On 16 Feb 2011 12:34, "Nico Kadel-Garcia" <nkadel at gmail.com> wrote: > > Uh-oh. Has your developer, or you, been editing the /etc/passwd, > /etc/shadow, /etc/group, or /etc/gshadow files manually? Nope. > And do you > use NIS or LDAP for authentication? Nope. > And this is a publicly exposed > webserver, right? How fast can you rebuild it if it's been rootkitted? How long is a peice of string? As quick as I can reupload the data, but thats another issue for another day. > Check the /etc/shadow and /etc/group for consistent numbers of > entries, and /etc/group and /etc/gshadow. Do you mean duplicate entries? If so there are none of those. > Do you have other users who > can still log in or not? There is only the root and web dev user on this box. Thanks for your input Nico :) --James. (This email was sent from a mobile device) -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20110216/64172e9e/attachment-0005.html>