On Thu, Feb 5, 2015 at 4:39 PM, Valeri Galtsev
<galtsev@xxxxxxxxxxxxxxxxx> wrote:
>
>>
>> Yes, /etc/shadow would have always been readable only by root by
>> default. The interesting question here is whether an intruder did
>> it, clumsily leaving evidence behind, or whether it is just a local
>> change from following some bad advice about things that need to be
>> changed - or running some script to make those changes. The latter
>> seems more likely to me.
>>
>
> Be it me, I would consider box compromised. All done on/from that box
> since probable day it happened compromised as well. If there is no way to
> establish the day, then since that system originally build. With full
> blown sweeping up the consequences. Finding really-really-really
> convincing proof it is not a result of compromise (and yes, fight one's
> wishful thinking!).
You aren't being paranoid enough. If it happened as a result of
following some instructions or running a script, it's not just the box
that is compromised, it is everything you think you know. On the
other hand it could have just been an accidental typo.
--
Les Mikesell
lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
