Re: [cobalt-users] AdmR & AdmQ Users
- Subject: Re: [cobalt-users] AdmR & AdmQ Users
- From: Kevin Bonner <keb@xxxxxx>
- Date: Wed Mar 5 17:54:01 2003
- Organization: CTI Networks
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On Wednesday 05 March 2003 20:06, Santiago Montalvan wrote:
> Kevin,
>
> I don't think that our server has been hacked because of the presence of
> AdmR & AdmQ which by the way the home directories were created back in
> July 5th 2002 (that's about when we got the Qube3). Our Qube3 has had
> those directories ever since then and we have never had a problem yet so if
> we would have been hacked it seems that we should be experiencing problems
> but we are not.
Well, the whole process of rooting a box also means that it's not noticed.
That's why rootkits are installed...to hide the processes and files which
hackers install as well as a way to make it easier to get back into the
compromised system. However, it could have been a glitch in some Cobalt
program, human error, shift in the planetary alignment, etc.
> I am showing you here the beginning of the passwd file...
>
> root:x:0:0:root:/root:/bin/bash
> [ snip ]
> admR:x:0:0:Qube3 Server Administrator:/home/admR:/bin/bash
These entries tell me that if you were to login as root or admR, you would
have the same access. I know of no security conscious individual who would
setup a system with multiple root-level users, and if they did, they should
be taken out and shot.
Most systems I've dealt with that have had multiple root users have been
hacked, which is why I made my assumption in my previous email.
> I am afraid that if I delete those users something will break...
True. Whilst changing things on a potentially rooted machine that affects the
hacker might piss them off and make them take it out on your data, I might
try just changing the shell for the admR and admQ users. I believe the
default shell for all Cobalt created users is /bin/badsh. Just changing the
shell should allow scripts and whatnot to run while rejecting normal
telnet/ssh access. If you want to be somewhat sure that the box isn't
compromised, I would suggest running chkrootkit on the box.
Kevin
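An added example of the two checks discussed in the message above, not code from Kevin, from Santiago, or from Cobalt's software: scan a passwd file for accounts that share UID 0 with root, report which of them still have an interactive login shell, and produce a copy in which those shells are set to /bin/badsh as Kevin suggests. The passwd lines are constructed for the example (the root and admR lines resemble the two entries quoted in the thread; the bin, admin and admQ lines are made up), and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread or of the Cobalt software.
# Audits a passwd file for accounts that share UID 0 with root (the situation
# Kevin describes for admR) and shows the shell change he suggests.

# Constructed sample: modelled on the two entries quoted in the thread, with the
# bin, admin and admQ lines made up for illustration.
SAMPLE_PASSWD="root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/badsh
admin:x:100:100:Qube3 Administrator:/home/admin:/bin/bash
admR:x:0:0:Qube3 Server Administrator:/home/admR:/bin/bash
admQ:x:0:0:Qube3 Server Administrator:/home/admQ:/bin/badsh"

# sample_file: write the constructed sample to a temp file and print its path,
# so the functions below run against it exactly as they would against /etc/passwd.
sample_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    echo "$f"
}

# uid0_accounts FILE
# Print "name:shell" for every entry whose numeric UID (field 3) is 0 but whose
# name is not root. Any such account has full root access, whatever its name.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $7 }' "$1"
}

# uid0_with_login_shell FILE
# Restrict to the UID 0 accounts that still have an interactive shell, i.e.
# anything other than the usual no-login shells. These are the ones an intruder
# (or anyone who learns the password) can use to log in as root over telnet/ssh.
uid0_with_login_shell() {
    uid0_accounts "$1" | awk -F: '
        $2 != "/bin/badsh" && $2 != "/bin/false" && $2 != "/sbin/nologin" { print $1 }'
}

# disable_uid0_logins FILE
# Print a copy of FILE in which every non-root UID 0 account has its shell set
# to /bin/badsh, the no-login shell Kevin mentions. Cron jobs and scripts that
# run as these users are unaffected; interactive logins are refused. On a live
# system prefer usermod -s or chsh over rewriting /etc/passwd by hand.
disable_uid0_logins() {
    awk -F: -v OFS=: '$3 == 0 && $1 != "root" { $7 = "/bin/badsh" } { print }' "$1"
}

# Stand-alone demo: run the audit, apply the fix to a copy, and audit again.
pw=$(sample_file)
echo "UID 0 accounts other than root:"
uid0_accounts "$pw"
echo "...of which still able to log in:"
uid0_with_login_shell "$pw"
fixed=$(mktemp)
disable_uid0_logins "$pw" > "$fixed"
echo "After setting their shell to /bin/badsh, still able to log in:"
uid0_with_login_shell "$fixed"
rm -f "$pw" "$fixed"
```

To use it on a real box, pass /etc/passwd to the functions instead of the sample path. Bear in mind the point Kevin makes about rootkits: on a machine that may already be rooted, the sh and awk binaries doing the audit could themselves have been replaced, which is why he points at chkrootkit rather than at inspection alone.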