RE: [cobalt-users] Strange entries in /etc/passwd -- possible security breach
- Subject: RE: [cobalt-users] Strange entries in /etc/passwd -- possible security breach
- From: "Jolley, Carl" <Carl.Jolley@xxxxxxx>
- Date: Fri Aug 16 13:30:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
-----Original Message-----
From: Peter Masloch
Sent: Friday, August 16, 2002 12:54 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] Strange entries in /etc/passwd -- possible security breach
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On Behalf Of Jolley, Carl
> Sent: Friday, August 16, 2002 11:04 AM
> To: 'cobalt-users@xxxxxxxxxxxxxxx'
> Subject: [cobalt-users] Strange entries in /etc/passwd --
> possible security breach
>
>
> I recently took a look at my /etc/passwd file and found a couple of
> entries appended to the end of the file that I did not know about. They
> haven't always been there. The usernames are sauser and saroot; the home
> directory entries are /home/sauser and /home/saroot. The content of the
> files in those directories appears to be the Cobalt default stuff used
> when a new virtual host is created. For example, one of the files is
> /home/sauser/user/en_US/web/index.html and the content of that file
> makes reference to the Raq3.
>
> Also strange is that the consecutive uid numbers assigned for the new
> users are quite a bit larger than the uid number of the last user I
> added. There are also entries in the /etc/shadow file for them, but the
> crypted password strings are 34 characters long rather than 13 like all
> my other entries. Both new passwd entries have gid values of 0, i.e.
> root's group.
>
> Any thoughts? Is this stuff legit? Can I/should I just remove the
> entries from the passwd file and remove the home directories? So far
> there are _apparently_ no logins for either of these two users based on
> the contents of the last log. Based on creation dates of the files in
> the respective home directories, these things appear to have been
> created 4 days ago.
>
Did you install any software lately? What software are you running?
Database or any other additional software? Any Java compiler?
--------------------
No. Nothing special, fully patched up Raq3. No. No.
Looking at my /var/log/secure, there was a login via DIALUP to
ttyS0 by admin at about the time the files in the home directories
were created. I was not aware that my Raq even had anything related
to dialup on it. I suspect this is something that my co-loc vendor
did without telling me. I got an e-mail the next day saying that they
had to change my admin and root passwords. I had reported a problem on
the day the files were created but it was about 3 hours earlier and for
a different Raq.
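The checks the original post does by eye (accounts appended with gid 0, a jump in uid numbering, and shadow hashes of a different length from the rest) can be scripted. The following is an added example and not code from the thread or from Sun Cobalt; the passwd and shadow lines in it are constructed to mirror the situation described, and the assumption that regular user uids start at 500 (the Red Hat convention the Raq3 follows) is the example's, not the poster's. The 13-character strings the poster is used to are traditional DES crypt(3) hashes; a 34-character string is the MD5-crypt format ($1$, an 8-character salt, $, 22 characters), so the two new accounts were created by a tool using a different hash scheme than the one that made the others.

```python
# Added example: audit /etc/passwd and /etc/shadow for the anomalies
# described in the cobalt-users post. Not code from the thread or from
# Sun Cobalt. Sample input below is constructed for illustration.
import re
from collections import Counter

# Constructed sample: normal Raq-style accounts followed by two appended
# entries with gid 0, a uid jump, and a different password-hash format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:500:500:Administrator:/home/admin:/bin/bash
site1:x:501:501::/home/sites/site1:/bin/false
site2:x:502:502::/home/sites/site2:/bin/false
sauser:x:1500:0::/home/sauser:/bin/bash
saroot:x:1501:0::/home/saroot:/bin/bash
"""

SAMPLE_SHADOW = """\
root:abJnggxhB/yWI:11900:0:99999:7:::
admin:XrJXYHb7Pg9Es:11900:0:99999:7:::
site1:P0Q8SU2vPtLdc:11900:0:99999:7:::
site2:WpLnqvr/zVRN2:11900:0:99999:7:::
sauser:$1$abcdefgh$0123456789abcdefghijkl:11950:0:99999:7:::
saroot:$1$ijklmnop$0123456789abcdefghijkl:11950:0:99999:7:::
"""

# Assumption for this example: regular (non-system) uids start at 500.
FIRST_REGULAR_UID = 500

# Traditional DES crypt(3): exactly 13 characters from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def hash_scheme(h):
    """Classify a crypt(3) string by its format."""
    if h == "" or h.startswith(("!", "*")):
        return "locked"
    if DES_RE.match(h):
        return "des"          # 13 chars, as in the poster's older entries
    if h.startswith("$1$"):
        return "md5"          # $1$ + salt + $ + 22 chars: 34 chars with an 8-char salt
    if h.startswith("$5$"):
        return "sha256"
    if h.startswith("$6$"):
        return "sha512"
    return "unknown"


def parse_passwd(text):
    """Return the name/uid/gid/home/shell of each non-comment passwd line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def parse_shadow(text):
    """Map account name to its hash field from shadow-format lines."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines()) if len(f) > 1}


def audit(passwd_text, shadow_text, uid_gap=100):
    """Return (account, reason) findings for suspicious passwd/shadow entries."""
    entries = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    # 1. uid 0 or gid 0 on any account other than root.
    for e in entries:
        if e["name"] == "root":
            continue
        if e["uid"] == 0:
            findings.append((e["name"], "uid 0 (second root account)"))
        if e["gid"] == 0:
            findings.append((e["name"], "gid 0 (primary group is root's)"))
    # 2. A large jump in uid between consecutive regular accounts in file order.
    prev = None
    for e in entries:
        if e["uid"] < FIRST_REGULAR_UID:
            continue
        if prev is not None and e["uid"] - prev["uid"] > uid_gap:
            findings.append((e["name"], f"uid jump {prev['uid']} -> {e['uid']}"))
        prev = e
    # 3. A password hash scheme that differs from the majority of accounts.
    schemes = {e["name"]: hash_scheme(hashes.get(e["name"], "")) for e in entries}
    counted = Counter(s for s in schemes.values() if s not in ("locked", "unknown"))
    if counted:
        majority = counted.most_common(1)[0][0]
        for name, s in schemes.items():
            if s not in ("locked", "unknown") and s != majority:
                findings.append((name, f"password hash is {s}, others are {majority}"))
    # 4. Accounts present in passwd but absent from shadow.
    for e in entries:
        if e["name"] not in hashes:
            findings.append((e["name"], "no /etc/shadow entry"))
    return findings


if __name__ == "__main__":
    for account, reason in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {reason}")
```

On a live box this is run as root with `audit(open("/etc/passwd").read(), open("/etc/shadow").read())`. It only covers the account files; the dialup login on ttyS0 that the poster found in /var/log/secure is the kind of thing this script will not see, so `last`, /var/log/secure and the serial console configuration still have to be reviewed by hand.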