What a great resource. And fast, too. Much faster than me in fact.
But here is my summary, late though it is.
I have a wizard-wannabe on my network who fancies himself quite the
expert when it comes to circumventing obstacles such as firewalls, etc.
Recently, at his own suggestion as senior analyst of his group, his and
his group's root access was removed.
Shortly afterwards I found evidence suggesting, though not proving that
he had acquired root again. (Some unknown person had remote logged in
as root from his machine).
I changed the passwd again and the following morning saw several
unsuccessful su attempts from his machine.
Now one of his workstations is behaving oddly. Refusing all rlogin
attempts from apparently all users including root, and from all other
hosts. It responds:
login: setgid: Not owner
Most recognized the file corruption straight away, but followed the line
of thought that I started, and assumed the corruption was malicious.
The more humble responses related their own experiences with I/O
(incompetent operator) problems and hit the nail on the head. The
actual cause of the immediate problem was my own mistake in using the
find command. The irony is that the syntax was provided by my suspect. But I tested the individual parts of the command first,so that sort of
absolves him. At any rate, I intended to chown all of one user's files.
I did indeed chown those files as well as all others on the machine.
Stupid computer should have known that wasn't what I meant!
As I still have the unexplained login attempts, my suspect is still
suspect and I will be incoprorating your suggestions.
Thanks for hints and/or sympathy:
email@example.com (I agree with your <Grumble>. I don't add the
Reply-To... Some nameserver along the way does that. I know it
is incorrect hence, my routine inclusion of my email addr in my
signature. Now if I ran that function...)
Thanks especially for additional hints and tools to try out:
Regards to all,
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:22 CDT