On Thu, Feb 5, 2015 at 4:39 PM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
Yes, /etc/shadow would have always been readable only by root by default. The interesting question here is whether an intruder did it, clumsily leaving evidence behind, or whether it is just a local change from following some bad advice about things that need to be changed - or running some script to make those changes. The latter seems more likely to me.
Be it me, I would consider box compromised. All done on/from that box since probable day it happened compromised as well. If there is no way to establish the day, then since that system originally build. With full blown sweeping up the consequences. Finding really-really-really convincing proof it is not a result of compromise (and yes, fight one's wishful thinking!).
You aren't being paranoid enough. If it happened as a result of following some instructions or running a script, it's not just the box that is compromised, it is everything you think you know. On the other hand it could have just been an accidental typo.