down these files, checking for matching
usernames, correct layout of ':' separated entries, correct numbers of
entries, and blank lines. I've seen serious problems where one or the
other of these files was corrupted by something, especially badly
written installer scripts that only edited /etc/passwd directly and
ignored /etc/shadow, or which mishandled "$" entries in newly created
encrypted passwords.

>> Do you have other users who
>> can still log in or not?
>
> There is only the root and web dev user on this box.
>
> Thanks for your input Nico :)
>
> --James. (This email was sent from a mobile device)

Are you *sure*? Can you back this thing up for review and rebuilding?
It might be safest to image it for analysis and simply rebuild it.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
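The line-by-line check Nico describes (matching line counts, no blank lines, the right number of ':'-separated fields, no duplicate names, every passwd name present in shadow and vice versa) can be scripted so it is repeatable and can be run against copies of the files taken from a suspect box. The script below is an added example written for this thread, not something posted by either participant or shipped with CentOS. It assumes the standard layouts of 7 fields for /etc/passwd and 9 for /etc/shadow; pass 4 and 4 to run the same checks on /etc/group against /etc/gshadow. The exit status is the number of problems found, so 0 means the pair is consistent.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check an /etc/passwd-style file
# against its /etc/shadow-style counterpart. Run it on copies of the files
# (the originals are never modified or even written to).
# Usage: check_auth_files PASSWD_FILE SHADOW_FILE [PASSWD_FIELDS] [SHADOW_FIELDS]
# Field-count defaults are for passwd (7) and shadow (9); use 4 4 for group/gshadow.

# Report blank lines, lines with the wrong number of ':'-separated fields,
# and lines whose name field is empty.
check_fields() {   # check_fields FILE EXPECTED_FIELDS
    awk -F: -v want="$2" '
        NF == 0    { printf "%s:%d: blank line\n", FILENAME, NR; next }
        NF != want { printf "%s:%d: %d fields, expected %d\n", FILENAME, NR, NF, want; next }
        $1 == ""   { printf "%s:%d: empty name field\n", FILENAME, NR }
    ' "$1"
}

# Number of lines in a (possibly empty) string captured with $(...).
count_lines() {
    if [ -n "$1" ]; then printf '%s\n' "$1" | wc -l | tr -d ' '; else echo 0; fi
}

check_auth_files() {
    pw=$1; sh=$2; pwf=${3:-7}; shf=${4:-9}
    problems=0

    # 1. Line counts should match: exactly one shadow line per account.
    npw=$(wc -l < "$pw" | tr -d ' '); nsh=$(wc -l < "$sh" | tr -d ' ')
    if [ "$npw" -ne "$nsh" ]; then
        echo "line count differs: $pw has $npw lines, $sh has $nsh"
        problems=$((problems + 1))
    fi

    # 2. Blank lines, malformed lines and empty names in either file.
    out=$(check_fields "$pw" "$pwf"; check_fields "$sh" "$shf")
    if [ -n "$out" ]; then echo "$out"; fi
    problems=$((problems + $(count_lines "$out")))

    # 3. Duplicate names within a file, and names present in only one file.
    #    Blank-name lines were already reported above, so they are skipped here.
    out=$(awk -F: -v pw="$pw" -v sh="$sh" '
        $1 == ""       { next }
        FILENAME == pw { if (inpw[$1]++) print "duplicate name in " pw ": " $1; next }
        {
            if (insh[$1]++)          print "duplicate name in " sh ": " $1
            else if (!($1 in inpw))  print "only in " sh ": " $1
        }
        END { for (n in inpw) if (!(n in insh)) print "only in " pw ": " n }
    ' "$pw" "$sh")
    if [ -n "$out" ]; then echo "$out"; fi
    problems=$((problems + $(count_lines "$out")))

    if [ "$problems" -eq 0 ]; then
        echo "OK: $pw and $sh are consistent"
    else
        echo "$problems problem(s) found between $pw and $sh"
    fi
    return "$problems"
}

case $# in
    0) ;;   # no arguments: only define the functions (e.g. when sourced)
    2|3|4) check_auth_files "$@" ;;
    *) echo "usage: $0 PASSWD_FILE SHADOW_FILE [PASSWD_FIELDS SHADOW_FIELDS]" >&2; exit 64 ;;
esac
```

A clean pair prints one OK line and exits 0; every finding is printed with the file name and line number so it can be compared against a known-good copy or the package-manager's backup of the file. Running it as part of a scheduled integrity check, or against files pulled from an image of the machine, turns the manual eyeballing described above into a test with a pass/fail result.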