Hi Guys,
I had one of my Red Hat Linux 6.2 boxes configured with a live IP address. For experimental purposes, we disabled all services like ftp/telnet/finger etc. with host.allow and host.deny, allowing only one machine from our internal network to access it using ssh. The only service which was enabled was http on the external interface. There are no other services like ftp/lpd/nfs running on it. All the users/groups like games/shutdown/operator etc. have been deleted. We have changed the permissions using chattr for inet/ init conf files too.
The box did NOT run any firewall etc. The next day what we found was that it would NOT allow us to log in at all. At the login prompt, when one tried to log in as any user or even "su", it would just jump back to the login prompt. We rebooted the machine in single user mode and found that no passwd/shadow files were tampered with.
Could I get some hint as to which are the likely files which I could look into which could cause this problem? This would help us further in the penetration test which we are conducting.
Thanks and Regards
Jaishankar