<p>Step 1 boot from a known clean CD and use the tools on it to clean up the mess. At this point nothing on the compromised system is reliable.<br>
Step 2 back off the data and configuration files.<br>
Step 3 reinstall the OS. Do all security updates<br>
Step 4 manually inspect ALL config files before reloading them</p>
<p>Step 5 verify all data files are NOT executable and especially NOT SUID ROOT. Restore data files</p>
<p>Step 6 flog the sysadmin</p>
<p><blockquote type="cite">On Jan 5, 2010 5:51 PM, "Atlanta Geek" <<a href="mailto:atlantageek@gmail.com">atlantageek@gmail.com</a>> wrote:<br><br>A machine that I was not in charge of seems to have been broken into<br>
over the weekend.<br>
I am trying to help the sysadmin. However there seems to be some<br>
weird things going on when I try to lock the system down.<br>
<br>
1. found that /var/log/secure was a directory and not a file.<br>
2. when as root I type passwd I found that passwd command was missing.<br>
3. copied passwd from another server. When trying to set password we<br>
get the following:<br>
<br>
[root@localhost etc]# passwd<br>
Changing password for user root.<br>
New UNIX password:<br>
Retype new UNIX password:<br>
passwd: Authentication token manipulation error<br>
<br>
<br>
Here are some details about shadow and passwd files<br>
<br>
[root@localhost etc]# lsattr /etc/passwd<br>
----i-------- /etc/passwd<br>
[root@localhost etc]# ls -altr passwd<br>
-rw-r--r-- 1 root root 1616 Feb 28 2009 passwd<br>
[root@localhost etc]# ls -altr shadow<br>
-r-------- 1 root root 954 Oct 1 08:42 shadow<br>
[root@localhost etc]# lsattr passwd<br>
----i-------- passwd<br>
[root@localhost etc]# lsattr shadow<br>
----i-------- shadow<br>
<br>
<br>
<br>
Any assistance would be appreciated.<br>
<font color="#888888"><br>
--<br>
<a href="http://www.atlantageek.com" target="_blank">http://www.atlantageek.com</a><br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</font></blockquote></p>