What | Removed | Added |
---|---|---|
Flags | needinfo?(astieger@suse.com) |
Well, the problem is: this was a totally standard install. And the thing happened yesterday: the system did not accept the password input anymore. After a reboot, the mess. So, what logfiles from yesterday should I provide to look into it? X errors? Journal?

If the system is compromised by this (which is obvious), I will do a total new install. Maybe the best is to use a virtual machine every time I am on the web and throw the image away once done. Normally I am using a hardware solution, but currently it is physically broken, so I need to buy a new one. Then passwordless export of kgpg is not a problem, as the key cannot be exported from the token.

Sincerely, I think for the sake of safety and usability, it would be good to understand what is happening here.

There is one anomalous warning in rkhunter: mercurio (the new post account) is 1001, oldpost (the renamed old post account) is 1004. In rkhunter there is the following warning:

```
Warning: Changes found in the passwd file for user 'scard':
Warning: Changes found in the passwd file for user 'mercurio':
         The UID has changed from '1001' to '1004'
Warning: User 'oldpost' has been added to the passwd file.
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
         The default value may be 'yes', to allow root access.
Warning: The SSH configuration option 'Protocol' has not been set.
         The default value may be '2,1', to allow the use of protocol version 1.
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
```

This is strange because mercurio cannot change to 1004, as it is an old and invalid account. See also:

```
cat /etc/passwd | grep "/home"
connectix:x:1000:100::/home/connectix:/bin/bash
entropia:x:1002:100::/home/entropia:/bin/bash
hanyu:x:1003:100::/home/hanyu:/bin/bash
mercurio:x:1001:100::/home/mercurio:/bin/bash
oldpost:x:1004:100::/home/oldpost:/bin/bash
```

lastlog does not show anything strange.