Maybe run chkrootkit (available from sourceforge.net) and check all root files, if somebody rooted your box. If all is okay, then probably you yourself rooted your box. ;o)

Being paranoid is always the best security.

Cheers.

On Fri, 2002-05-24 at 23:01, David Correa wrote:
>
> On Thu, May 23, 2002 at 09:54:06AM +0800, aeab wrote:
> > usual wednesday morning here...logon to the linux server.. su -
> > got prompt bash-2.05#
>
> aeab,
>
> If you did not login as root and then you did su - and got a shell
>
> 1. type id to see your user and group id
>    uid=0(root) gid=0(root) << if you see this then you are root
> 2. Was there a passwd for root before? Check your /var/log/messages
>    to see if there was a passwd change, then you can use last to see
>    who was logged at that time.
> 3. if you have PAM, check the login and system-auth modules. if
>    you see lines like:
>    auth sufficient /lib/security/pam_unix.so likeauth nullok
>    password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
>    then you might want to remove the argument "nullok" since it allows the
>    use of "blank" passwds.
> 4. Check your computer for any signs of unauthorized access.
>
> Are you still able to repeat that same thing (log as a user and do su and
> get a root shell)? Or did it just happen once?
>
> Regards,
>
> David Correa
> Network Engineer http://www.linux-tech.com
> Key fingerprint 7F2C E072 479D 71B4 008B 373E A284 8CDE 7659 F5D8
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
> ------------------------------------------------------------------------
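
Added example (not part of the original thread): a shell audit for step 3 of the quoted reply, listing active pam_unix.so lines that carry nullok and accounts whose shadow password field is empty. The function names and sample files are constructed for illustration; the default paths /etc/pam.d and /etc/shadow are assumptions about the system layout.

```shell
#!/bin/sh
# Added example: audit the blank-password conditions from step 3 of the quoted reply.
# Paths are arguments so the checks can run on copies; defaults are assumed locations.

# List active (non-comment) pam_unix.so lines that carry the nullok argument.
find_nullok() {
    for f in "${1:-/etc/pam.d}"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }
            /pam_unix\.so/ {
                for (i = 1; i <= NF; i++)
                    if ($i == "nullok") { printf "%s:%d: %s\n", file, NR, $0; break }
            }' "$f"
    done
}

# List accounts whose shadow password field is empty (the accounts nullok lets in).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/shadow}"
}

# Exit status 0 only when both conditions hold, i.e. a blank-password login can succeed.
blank_login_possible() {
    [ -n "$(find_nullok "$1")" ] && [ -n "$(empty_password_accounts "$2")" ]
}

# Constructed sample files, so the example runs offline without touching the live system.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/pam.d" || return 1
    cat > "$d/pam.d/system-auth" <<'EOF'
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
# auth      sufficient    /lib/security/pam_unix.so nullok
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
session     required      /lib/security/pam_unix.so
EOF
    cat > "$d/shadow" <<'EOF'
root::11830:0:99999:7:::
alice:$1$constructed$notarealhashvalue000000:11830:0:99999:7:::
daemon:*:11830:0:99999:7:::
EOF
    echo "$d"
}

sample=$(make_sample)
find_nullok "$sample/pam.d"
empty_password_accounts "$sample/shadow"
blank_login_possible "$sample/pam.d" "$sample/shadow" && echo "blank-password login possible"
rm -rf "$sample"
```

On a live system, run the two listing functions as root with no arguments; reading /etc/shadow requires root.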