I am using SuSE 9.1 on a public web-server. Every night the password encryption is changing; I see that because all passwords in /etc/shadow are new. The only password which is working is the root password, but it also changed in /etc/shadow.
I don't think that there is a strange root login that is changing everything, because with last|less there is nothing except my logins.
I also installed Rootkit Hunter 1.1.1, and it found nothing...
Does anybody know where passwd saves the encryption routine? I think if I change it to chmod 444 it can't be changed anymore.
Or does anybody know another solution for this horrible problem?
The bad thing is that every morning I have to set all passwords again for all users on the system...