[cobalt-users] AdmR & AdmQ Users
- Subject: [cobalt-users] AdmR & AdmQ Users
- From: "Santiago Montalvan" <smontalvan@xxxxxxxxxxxxxxxxx>
- Date: Wed Mar 5 17:09:01 2003
- Organization: montalvanware.com
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Kevin,
I don't think that our server has been hacked because of the presence of
AdmR & AdmQ, whose home directories, by the way, were created back on July
5th 2002 (that's about when we got the Qube3). Our Qube3 has had those
directories ever since then and we have never had a problem yet, so if we
had been hacked it seems that we should be experiencing problems, but
we are not. I was just curious to see if anybody else has those users...
Any other ideas?
I am showing you here the beginning of the passwd file...
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
httpd:x:15:11:httpd:/home/httpd:
nobody:x:99:99:Nobody:/:
pop:x:17:17:APOP:/etc:
postgres:x:100:101:PostgreSQL Server:/home/pgsql:/bin/bash
mysql:x:101:102:MySQL server:/var/lib/mysql:/bin/bash
squid:x:102:103:Squid Cache:/home/squid2:
admin:x:500:100:Qube3 Server Administrator:/home/users/admin:/bin/bash
admR:x:0:0:Qube3 Server Administrator:/home/admR:/bin/bash
admQ:x:583:583:Qube3 Server Administrator:/home/admQ:/bin/bash
named:x:25:25:Named:/etc/named:/bin/false
guest-share:x:501:28:guest share user:/home/groups/guest-share:/bin/badsh
I am afraid that if I delete those users something will break...
Thanks,
Santiago.
On Wednesday 05 March 2003 16:08, Santiago Montalvan wrote:
> I show the following users:
>
> admR:x:0:0:Qube3 Server Administrator:/home/admR:/bin/bash
> admQ:x:583:583:Qube3 Server Administrator:/home/admQ:/bin/bash
>
> admQ:x:583:583::/home/admQ:/bin/bash
> admR:x:584:584::/home/admR:/bin/bash
>
> Is this normal? We have a Qube3 Pro at work.
This isn't normal. The 0:0 means that user has root-level access, or
Administrator access (for all you Windows folk). An entry like the one above
usually means your box was rooted, or hacked. There could be any number of
ways a hacker could gain root, but the (usually) hard part is discovering
what the hacker has done to your system. I would run chkrootkit to see if
there are any of those lovely rootkit nightmares installed on your box...my
guess is yes, but finding out which rootkit is the fun part, fixing it is the
PITA part.
Another step would be to make sure that the system has applied all of the
patches released. Note that patching the system won't fix the things a
hacker has done, it just repairs the hole which was exploited. To fix the
things modified by a hacker, I would suggest searching through the system to
try and find what files were modified, then repairing those files OR
replacing the Qube3 Pro. Recently, I have done the latter, but the box I was
replacing was a RaQ4. Basically I obtained the new RaQ4, patched it,
configured it, copied the data over using CMU, then pulled the old and
dropped in the new.
Good luck with whatever action you choose to do,
Kevin
______________________________
Santiago Montalvan
Information Systems Consultant
montalvanware.com
smontalvan@xxxxxxxxxxxxxxxxx
503-341-7159
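The point Kevin makes about the 0:0 fields is easy to turn into a routine check. The following is an added example (not code from the thread or from Sun Cobalt): it parses passwd-format text and flags any account other than root that carries UID 0, plus any UID shared by more than one account. The sample input is constructed from the excerpt Santiago posted; on a real box you would read /etc/passwd instead, and a clean result from this check says nothing about the shadow file or about other changes a rootkit may have made.

```python
"""Flag root-equivalent and duplicate-UID accounts in passwd-format text."""
from collections import defaultdict

# Constructed sample, taken from the passwd lines quoted in this thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
admin:x:500:100:Qube3 Server Administrator:/home/users/admin:/bin/bash
admR:x:0:0:Qube3 Server Administrator:/home/admR:/bin/bash
admQ:x:583:583:Qube3 Server Administrator:/home/admQ:/bin/bash
named:x:25:25:Named:/etc/named:/bin/false
"""


def parse_passwd(text):
    """Yield (name, uid, gid, gecos, home, shell) for each well-formed line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        yield name, int(uid), int(gid), gecos, home, shell


def audit_passwd(text):
    """Return (account, reason) findings; an empty list means nothing flagged."""
    findings = []
    accounts_by_uid = defaultdict(list)
    for name, uid, gid, _gecos, _home, _shell in parse_passwd(text):
        accounts_by_uid[uid].append(name)
        # Any UID 0 login is root, whatever it is called; only "root" is expected.
        if uid == 0 and name != "root":
            findings.append((name, f"uid 0 (gid {gid}): root-equivalent account not named root"))
    # A UID used by several names lets one account masquerade as another.
    for uid in sorted(accounts_by_uid):
        names = accounts_by_uid[uid]
        if len(names) > 1:
            findings.append((",".join(names), f"UID {uid} shared by {len(names)} accounts"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
```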