Compromised Machine


 



Hello all ... I need a bit of advice here.

It would appear that one of our machines was compromised last night via ssh. It turns out that one of our accounts called 'operator' didn't have a password on it (Hey, it's not 'my' machine) and someone came in via ssh. This was made obvious when we discovered the root password had been changed and the 'last' showed two logins from overseas. The machine was shut down immediately and they called me.

My questions are:

1) As an unprivileged user, how can someone change the root password? Our operator account is the lowest privileged account on the system; they can't shut down, su, or do anything. But the root password is changed.

2) While bringing the machine back up, it hung while starting the network on device eth0 with the error "Error loading module ppp.o". We don't use ppp or anything even close. This machine is on a LAN and it's even very rarely logged into. Is it feasible to think that some sort of malicious software was installed or run on the system, and if so, how can I tell?

3) Short of reinstalling the system, how can I tell what was done and go about fixing it? I know a reinstall would of course do it, and in the case of this machine we've only changed one line of one file; otherwise it's a stock install.

Any help is great!  Thanks!

-brian

Brian D. McGrew { brian@xxxxxxxxxxxxxxxxxxx || pacemakertaker@xxxxxxxxx }
--
> YOU! Off my planet!
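Questions 1 and 3 above come down to finding accounts that can be logged into without a password and spotting what else changed in the account database. The following is an added example, not code from the poster or from the list: a small POSIX shell audit that reads shadow- and passwd-format files and flags empty password fields (the 'operator' situation) and extra UID 0 accounts. It goes slightly beyond the post by including the UID 0 check; the file paths and sample entries are constructed.

```shell
#!/bin/sh
# Added audit helper, not from the original post. Reads a shadow-format and a
# passwd-format file (paths given as arguments; sample data constructed below).

# Login names whose shadow password field is empty: the 'operator' situation.
# Shadow fields: name:password:lastchg:min:max:warn:inactive:expire:flag
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts other than root that carry UID 0: a common trace of tampering.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with an empty password AND an interactive shell, i.e. ones that can
# actually be used for a login (nologin/false shells are excluded).
empty_password_with_shell() {
    for u in $(empty_password_accounts "$1"); do
        awk -F: -v u="$u" '$1 == u && $7 !~ /(nologin|false)$/ { print $1 }' "$2"
    done
}

# Constructed sample files (not from a real system). On a live host you would
# pass /etc/shadow and /etc/passwd instead (reading /etc/shadow needs root).
SAMPLE_SHADOW=$(mktemp)
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$abc$hashedhash:12000:0:99999:7:::
operator::12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
backup::12000:0:99999:7:::
EOF
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:x:0:0:backup:/root:/bin/bash
EOF

echo "accounts with empty password:";  empty_password_accounts "$SAMPLE_SHADOW"
echo "extra UID 0 accounts:";          extra_uid0_accounts "$SAMPLE_PASSWD"
echo "loginable with empty password:"; empty_password_with_shell "$SAMPLE_SHADOW" "$SAMPLE_PASSWD"
```

On the sample data the audit reports operator and backup as loginable with no password and backup as a second UID 0 account; on a real host, pair this with sshd's PermitEmptyPasswords setting, which should be "no".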



-- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
