Logging Reveals Username and Password

[wbens]

Hello Forum:

I am having a problem with two linux boxes I have. They are running Centos 5.3 and Centos 5.4. The problem is that when I log in, this file /etc/host, under the etc directory get appended the username I am logging in as, the IP address I am logging in from, and worse, the password in clear text.

This is the format it uses:

username@IP (password in clear text) [Tue Jan 12 2010 13:00:26 -0500]

Is it possible for someone to tell me what is this about, and how to stop it?

[Rubberman]

What are the permissions on this file? Only root should have read access to this file. If that is the case, then I think it is functioning as designed. I assume these logins are via ssh?

[wbens]

The permissions are:

-rw-r--r-- 1 root root 527 Feb 23 14:27 /etc/host

However, notice that this file is not the /etc/hosts file. I have never seen this file in a Centos box before.

I am logging via ssh.

What do you think could be happening?

[IsThisNecessary]

The permissions are:

-rw-r--r-- 1 root root 527 Feb 23 14:27 /etc/host

However, notice that this file is not the /etc/hosts file. I have never seen this file in a Centos box before.

I am logging via ssh.

What do you think could be happening?

I don't think your password should be readable, so this could be malware of some kind. Check for login scripts, sshd_config and verify sshd.

[wbens]

This turned out to be a rootkit. I think it was a java rootkit. I had to rebuild the server from scratch. I wonder if it is possible to delete any rootkit. If anyone of you knows out there, please let me know.

Thanks.

[kurtdriver]

I wonder if it is possible to delete any rootkit. If anyone of you knows out there, please let me know.

Thanks.

Overwrite everything. Sorry for the bad news.