[clug] RE: linux Digest, Vol 24, Issue 11

John Fletcher fletchweb at internode.net.au
Fri Dec 10 14:15:28 GMT 2004

Hey guys,
This morning I got woken up by a call from web developers that couldn't
access our SUSE 9.2 box.  I tried to log in and couldn't.  Thankfully we are
running Webmin and I was able to log in and determine that the /etc/passwd
file had been reduced to the following
or something similar; and I was able to restore the original and everything
was fine again.

Now obviously only root can do this.  What I'm wondering is whether there is
some kind of 'rogue process' explanation of such weird behaviour or has my
box been hacked by someone who thinks he's really funny?  If so is there
anything I can do now that might give me an idea of whether a malicious user
was present?  I mean I looked into the history list and also the syslog from
which I determined that it happened between 11pm and midnight (while I was
working on the box... hmmm...).  I don't know what to think...

