Try looking at your /etc/inittab file. It's likely some wise-arse thought it would be funny to change your default runlevel to 6, thinking that it would be amusing to watch you struggle helplessly as your machine reboots over and over. Fortunately for you, that person also doesn't know how to read the man pages or they would realize that if init detects that it has rebooted 10 times in 2 minutes, then it will stop rebooting and give an error (man init if you want specifics).
So check /etc/inittab and look to see if the line:
id:3:initdefault:
has been editted to:
id:6:initdefault:
All those shenanigans aside, whoever changed that setting had to be root. So you need to be aware that more changes may have been made including new users with a UID of 0, rootkits installed, etc. There are plenty of threads, including the one at the top of the forum on doing forensic analysis of compromised machine.
As far as keeping it from happening again, tell the people in class to get their own machines from now on (see how funny they think that is). If that's not an option, you might want to look at chrooting users into their home directories.
Last edited by Capt_Caveman; 10-13-2003 at 07:36 PM.
|