- 06-29-2011 #1 Linux Engineer
- Join Date
- Jul 2003
- Location
- Uppsala, Sweden
- Posts
- 1,278
Has my hosting provider been compromised?
Hi,
My virtual server hosted by a large and well known hosting company is behaving very oddly, even after re-imaging.
Symptom:
When logged in as a normal user I can "su" or "su -" to root with either the root password or the normal user's password; note that sudo is not installed.
I can ssh to the machine as root@hostname with either the user account's password or the root password.
I created a second user "testuser" and set the password to "test". This new user has no privileges other than being a member of the "users" group, not wheel or admin or anything. I can ssh to the server with testuser@hostname and the password "test". As it is not in the wheel group, it should be impossible to su - to root, and when attempting that it actually does fail if I enter the "test" password, but it STILL WORKS if I use the root password OR the other user's password.
Another oddity is the output from the "passwd" command:
$ passwd
Changing password for user USERNAME.
Changing password for USERNAME
Note the extra line in the output.
I have since re-imaged the machine with the same image (provided by my hosting provider) and the issue remains. They are investigating it and have so far been able to confirm only that I am correct in that there is something wrong.
What can the problem be other than that the image has been compromised? If this is true then potentially thousands of their other customers are at risk.
Your advice is welcome!
/variant

Proud to be a GNU/Gentoo Linux user!
- 06-29-2011 #2 Linux Engineer
Problem solved! Apparently the image was wrongly configured so that it ignores everything past 8 characters:
/etc/pam.d/system-auth

Proud to be a GNU/Gentoo Linux user!
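
Added example, not part of the original thread and not the poster's or the provider's configuration: a small audit for the misconfiguration described above. It assumes the 8-character cut-off came from pam_unix falling back to traditional DES crypt(3), which only uses the first 8 characters of a password; the sample PAM lines and shadow entries are constructed, and the function names are hypothetical.

```python
import re

# pam_unix options that select a scheme without the 8-character limit.
LONG_HASH_OPTS = {"md5", "bigcrypt", "sha256", "sha512", "blowfish",
                  "yescrypt", "gost_yescrypt"}

def pam_unix_truncates(pam_text):
    """Return 'password' lines that call pam_unix with no long-password hash option."""
    flagged = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        fields = line.split()
        if not fields or fields[0].lstrip("-") != "password":
            continue                                  # only the password stack sets the hash
        m = re.search(r"\bpam_unix\.so\b(.*)", line)
        if m and not (set(m.group(1).split()) & LONG_HASH_OPTS):
            flagged.append(line)
    return flagged

def des_hashed_accounts(shadow_text):
    """Return accounts whose stored hash is traditional DES crypt (13 chars, no $id$ prefix)."""
    names = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and re.fullmatch(r"[./0-9A-Za-z]{13}", parts[1]):
            names.append(parts[0])
    return names

# Constructed samples: a system-auth fragment before and after the fix.
SAMPLE_PAM = """\
auth        required      pam_unix.so try_first_pass
password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so try_first_pass use_authtok nullok shadow
"""
FIXED_PAM = SAMPLE_PAM.replace("nullok shadow", "nullok sha512 shadow")

# Constructed shadow entries; the hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:ab01FAX.bQRSU:15154:0:99999:7:::
testuser:$6$constructedsalt$Zm9yLWlsbHVzdHJhdGlvbi1vbmx5:15154:0:99999:7:::
daemon:*:15154:0:99999:7:::
"""

if __name__ == "__main__":
    for line in pam_unix_truncates(SAMPLE_PAM):
        print("pam_unix without long-password hash:", line)
    print("accounts still on DES hashes:", des_hashed_accounts(SAMPLE_SHADOW))
```

Changing the PAM option only affects hashes written afterwards, so accounts flagged by the second check keep the 8-character behaviour until their passwords are set again.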
