Re: Root password changed
From: Adam Bultman <adamb(at)glaven.org>
Date: Mon Jan 06 2003 - 15:38:44 EST

Sounds like someone used a vulnerability in a service you have open and got it running. I don't know if you checked using the more advanced tools, but you might want to run the more powerful IDSes and programs that will be able to check files/binaries on a deeper level than doing an `ls -la' (as rootkits will install binaries that hide processes, files, etc).

I'd also suggest you check other servers that have other services available. They may have gotten onto another system and compromised that server via another service not available to the outside (but of course, I know nothing of your internal network).

My systems run tripwire, chkrootkit, and logsentry, which give me info on what is happening on my servers. I prefer verbose logging, rather than my predecessor's 'Hear no evil, see no evil' policy of sending everything to /dev/null.

I'd start comparing file sizes between that and another similar system to see if you have been trojaned or cracked, or if you have been for some time. Either way, I'd prep another server to replace that one, as I personally will not trust a server that has been trojaned or compromised in that fashion.

--
adamb@glaven.org [ www.glaven.org ]

On Fri, 3 Jan 2003, RCS wrote:

Received on Tue Jan 7 15:17:01 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT
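The comparison against a similar system suggested in the message above, as an added example that is not part of the original post. It goes beyond file sizes to content hashes and permission bits; the names `manifest`, `compare` and `demo` are hypothetical, and it assumes both trees are read from a trusted environment (for instance the suspect disk mounted read-only on a clean host), since a rootkit can hide files from tools run on the compromised system itself.

```python
import hashlib, os, stat
import tempfile
from pathlib import Path

def manifest(root):
    """Map each regular file under root to (size, mode, sha256)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            digest = hashlib.sha256(Path(full).read_bytes()).hexdigest()
            out[os.path.relpath(full, root)] = (st.st_size, stat.S_IMODE(st.st_mode), digest)
    return out

def compare(reference, suspect):
    """Return (path, finding) pairs where the suspect tree differs."""
    findings = []
    for path in sorted(set(reference) | set(suspect)):
        ref, sus = reference.get(path), suspect.get(path)
        if ref is None:
            findings.append((path, "only on suspect host"))
        elif sus is None:
            findings.append((path, "missing on suspect host"))
        elif ref[0] != sus[0]:
            findings.append((path, "size differs"))
        elif ref[2] != sus[2]:  # a size-only check would miss this
            findings.append((path, "same size, content differs"))
        elif ref[1] != sus[1]:
            findings.append((path, "mode differs"))
    return findings

def demo():
    """Constructed sample: two small trees standing in for the two hosts."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as sus:
        samples = {  # name: (reference bytes, suspect bytes, suspect mode)
            "ls": (b"ls-v1", b"ls-v1", 0o755),
            "ps": (b"ps-v1", b"ps-XX", 0o755),
            "login": (b"login-v1", b"login-v1-patched", 0o755),
            "su": (b"su-v1", b"su-v1", 0o777),
        }
        for name, (rdata, sdata, smode) in samples.items():
            for root, data, mode in ((ref, rdata, 0o755), (sus, sdata, smode)):
                path = Path(root, name)
                path.write_bytes(data)
                path.chmod(mode)
        Path(sus, "hidden").write_bytes(b"x")
        return compare(manifest(ref), manifest(sus))
```

Calling `demo()` returns the findings for the constructed trees; on real hosts, pass the two mount points to `manifest` and feed the results to `compare`.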