Is there any possible way for passwords to suddenly change on a linux box, beyond being hacked? I just had to chroot in to access my own machine, which is somewhat disconcerting. My box is open the the world via SSH, but it disables root login, so I thought I was sort of in the clear. I took a look at my authlog, but I'm not seeing anything suspicious, beyond all the attempts to access root via SSH that normally hit a box that's open. I'm really confused, because I don't see much value in changing someone's passwords, without doing anything else, as all this does is alert the person that their machine is probably compromised.
I'm in the process of changing all SSH keys, and doing a scan with ClamAV (though I understand that's more for infected executables/windows-style stuff). Are there any other tools to help me determine if my box was compromised? Should I just do a full format?
[link][5 comments]