Related to root login
burns
linux
Mon May 17 11:51:35 PDT 2004
On Mon, 2003-08-25 at 18:00, Swapana Ghosh wrote:
> Hi
>
> On one of our servers (Red Hat 7.1) we log in as
>
> telnet domain.com
> user : admin
> pass : -
>
> su - root
> root passwd
>
> but today I found something has been changed; I am not able
> to enter root as su - root
>
> I am entering as sudo bash
> then again giving the admin passwd ...
>
> the /etc/pam.d/su file is as follows:
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_rootok.so
> # Uncomment the following line to implicitly trust users in the "wheel" group.
> #auth sufficient /lib/security/pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the "wheel" group.
> #auth required /lib/security/pam_wheel.so use_uid
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_xauth.so
> session optional /lib/security/pam_xauth.so
> ~
This looks normal. But I would be very(!) suspicious of any system where
logins, particularly root, have mysteriously changed - especially given
the way you are telnetting in the clear.
I recommend you unplug your box from the network and go through the logs
with great care, looking for any hint of something out of place. A good
cracker will try to cover his tracks, so the indicators may be very
subtle. I don't suppose you were running Tripwire?
--
burns
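
An added example, not part of the original thread or either poster's code: a small Python check that parses an /etc/pam.d/su file, compares its active auth rules with the copy quoted above, and flags changes that alter who can become root. The CHANGED sample, the function names and the finding texts are constructed for illustration.

```python
import os

# Constructed samples: BASELINE is the /etc/pam.d/su quoted in the thread
# (wrapped lines rejoined, prose comments dropped); CHANGED is a hypothetical edit.
BASELINE = """\
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
#auth sufficient /lib/security/pam_wheel.so trust use_uid
#auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
"""
CHANGED = BASELINE.replace("#auth required", "auth required").replace(
    "session optional", "auth sufficient /lib/security/pam_permit.so\nsession optional")

def parse_pam(text):
    """Return active rules as (type, control, module, args); comments are skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            rules.append((fields[0], fields[1], os.path.basename(fields[2]), tuple(fields[3:])))
    return rules

def audit_su(text, baseline=BASELINE):
    """List auth-stack findings that change who can become root via su."""
    findings = []
    known = set(parse_pam(baseline))
    for rule in parse_pam(text):
        kind, control, module, args = rule
        if kind != "auth":
            continue
        if module == "pam_wheel.so" and "trust" in args:
            findings.append("wheel members become root without a password")
        elif module == "pam_wheel.so" and control in ("required", "requisite"):
            findings.append("su to root refused for users outside the wheel group")
        elif module == "pam_permit.so":
            findings.append("pam_permit.so in auth stack (module always returns success)")
        elif rule not in known:
            findings.append("auth rule not in baseline: " + " ".join(rule[:3]))
    return findings

if __name__ == "__main__":
    for finding in audit_su(CHANGED):
        print("REVIEW:", finding)
```

On a live system the text would come from reading /etc/pam.d/su, with the baseline taken from a known-good copy kept off the host.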