[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Non-existent user able to log in??? hacked????

Hi Arnaud.

The first things I'd check are:

* Are the passwd, group, and shadow entries in your "/etc/nsswitch.conf"
configured correctly?

* If you have NIS installed on your machine, issue "/etc/init.d/nis
stop" and "/etc/init.d/portmap stop" commands. Then see if you can still
log in as the 'test' user. If you don't need it, consider uninstalling

* Can you change the password for user 'test' while logged in as root?

* What do your "/etc/pam.d/ssh" and "/etc/pam.d/ftpd" files look like?

Hope this helps :-)


On Tue, 2004-05-18 at 16:21, A. Loonstra wrote:
> Hi,
> Last night I found the following in my wtmp:
> test     ftpd19097     Sat May 15 10:57 - 10:57  (00:00)
> I had this test account once but removed account rightaway. So this 
> shouldn't show up in my logs anyhow. The weird thing is that syslog 
> shows something else:
> May 15 10:57:41 matilda wu-ftpd[19097]: connect from
> May 15 10:57:44 matilda wu-ftpd[19097]: FTP LOGIN REFUSED (ftp not in 
> /etc/passwd) FROM [], anonymous
> So now I tried myself to login as this test user with a very obvious 
> password. It was possible.... SSH login succeeded and ftp login as well. 
>   The ssh login seems to get mapped to another local user which does 
> have an existing account on the server. However it can't find the home 
> dir so it sets it to /
> I have nothing in /etc/passwd, /etc/shadow or anywhere else...
> a grep test on passwd* or shadow* reveals nothing. So how is it possible 
> that this test user is able to login.
> I've run the most recent version of chkrootkit (0.43) and run a linux 
> virusscanner (mcafee) as well. Both find nothing.
> Any help appreciated.
> Arnaud.

Reply to: