A strangely compromised Linux box

"When I arrived on site, I found that I could not login as he had said. I rebooted to single use mode and started peeking around. The machine had been hacked; there was little doubt about that. It's HOW it was hacked that bothers me,

"First, there was no attempt to hide any evidence. I could see in wtmp and the secure logs that someone had logged in from a German ISP address, attained su status, and created a new su user for himself. He then changed root's password.

"Fine so far, right? But then he did something very strange. He hand edited /etc/passwd and added "/nologin" at the end of each line except root and his own. This was what was preventing people from logging in.

Why do that?"

Complete Story

Related Stories:

• GNU/Linux Security: Linux House vs Microsoft House(Oct 28, 2009)
• Linux and Security: Mission Impossible?(Oct 26, 2009)
• Where Are the Cybercops?(Oct 05, 2009)
• Attack on WPA refined(Aug 28, 2009)
• If Everything Was Made by Microsoft(Apr 29, 2009)
• Fedora: Chronicle of a Server Break-in(Apr 03, 2009)