RE: [cobalt-users] Strange entries in /etc/passwd -- possible security breach
- Subject: RE: [cobalt-users] Strange entries in /etc/passwd -- possible security breach
- From: "Peter Masloch" <peter@xxxxxxxxxxx>
- Date: Fri Aug 16 09:59:37 2002
- Organization: EasyniX Consulting
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On Behalf Of Jolley, Carl
> Sent: Friday, August 16, 2002 11:04 AM
> To: 'cobalt-users@xxxxxxxxxxxxxxx'
> Subject: [cobalt-users] Strange entries in /etc/passwd --
> possible security breach
>
>
> I recently took a look at my /etc/passwd file and found a couple of entries
> appended to the end of the file that I did not know about. They haven't
> always been there. The usernames are sauser and saroot. The home directory
> entries are /home/sauser and /home/saroot. The content of the files in those
> directories appears to be the Cobalt default stuff used when a new virtual
> host is created. For example, one of the files is
> /home/sauser/user/en_US/web/index.html and the content of that file makes
> reference to the Raq3.
>
> Also strange is that the consecutive uid numbers assigned for the new users
> are quite a bit larger than the uid number of the last user I added. There
> are also entries in the /etc/shadow file for them, but the crypted password
> strings are 34 characters long rather than 13 like all my other entries.
> Both new passwd entries have gid values of 0, i.e. root's group.
>
> Any thoughts? Is this stuff legit? Can I/Should I just remove the entries
> from the passwd file and remove the home directories? So far there are
> _apparently_ no logins for either of these two users based on the contents
> of the last log. Based on creation dates of the files in the respective home
> directories, these things appear to have been created 4 days ago,
>
Did you install any software lately? What software are you running?
Database or any other additional software? Any Java compiler?
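
Added example, not part of the original thread: a small Python check for the three indicators the original poster describes (gid 0 on a non-root account, a jump in uid numbering, and shadow hashes whose length differs from the other entries). The sample passwd/shadow contents, the `audit` function and the `uid_gap` threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample files (not from the post); uids and hash strings are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:110:100::/home/admin:/bin/bash
carl:x:111:100::/home/carl:/bin/bash
sauser:x:5001:0::/home/sauser:/bin/bash
saroot:x:5002:0::/home/saroot:/bin/bash
"""
SAMPLE_SHADOW = "\n".join(
    f"{name}:{'H' * n}:11915:0:99999:7:::"
    for name, n in [("root", 13), ("admin", 13), ("carl", 13),
                    ("sauser", 34), ("saroot", 34)]
)

def audit(passwd_text, shadow_text, uid_gap=1000):
    """Return {account: [reasons]} for entries matching the indicators above."""
    findings = {}
    def flag(name, reason):
        findings.setdefault(name, []).append(reason)

    baseline_uid = 0  # highest uid seen among accounts not flagged for a jump
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid = line.split(":")[:4]
        uid, gid = int(uid), int(gid)
        if name != "root" and (uid == 0 or gid == 0):
            flag(name, "uid/gid 0 on non-root account")
        if uid - baseline_uid > uid_gap:  # heuristic threshold, an assumption
            flag(name, f"uid {uid} jumps past previous maximum {baseline_uid}")
        else:
            baseline_uid = max(baseline_uid, uid)

    # Compare each password hash length with the most common one in the file.
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1] and fields[1][0] not in "*!":
            hashes[fields[0]] = fields[1]  # skip locked/empty password fields
    if hashes:
        usual = Counter(len(h) for h in hashes.values()).most_common(1)[0][0]
        for name, h in hashes.items():
            if len(h) != usual:
                flag(name, f"hash length {len(h)}, others use {usual}")
    return findings

if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(account, "->", "; ".join(reasons))
```

To run it against a real system, pass the contents of /etc/passwd and /etc/shadow (read as root) instead of the sample strings.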