
Root Kit Hunter


I had a strange problem with one of my own RedHat machines the other day. Very simply, I couldn't su to root, and I couldn't even log in at the console as root. I hadn't forgotten the password, but the system just wouldn't let me in. As it happened, I didn't have time to deal with the problem right that moment (obviously I didn't urgently need root access right then), so I didn't get back to this till the next day. To my surprise, I was now able to log in or su as I wished.

My immediate thought was "rooted!". But after a moment's reflection I wondered "how?" I'm behind a firewall. I don't allow inbound traffic to ssh, telnet or anything else. I watch the blinking lights on the LAN when machines are supposed to be quiet, and I disconnect the cable modem when I'm done for the day. I really doubted that this machine had been rooted... but what the heck, might as well check.

pam_tally in addition to other things. I had mistyped my password twice and locked myself out. I reset that every hour during working hours, so it had cleared itself quickly, which is why I could log in the next day.

Still, it was a good thing. I had been lax and had not checked any of my systems for rootkits in quite a while. That's probably not a good idea. For example, RKHunter showed me that I had "PermitRootLogin yes" in one of my boxes' sshd_config. That had been intended as a momentary convenience, but I had forgotten to take it out. sshd wasn't actually running on that box, so it really didn't matter, but I could have easily turned it on without checking the configuration. RKHunter looks for things like that and more.

A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com
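As an added example (not rkhunter's own code, and not from the original post), here is a small POSIX shell check of the kind rkhunter performs for the PermitRootLogin setting described above; the two sshd_config files it inspects are constructed samples, not the author's real files.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: report whether an sshd_config still
# enables root login over ssh. sshd honours the FIRST uncommented occurrence of a
# keyword, keywords and values are case-insensitive, "Key=value" is accepted, and
# anything after a "Match" line is conditional, so the parser mirrors those rules.

# permit_root_login_value FILE -> prints the effective value, or "default" if unset
permit_root_login_value() {
    awk '
        /^[[:space:]]*(#|$)/ { next }              # comment or blank line
        { gsub(/=/, " ") }                         # normalise Key=value form
        tolower($1) == "match" { exit }            # rest of file is conditional
        tolower($1) == "permitrootlogin" && !found { print tolower($2); found = 1 }
        END { if (!found) print "default" }
    ' "$1"
}

# check_permit_root_login FILE -> returns 0 if safe, 1 if root ssh login is enabled
check_permit_root_login() {
    val=$(permit_root_login_value "$1")
    case "$val" in
        no|prohibit-password|without-password|forced-commands-only)
            echo "OK: PermitRootLogin is '$val' in $1"; return 0 ;;
        yes)
            echo "Warning: PermitRootLogin yes in $1"; return 1 ;;
        default)
            # unset means the compiled-in default, which is "yes" on older OpenSSH
            echo "Warning: PermitRootLogin not set in $1, treating as unsafe"; return 1 ;;
        *)
            echo "Warning: unrecognised PermitRootLogin value '$val' in $1"; return 1 ;;
    esac
}

# Constructed sample configs (not the author's real files)
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.unsafe" <<'EOF'
# temporary convenience that never got removed
PermitRootLogin yes
Protocol 2
EOF
cat > "$tmp/sshd_config.safe" <<'EOF'
Protocol 2
#PermitRootLogin yes
permitrootlogin = no
PermitRootLogin yes
EOF
for f in "$tmp"/sshd_config.*; do
    check_permit_root_login "$f" || :
done
```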
