Debian - Secure system from current administrator
Solution 1:
This reply is primarily to espouse the benefits of properly maintaining access within your IT department.
Your situation examples the benefit of an audit trail and proper access control. For example, all access would require an access request ticket with approval, without exception. Upon termination, you audit the ticket system.
For common roles within your company, the access can be standardized and even easier to eliminate.
For IT roles, we have a spreadsheet that we work out of for terminations. It lists everything to prevent oversight. We also audit our access request tickets and our work logging system, as all production changes are documented there.
Administrators should also have individual user accounts, which they use to access administrative privileges. root and administrative accounts should not be authenticated to directly. While this is not technically infallible, it enables an audit trail as well as individual accountability. With this, locking all his accounts would be a first step and then you change all admin accounts.
If you have not already, I would encourage you to implement some of these solutions if not all of them. I consider them integral and it reduces risk when an involuntary termination occurs.
First, remove all external facing access. Any access the person could use without being on premise. Then, change all passwords. Every administrator password, every system password, every application password, every vendor account password, every support account password-- everything. If the risk for retaliation is great, you might expire all employees' passwords as well.
Since you do not have the root passwords to the Linux servers, you can boot in single user mode and change it. With GRUB and LILO, you would simply append single
. The methods are similar.
As others have recommended, audit all crontabs (located in /var/spool/cron), system users, running daemons, ssh keypairs, and the systems in general.
While rebuilding is the only way to be certain, it should not be necessary in most cases. Any respectful professional would not risk their career on such a guttural reaction. It would also enable pursuit of both criminal and civil damages by your employer. Ultimately, I would suggest having a serious discussion regarding the risks with your manager after performing due diligence with removal.
Solution 2:
You can restart the Debian systems in single user mode and change the password for the root account, but you'll also have to make sure that there aren't other users with SSH access that the sysadmin has access to.
Any FTP passwords or MySQL passwords should be changed as well. You can also start checking the services and cron jobs, and make sure every program that's running is supposed to run.
The safest and fastest route would be backing up your data and reinstalling the servers, though it depends if you can accept the downtime this creates.