Logins got loged in plain text
I found a file in /usr/games/ which was a log of all successful logins.
User name and password got loged in plain text.
Due to this plain text passwords I considered sshd to be compromised and reinstalled the system to be sure there's no backdoor left.
Did anyone of you experienced something like this?
I couldn't find out how the logfile got back to the intruder.
No suspicious entries in /etc/[passwd|group|shadow].
No cronjobs. No open ports and nothing in mail.log