On 16 Feb 2011 12:34, "Nico Kadel-Garcia" nkadel@gmail.com wrote:
Uh-oh. Has your developer, or you, been editing the /etc/passwd, /etc/shadow, /etc/group, or /etc/gshadow files manually?
Nope.
And do you use NIS or LDAP for authentication?
Nope.
And this is a publicly exposed webserver, right? How fast can you rebuild it if it's been rootkitted?
How long is a piece of string? As quick as I can reupload the data, but that's another issue for another day.
Check the /etc/shadow and /etc/group for consistent numbers of entries, and /etc/group and /etc/gshadow.
Do you mean duplicate entries? If so there are none of those.
Do you have other users who can still log in or not?
There is only the root and web dev user on this box.
Thanks for your input Nico :)
--James. (This email was sent from a mobile device)
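
Added example, not part of the original email thread: a sketch of the entry-consistency check discussed above, reporting duplicate names and names present in one account file but missing from its paired file. Pairing passwd with shadow and group with gshadow is this example's assumption; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: consistency check between paired account databases.
# Function names and sample data are constructed, not taken from the thread.
LC_ALL=C; export LC_ALL   # stable ordering for sort/comm

# names FILE: first colon-separated field of every non-empty line.
names() { awk -F: 'NF && $1 != "" { print $1 }' "$1"; }

# duplicates FILE: names that occur more than once in FILE.
duplicates() { names "$1" | sort | uniq -d; }

# only_in A B: names present in A but absent from B.
only_in() {
    a=$(mktemp); b=$(mktemp)
    names "$1" | sort -u > "$a"
    names "$2" | sort -u > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# check_pair A B: print every mismatch; return 0 if consistent, 1 otherwise.
check_pair() {
    rc=0
    for n in $(duplicates "$1"); do echo "duplicate in $1: $n"; rc=1; done
    for n in $(duplicates "$2"); do echo "duplicate in $2: $n"; rc=1; done
    for n in $(only_in "$1" "$2"); do echo "in $1 but not in $2: $n"; rc=1; done
    for n in $(only_in "$2" "$1"); do echo "in $2 but not in $1: $n"; rc=1; done
    return $rc
}

# make_sample DIR: write constructed sample files. "ghost" has no shadow
# entry and "webdev" appears twice in shadow; group and gshadow agree.
make_sample() {
    printf 'root:x:0:0:root:/root:/bin/bash\nwebdev:x:1000:1000::/home/webdev:/bin/bash\nghost:x:1001:1001::/home/ghost:/bin/sh\n' > "$1/passwd"
    printf 'root:!:15000:0:99999:7:::\nwebdev:!:15000:0:99999:7:::\nwebdev:!:15000:0:99999:7:::\n' > "$1/shadow"
    printf 'root:x:0:\nwebdev:x:1000:\n' > "$1/group"
    printf 'root:*::\nwebdev:!::\n' > "$1/gshadow"
}

# Demo on the constructed data; on a real host the arguments would be
# /etc/passwd /etc/shadow and /etc/group /etc/gshadow, read as root.
d=$(mktemp -d); make_sample "$d"
check_pair "$d/passwd" "$d/shadow" || echo "passwd/shadow: inconsistent"
check_pair "$d/group" "$d/gshadow" && echo "group/gshadow: consistent"
rm -rf "$d"
```

On systems with the shadow utilities installed, `pwck -r` and `grpck -r` run comparable checks in read-only mode.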