Something simple you may want to look for is files owned by root with the setuid bit (what many people loosely call the "su" bit) set:
Code:
su -
<root password>
find / -type f -user root -perm -4000
(find has no -owner predicate; the test for file ownership is -user.) There are a bunch of those that should be owned by root with the setuid bit set (/usr/bin/passwd is one of them, since it has to update /etc/shadow on behalf of an ordinary user); however, there should be no user files with root ownership and the setuid bit set. What the setuid bit does is make a program run with the privileges of the file's owner rather than those of the user who launched it, so a root-owned setuid file lets anyone who can execute it act as root (a setuid file owned by some other account runs as that account).
You might want to use the above command with a redirection into a file for review; e.g.,
Code:
find / -type f -user root -perm -4000 > /tmp/subits.txt
or something similar to that. The list should look like this (yours may vary, depending upon what you have installed):
Code:
find / -type f -user root -perm -4000
/bin/fusermount
/bin/umount
/bin/su
/bin/ping6
/bin/ping
/bin/ntfs-3g
/bin/mount
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/kppp
/usr/bin/chsh
/usr/bin/traceroute6
/usr/bin/fdmount
/usr/bin/Xorg
/usr/bin/rsh
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/rcp
/usr/bin/pkexec
/usr/bin/expiry
/usr/bin/chfn
/usr/bin/chage
/usr/bin/sudo
/usr/bin/rlogin
/usr/bin/newgrp
/usr/bin/cgexec
/usr/lib64/kde4/libexec/start_kdeinit
/usr/lib64/kde4/libexec/kcheckpass
/usr/lib64/kde4/libexec/fileshareset
/usr/libexec/pt_chown
/usr/libexec/ssh-keysign
/usr/libexec/polkit-agent-helper-1
/usr/libexec/dbus-daemon-launch-helper
Note that they are all in system directories (that doesn't mean that someone has not compromised a system directory, though). If you find one or more files in the /home, /usr/local, /tmp, /var/tmp or /opt trees, those are the ones you really want to look at.
Each file in the above list will show up in ls -l like this (the trailing * is just ls marking the file as executable, from -F or --classify):
Code:
ls -l /usr/bin/rcp
-rws--x--x 1 root root 17976 Sep 23 2008 /usr/bin/rcp*
That "s" in the pattern rws is the giveaway that the setuid bit is enabled: it sits where the owner's "x" would normally be (a capital "S" there would mean the setuid bit is set on a file that is not even executable, which is odd in itself). There should be none of those anywhere in "user land." For that matter, there should not be any executable files owned by an administrative user account in "user land." If you find any, start asking questions and get ready to clamp down hard on them.
If you find one (or two) in "user land," it would probably be a Real Good Idea to move them to a protected directory where you can analyze them and identify who is using them for what, and then get them off your system altogether (mv keeps the mode bits, so take the setuid bit off the copy you keep with chmod u-s before anyone can run it again). You do not want to mess with system files (such as those above), but you do want to eliminate any setuid files you may find outside of those. You may wind up needing to compare distribution files against your installed system files in case one or more of them have been compromised; on RPM-based systems rpm -Va checks the mode, owner, size and checksum of every installed file against the package database, and on Debian-derived systems debsums does the checksum comparison. Looking at the file date stamps may also be useful, bearing in mind that an attacker can reset them with touch, so a matching date proves little while an odd one is worth a closer look:
Code:
find / -type f -user root -perm -4000 -exec ls -l {} \;
will show you that.
Hope this helps some.
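As an added example (not part of the original post), here is a small POSIX shell script that wraps the checks above into something you can run regularly: it lists setuid and setgid files (the post only uses -perm -4000; -perm -2000 catches setgid, which is the same idea for a group), reports the ones outside the directories where a distribution normally ships them, and diffs the current list against a baseline you saved when the box was known-good. The EXPECTED_DIRS list and the scratch tree that demo builds are assumptions; the scan deliberately does not filter by owner, both because a setuid file owned by any account is worth seeing and so that it can be tried on a scratch tree without root.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid/setgid files,
# flag the ones outside the usual system directories, and diff the current
# set against a saved baseline so newly appeared ones stand out.
# EXPECTED_DIRS is an assumption; adjust it to what your distribution ships.

EXPECTED_DIRS="bin sbin usr/bin usr/sbin usr/lib usr/lib64 usr/libexec"

# Strip a trailing slash so paths can be made relative cleanly ("/" stays "/").
norm_root() {
    case "$1" in
        /) printf '/\n' ;;
        */) printf '%s\n' "${1%/}" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# All regular files under ROOT (default /) with the setuid or setgid bit,
# one absolute path per line, sorted. -xdev keeps find on one filesystem so
# /proc, /sys and network mounts are skipped; run it once per real mount.
list_suid_sgid() {
    root=$(norm_root "${1:-/}")
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Setuid/setgid files under ROOT whose path does not start with one of the
# EXPECTED_DIRS: anything in /home, /tmp, /usr/local, /var and so on.
unexpected_suid() {
    root=$(norm_root "${1:-/}")
    list_suid_sgid "$root" | while IFS= read -r f; do
        rel=${f#"$root"}; rel=${rel#/}        # path relative to ROOT
        ok=0
        for d in $EXPECTED_DIRS; do
            case "$rel" in "$d"/*) ok=1 ;; esac
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$f"; fi
    done
}

# Setuid/setgid files present now but absent from BASELINE (a file saved
# earlier from list_suid_sgid). Run it from cron and alert on any output.
new_since_baseline() {
    baseline=$1; root=${2:-/}
    list_suid_sgid "$root" | comm -13 "$baseline" -
}

# Demonstration on a constructed scratch tree (no root needed: you may set
# the setuid bit on files you own). A real run would be: unexpected_suid /
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/home/bob/.cache"
    printf '#!/bin/sh\n' > "$tmp/usr/bin/passwd"        # expected location
    printf '#!/bin/sh\n' > "$tmp/home/bob/.cache/.x"    # hidden, in user land
    chmod 4755 "$tmp/usr/bin/passwd" "$tmp/home/bob/.cache/.x"
    list_suid_sgid "$tmp" > "$tmp/baseline.txt"
    printf '#!/bin/sh\n' > "$tmp/home/bob/later"
    chmod 2755 "$tmp/home/bob/later"                    # setgid, after baseline
    echo "unexpected:";         unexpected_suid "$tmp"
    echo "new since baseline:"; new_since_baseline "$tmp/baseline.txt" "$tmp"
    rm -rf "$tmp"
}

# Run the demonstration with: sh thisscript.sh demo
case "${1:-}" in demo) demo ;; esac
```

Save the output of list_suid_sgid / right after installation (and again after each package update) as your baseline; anything new_since_baseline prints later is something you should be able to explain from a package change, and if you can't, treat it the way the post describes. If /usr or /home are separate mounts, run the scan once per mount, since -xdev stays on one filesystem.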