On Thu, Feb 5, 2015 at 4:39 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
>>
>> Yes, /etc/shadow would have always been readable only by root by
>> default. The interesting question here is whether an intruder did
>> it, clumsily leaving evidence behind, or whether it is just a local
>> change from following some bad advice about things that need to be
>> changed - or running some script to make those changes. The latter
>> seems more likely to me.
>>
>
> Be it me, I would consider box compromised. All done on/from that box
> since probable day it happened compromised as well. If there is no way to
> establish the day, then since that system originally built. With full
> blown sweeping up the consequences. Finding really-really-really
> convincing proof it is not a result of compromise (and yes, fight one's
> wishful thinking!).

You aren't being paranoid enough. If it happened as a result of
following some instructions or running a script, it's not just the box
that is compromised, it is everything you think you know. On the
other hand it could have just been an accidental typo.

--
Les Mikesell
lesmikesell at gmail.com