Compromised Machine

Brian D. McGrew brian at doubledimension.com
Wed Sep 22 18:31:02 UTC 2004


Hello all ... I need a bit of advice here.

It would appear that one of our machines was compromised last night via 
ssh.  It turns out that one of our accounts called 'operator' didn't 
have a password on it (Hey, it's not 'my' machine) and someone came in 
via ssh.  This was made obvious when we discovered the root password 
had been changed and the 'last' showed two logins from overseas.  The 
machine was shut down immediately and they called me.

My questions are:

1)  As an unprivileged user, how can someone change the root password?  
Our operator account is the lowest privileged account on the system, 
they can't shutdown, su or do anything.  But the root password is 
changed.

2)  While bringing the machine back up, it hung while starting the 
network on device eth0 with the error "Error loading module ppp.o".  
We don't use ppp or anything even close.  This machine is on a LAN and 
it's even very rarely logged into.  Is it feasible to think that some 
sort of malicious software was installed or run on the system, and if 
so, how can I tell?

3)  Short of reinstalling the system, how can I tell what was done and 
go about fixing it?  I know a reinstall would of course do it, and in 
the case of this machine we've only changed one line of one file; 
otherwise it's a stock install.

Any help is great!  Thanks!

-brian

Brian D. McGrew		{ brian at doubledimension.com || 
pacemakertaker at yahoo.com }
--
 > YOU!  Off my planet!
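Two of the signals in the post above can be checked mechanically once the disk is mounted read-only on a clean host: whether any account has an empty password field in /etc/shadow, and which `last` logins came from outside the LAN. This is an added example in Python, not code from the original post or from redhat-list; the shadow lines, the `last` output, the user names, hosts, dates and the 192.168.1.0/24 LAN range are all constructed.

```python
"""Audit helpers for the two signals described in the post: accounts with
no password in /etc/shadow and remote logins in `last` output. Input is
passed as text so it can be run against copies taken from the disk."""
import ipaddress

# Constructed sample /etc/shadow lines (not from the original machine).
SAMPLE_SHADOW = """\
root:$1$abcdefgh$ijklmnopqrstuvwxyz12345:12500:0:99999:7:::
bin:*:12500:0:99999:7:::
operator::12500:0:99999:7:::
brian:$1$zyxwvuts$0987654321abcdefghijk:12500:0:99999:7:::
guest:!!:12500:0:99999:7:::
"""

def accounts_without_password(shadow_text):
    """Login names whose shadow password field is empty. With pam_unix
    'nullok' such accounts log in with no password at all; '*', '!' and
    '!!' mean locked for password login and are not reported."""
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            hits.append(fields[0])
    return hits

# Constructed sample `last` output; users, hosts and dates are invented.
SAMPLE_LAST = """\
operator pts/1        203.0.113.45     Tue Sep 21 23:14   still logged in
operator pts/0        198.51.100.7     Tue Sep 21 22:58 - 23:10  (00:12)
brian    pts/0        192.168.1.20     Mon Sep 20 09:02 - 17:30  (08:28)
reboot   system boot  2.4.x-sample     Mon Sep 20 08:55          (1+14:19)
"""

def logins_from_outside(last_text, lan_cidr):
    """(user, host) pairs whose host is an IP address outside lan_cidr.
    Third columns that are not IPs (kernel version on the reboot line,
    a resolved hostname) are skipped rather than guessed at."""
    lan = ipaddress.ip_network(lan_cidr)
    found = []
    for line in last_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            host = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        if host not in lan:
            found.append((parts[0], parts[2]))
    return found
```

Run it against copies of /etc/shadow and wtmp pulled from the shut-down machine's disk rather than from a booted copy of the compromised system, whose `last` output and binaries cannot be trusted.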