Non-existent user able to log in??? hacked????


Last night I found the following in my wtmp:

test     ftpd19097     Sat May 15 10:57 - 10:57  (00:00)

I had this test account once but removed the account right away. So this shouldn't show up in my logs anyhow. The weird thing is that syslog shows something else:

May 15 10:57:41 matilda wu-ftpd[19097]: connect from
May 15 10:57:44 matilda wu-ftpd[19097]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM [], anonymous

So now I tried myself to log in as this test user with a very obvious password. It was possible.... SSH login succeeded and FTP login as well. The SSH login seems to get mapped to another local user which does have an existing account on the server. However it can't find the home dir so it sets it to /.

I have nothing in /etc/passwd, /etc/shadow or anywhere else...
A grep test on passwd* or shadow* reveals nothing. So how is it possible that this test user is able to log in?

I've run the most recent version of chkrootkit (0.43) and run a Linux virus scanner (McAfee) as well. Both find nothing.

Any help appreciated.
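
Added example, not part of the original post: a cross-check of last(1) output against an /etc/passwd-format file that flags sessions like the "test" entry above and records whether getpwnam(3) still resolves the name through some other NSS source. The function names, the injectable resolver and the sample data are constructed for illustration.

```python
import pwd

# Pseudo-users that last(1) prints for system events, not real logins.
PSEUDO = {"reboot", "shutdown", "runlevel"}

def passwd_names(passwd_text):
    """Account names from the text of an /etc/passwd-format file."""
    rows = (r.strip() for r in passwd_text.splitlines())
    return {r.split(":", 1)[0] for r in rows if r and not r.startswith("#")}

def nss_resolves(name):
    """True if getpwnam(3) finds the name through any configured NSS source."""
    try:
        return bool(pwd.getpwnam(name))
    except KeyError:
        return False

def unknown_logins(last_output, passwd_text, resolver=nss_resolves):
    """Return (user, line, in_nss) for sessions whose user is absent from passwd_text."""
    # last(1) truncates names to 8 characters by default, so compare on that
    # prefix; an unknown name equal to a known 8-character prefix is missed.
    short = {n[:8] for n in passwd_names(passwd_text)}
    findings = []
    for row in last_output.splitlines():
        fields = row.split()
        if len(fields) < 2 or fields[0] in PSEUDO or fields[0] == "wtmp":
            continue  # blank line, system event, or the "wtmp begins" trailer
        user, line = fields[0], fields[1]
        if user not in short:
            findings.append((user, line, resolver(user)))
    return findings

# Constructed sample data modelled on the wtmp entry quoted in the post.
SAMPLE_LAST = """\
test     ftpd19097                     Sat May 15 10:57 - 10:57  (00:00)
alice    pts/0        host.example     Sat May 15 09:12 - 09:40  (00:28)
longuser pts/1        host.example     Fri May 14 22:01 - 22:30  (00:29)
reboot   system boot  2.4.26           Fri May 14 21:55          (13:02)
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
longusername:x:1001:1001::/home/longusername:/bin/bash
"""

if __name__ == "__main__":
    for user, line, in_nss in unknown_logins(SAMPLE_LAST, SAMPLE_PASSWD):
        print(f"{user} on {line}: not in passwd file, resolves via NSS: {in_nss}")
```

A finding with the last field set to True means the name is absent from the flat file but still resolvable by the system, so the account is coming from a source that a grep of passwd and shadow does not cover.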


