
RE: [cobalt-users] Strange entries in /etc/passwd -- possible security breach



-----Original Message-----
From: Michael Fritsch [mailto:fritschnet@xxxxxxxxxxxxx]
Sent: Friday, August 16, 2002 1:08 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] Strange entries in /etc/passwd -- possible security breach




> Also strange is that the consecutive uid numbers assigned for the new
> users are quite a bit larger than the uid number of the last user I added.
> There are also entries in the /etc/shadow file for them but the crypted
> password strings are 34 characters long rather than 13 like all my other
> entries. Both new passwd entries have gid values of 0, i.e. root's group.
>
> Any thoughts? Is this stuff legit? Can I/Should I just remove the entries
> from the passwd file and remove the home directories? So far there are
> _apparently_ no logins for either of these two users based on the contents
> of the last log. Based on creation dates of the files in the respective
> home directories, these things appear to have been created 4 days ago.
>

Ask the company you rent your server from. It is usually put there by the
hosting company to allow them a backdoor to your server.
-------------------------

Well, since they apparently were able to log in with the admin user, I'm
not sure why they needed a backdoor. Anyway, they now have all the backdoors
they wanted, so long as they can log on and use /bin/badsh for their shell.
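The indicators the thread describes (non-root accounts placed in gid 0, a hash format unlike the rest of /etc/shadow, an unfamiliar shell, a jump in uid numbering) can be checked mechanically against copies of the two files. The following is an added example, not code from the list or from any of its members; the passwd and shadow lines are constructed, and KNOWN_SHELLS, the UID floor of 500 and the gap threshold of 100 are assumptions you would tune for your own box.

```python
"""Audit passwd/shadow lines for the anomalies the thread describes: non-root accounts
in gid 0, hashes unlike the rest of the file, unknown shells, and uid jumps."""
import re
from collections import Counter

# Constructed sample lines (not from the post); only the shell name /bin/badsh mirrors it.
PASSWD = """root:x:0:0:root:/root:/bin/bash
admin:x:500:500:Admin:/home/admin:/bin/bash
bob:x:502:502:Bob:/home/bob:/bin/bash
svcx:x:1503:0::/home/svcx:/bin/badsh
svcy:x:1504:0::/home/svcy:/bin/badsh"""
SHADOW = """root:AbCdEfGhIjKlM:11900:0:99999:7:::
admin:NoPqRsTuVwXyZ:11900:0:99999:7:::
bob:ZyXwVuTsRqPoN:11900:0:99999:7:::
svcx:$1$saltsalt$ab12cd34ef56gh78ij90kl:11920:0:99999:7:::
svcy:$1$saltsalt$zz12cd34ef56gh78ij90kl:11920:0:99999:7:::"""
KNOWN_SHELLS = {"/bin/bash", "/bin/sh", "/sbin/nologin", "/bin/false"}  # assumption
UID_MIN, UID_GAP = 500, 100  # assumed floor for ordinary users and what counts as a jump

def hash_format(h):
    """Classify a crypt(3) string: 13-char traditional DES, $id$ modular, or other."""
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "des"
    m = re.match(r"\$([^$]+)\$", h)
    return f"modular-{m.group(1)}" if m else "other"

def audit(passwd_text, shadow_text):
    """Return {user: [finding, ...]} for accounts that look out of place."""
    shadow = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines()}
    entries = [l.split(":") for l in passwd_text.splitlines()]
    # The majority hash format in the file is the baseline; outliers get reported.
    baseline = Counter(hash_format(shadow.get(e[0], "")) for e in entries).most_common(1)[0][0]
    findings = {}
    for name, _, uid, gid, _, _, shell in entries:
        f = []
        if gid == "0" and uid != "0":
            f.append("gid 0 on non-root account")
        fmt = hash_format(shadow.get(name, ""))
        if fmt != baseline:
            f.append(f"hash format {fmt} differs from baseline {baseline}")
        if shell not in KNOWN_SHELLS:
            f.append(f"unexpected shell {shell}")
        if f:
            findings[name] = f
    # Large jumps in uid numbering among ordinary users, as the poster noticed.
    uids = sorted((int(e[2]), e[0]) for e in entries if int(e[2]) >= UID_MIN)
    for (prev, _), (uid, name) in zip(uids, uids[1:]):
        if uid - prev > UID_GAP:
            findings.setdefault(name, []).append(f"uid {uid} jumps {uid - prev} past uid {prev}")
    return findings
```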