[CentOS] Shadow passwords NOT md5'ed ?

Sun Apr 5 19:08:25 UTC 2009
Michael A. Peters <mpeters at mac.com>

Bill Campbell wrote:
> On Sun, Apr 05, 2009, Ralph Angenendt wrote:
>> Michael A. Peters wrote:
>>> Ralph Angenendt wrote:
>>>> Frédérique Da Luene wrote:
>>>>> Useradd newuser : ok
>>>>> passwd newuser : ok
>>>>>
>>>>> The password is not MD5, only 3DES.
>>>> Again: Have you looked if passwd on your machine is the one from CentOS?
>>>>
>>> I would suggest copying the binary to a known clean machine to check
>>> the md5sum to verify. If you might have been hacked, you can't check
>>> the md5 on that box.
>> Yupp. The last times I had to handle/help in such situations, the binaries
>> were clearly way off for the machines - often a comparing ls -l is enough, but
>> not all the time.
> 
> This will tell if the program is different and works on any RPM
> based system regardless of their package contents.
> 
> rpm -V `rpm -qf /bin/login`

This assumes that rpm and the library it uses have not been compromised.
I personally suspect the machine has been compromised.
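
An added example, not part of the original thread: a shell filter that triages output from an `rpm -V` run such as the one quoted above, reporting non-config files whose digest changed, files that are missing, and files rpm could not check. The function names and the sample lines are constructed for illustration, and the result is only as trustworthy as the rpm binary, libraries and database that produced the input.

```shell
#!/bin/sh
# Triage `rpm -V` output (added example; function names are hypothetical).
# Each line is: result string (SM5DLUGT[P], "." = unchanged, "?" = test not
# performed) or the word "missing", an optional file-type marker
# (c d g l r), then the path. Column 3 is "5" when the file digest differs.

triage_rpm_verify() {
    awk '
    {
        flags = $1
        rest = $0
        sub(/^[^ ]+ +/, "", rest)            # drop the result string
        marker = ""
        if (rest ~ /^[cdglr] +\//) {          # optional file-type marker
            marker = substr(rest, 1, 1)
            sub(/^[cdglr] +/, "", rest)
        }
        digest = substr(flags, 3, 1)
        if (flags == "missing")      print "MISSING " rest
        else if (marker == "c")      next      # config files are expected to change
        else if (digest == "5")      print "DIGEST " rest
        else if (digest == "?")      print "UNVERIFIED " rest
    }'
}

# Constructed sample of `rpm -V` output, not taken from any real host.
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.    /usr/bin/passwd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /bin/login
missing      /usr/bin/chfn
..?......    /usr/bin/sudo
EOF
}

# Real use, from an environment where rpm itself is trusted:
#   rpm -V `rpm -qf /bin/login` | triage_rpm_verify
sample_rpm_verify | triage_rpm_verify
```

A line that differs only in mtime (`T`) is not reported, since the content digest still matches the package.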