Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
What is the version and name of Unix you are using?
A change to the /etc/passwd file is not possible unless done by root.
But there is a very good chance that the checksum changes if
1. any user is added to the system (this need not be one the sys-admin knows about; some applications like imap, ssh, mail etc. create their own login for privilege separation)
2. any user's primary group changes
3. anyone's GECOS field has changed
4. anyone's shell has changed
Thanks for the reply - I understand that something has changed. My question: is there any way to find out what changed? What new user has been added, or what user group has been modified, etc.?
ANY user can change the passwd file with chsh (and probably a list of other tools). Also, if you install some software it will generate password entries (MySQL and Apache come to mind, but there are MANY more). There isn't a way to know what changed by just looking at the password file (unless you have backup copies from before the change to compare), but if you see something weird (a non-root user at the top of the list, a non-root user with UID 0, users you don't know, etc.) then there is a problem. The log entry is your IDS telling you that something changed. If you changed something, double check the password file and create a new checksum for that file. If you didn't change anything, it doesn't mean someone broke in, it just means you need to check the file for anomalies. Think of it like your car alarm going off. Just because it goes off doesn't mean someone is trying to steal it, but it does mean you should check things out and reset the alarm when you are satisfied everything is ok.
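One way to answer the question of what actually changed, given the backup copy the reply above mentions, plus a baseline-free check for the anomalies it lists (a UID 0 account that is not root, empty password field). This is an added example, not code from the thread; both passwd snapshots are constructed sample data.

```python
# Constructed baseline snapshot (the file as it was when the checksum was taken).
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
# Constructed current snapshot: a package added mysql, alice changed shell,
# and an account with UID 0 that is not root appeared.
CURRENT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
mysql:x:112:118:MySQL Server,,,:/nonexistent:/bin/false
toor:x:0:0::/root:/bin/bash
"""
FIELDS = ("passwd", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Map user name -> dict of the six fields that follow it."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *rest = line.split(":")
        if len(rest) != 6:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[name] = dict(zip(FIELDS, rest))
    return entries

def diff_passwd(baseline_text, current_text):
    """Return (added, removed, changed); changed maps user -> {field: (old, new)}."""
    old, new = parse_passwd(baseline_text), parse_passwd(current_text)
    changed = {}
    for user in old.keys() & new.keys():
        delta = {f: (old[user][f], new[user][f]) for f in FIELDS if old[user][f] != new[user][f]}
        if delta:
            changed[user] = delta
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys()), changed

def find_anomalies(current_text):
    """Flag entries worth a look even without a baseline."""
    findings = []
    for name, e in parse_passwd(current_text).items():
        if e["uid"] == "0" and name != "root":
            findings.append(f"{name}: UID 0 but not root")
        if e["passwd"] == "":
            findings.append(f"{name}: empty password field")
    return findings
```

On a real system, read the baseline from the backup copy and the current text from /etc/passwd; package-created accounts like mysql will show up under "added" and can be confirmed against the package's install logs.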