A strangely compromised Linux box
Nov 06, 2009, 12:43
"When I arrived on site, I found that I could not log in as he
had said. I rebooted to single user mode and started peeking around.
The machine had been hacked; there was little doubt about that.
It's HOW it was hacked that bothers me.
"First, there was no attempt to hide any evidence. I could see
in wtmp and the secure logs that someone had logged in from a
German ISP address, attained su status, and created a new su user
for himself. He then changed root's password.
"Fine so far, right? But then he did something very strange. He
hand-edited /etc/passwd and added "/nologin" at the end of each
line except root and his own. This was what was preventing people
from logging in.
Why do that?"
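The two artefacts the admin found (an extra superuser account and login shells with "/nologin" tacked onto the end) are easy to check for mechanically. The script below is an added example, not part of the original post; the passwd contents, user names and shell list are constructed stand-ins for /etc/passwd and /etc/shells.

```python
"""Audit an /etc/passwd-style file for the tampering described above:
extra UID-0 accounts and login shells with "/nologin" appended."""
from typing import List

NOLOGIN_SUFFIX = "/nologin"

# Constructed sample, not taken from the post; user names are hypothetical.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash/nologin
bob:x:1001:1001:Bob:/home/bob:/bin/sh/nologin
toor:x:0:0:intruder:/root:/bin/bash
"""
# Constructed stand-in for the host's /etc/shells.
SAMPLE_SHELLS = {"/bin/sh", "/bin/bash", "/usr/sbin/nologin"}


def audit_passwd(text: str, valid_shells, expected_uid0=("root",)) -> List[str]:
    """Return one human-readable finding per suspicious passwd entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:  # passwd(5) entries have exactly seven fields
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, _, uid, _, _, _, shell = fields
        # Any UID-0 account other than the expected one(s) is a second root.
        if uid == "0" and name not in expected_uid0:
            findings.append(f"{name}: unexpected UID 0 account")
        if shell in valid_shells:
            continue
        # Distinguish "/bin/bash/nologin" (a valid shell with the suffix
        # appended, as in the incident) from any other unknown shell.
        base = shell[: -len(NOLOGIN_SUFFIX)]
        if shell.endswith(NOLOGIN_SUFFIX) and base in valid_shells:
            findings.append(f"{name}: '{NOLOGIN_SUFFIX}' appended to shell {base}")
        else:
            findings.append(f"{name}: shell {shell} is not listed in /etc/shells")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print(finding)
```

On a real host, feed it the contents of /etc/passwd and the set of lines from /etc/shells; a clean file produces an empty list.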