Answer #7 — CompTIA Security+ Guidance

LAST WEEK:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls:		b79f70b18538de0199e6829e06b547e079df8842

TODAY:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		7c6fa9266a5abfa03d685ea7f7164393c984b710
/etc/shadow:		9a4fb74ef00824d6e84785ad53d6fed364947778
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls:		b79f70b18538de0199e6829e06b547e079df8842

You are examining records from a busy server that is critical to your organization's financial well-being. What should you report to management?

A: Everything seems to be fine.
B: A user is violating the AUP.
C: An intruder has gained administrative access and changed the system configuration.
D: An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.

Only /etc/passwd and /etc/shadow changed; the bootloader, the kernel, sshd_config and /bin/ls still match last week's hashes. The most likely cause is routine account administration. Adding a user appends one line to each file; a password change or account lock rewrites /etc/shadow alone, while editing a user's shell or GECOS field rewrites /etc/passwd alone, so two unrelated everyday events also explain the pair. Again, no cause for worry.

It is possible that an intruder with administrative access created the account, and a backdoor user added by hand would change exactly these two files, so the hashes alone cannot rule that out. Before reporting, diff both files against the backup or last known-good copy and look in the authentication log (/var/log/auth.log or /var/log/secure) for the matching useradd or passwd event. With nothing else on the system changed, A is by far the most likely explanation and is what you should report.
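The comparison above carried out in code, as an added example that is not part of the original page: a small Python manifest differ that parses both listings (tolerating the tab layout and the missing colon on the /bin/ls line), reports which monitored paths changed, and rates the result on the question's A/C/D ladder. The path classes and the severity rules are this example's own assumptions, not anything the page or a particular FIM product prescribes; the two manifests embedded below are the LAST WEEK and TODAY listings from the question.

```python
"""Added example: diff two file-integrity manifests and rate the change.

Sample input is the LAST WEEK / TODAY listing from the question above.
The path classes and the severity ladder are this example's own policy.
"""
import hashlib
import re

# path, optional colon, whitespace, hex digest (SHA-1 on the page; SHA-256 also fits)
MANIFEST_LINE = re.compile(r"^(?P<path>\S+?):?\s+(?P<digest>[0-9a-fA-F]{32,128})\s*$")

LAST_WEEK = """\
/boot/grub/grub.cfg:\t6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:\td6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:\t\t02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:\t\t71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:\t5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls\t\t\tb79f70b18538de0199e6829e06b547e079df8842
"""

TODAY = """\
/boot/grub/grub.cfg:\t6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:\td6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:\t\t7c6fa9266a5abfa03d685ea7f7164393c984b710
/etc/shadow:\t\t9a4fb74ef00824d6e84785ad53d6fed364947778
/etc/ssh/sshd_config:\t5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls\t\t\tb79f70b18538de0199e6829e06b547e079df8842
"""

# Assumed policy: where a changed path falls. Real FIM tools (AIDE, Tripwire,
# osquery) let you express this per rule; these prefixes are illustrative.
OS_PREFIXES = ("/boot/", "/bin/", "/sbin/", "/lib", "/usr/bin/", "/usr/sbin/", "/usr/lib")
ACCOUNT_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow"}


def parse_manifest(text):
    """Return {path: digest}; reject any line that is not path + hex digest."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a manifest entry: {raw!r}")
        entries[m["path"]] = m["digest"].lower()
    return entries


def classify(path):
    """Map a path onto the assumed classes used by assess()."""
    if path.startswith(OS_PREFIXES):
        return "os_component"
    if path in ACCOUNT_FILES:
        return "account"
    if path.startswith("/etc/"):
        return "config"
    return "other"


def compare(old_text, new_text):
    """Diff two manifests: changed paths (with class), plus paths added/removed."""
    old, new = parse_manifest(old_text), parse_manifest(new_text)
    report = {"changed": {}, "added": [], "removed": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path] != new[path]:
            report["changed"][path] = classify(path)
    return report


def assess(report):
    """Rate a report on the question's ladder. B (an AUP violation) cannot be
    inferred from hashes, so it is never returned; added/removed paths are
    reported but not rated, since they reflect the watch list, not the host."""
    classes = set(report["changed"].values())
    if "os_component" in classes:
        return "D"  # kernel, bootloader or binaries differ: the OS itself is suspect
    if classes & {"config", "other"}:
        return "C"  # configuration changed: diff it against the known-good copy
    return "A"      # nothing, or only account files, changed: routine until a content diff says otherwise


def digest_file(path, algo="sha256"):
    """Digest a file in chunks, for building fresh manifests in the same format."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    rep = compare(LAST_WEEK, TODAY)
    for p, cls in rep["changed"].items():
        print(f"changed  {p}  ({cls})")
    print("assessment:", assess(rep))
```

Run as-is it lists /etc/passwd and /etc/shadow as the only changed paths, both in the account class, and rates the report A. Swapping in a different digest for /bin/ls or /boot/vmlinuz-4.13.0 flips the rating to D, and a changed /etc/ssh/sshd_config gives C. The rating is a triage hint only: an A still calls for the content diff and the auth-log check described above before anything goes to management.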