Re: Non-existent user able to log in??? hacked????
The first things I'd check are:
* Are the passwd, group, and shadow entries in your "/etc/nsswitch.conf"
* If you have NIS installed on your machine, issue "/etc/init.d/nis
stop" and "/etc/init.d/portmap stop" commands. Then see if you can still
log in as the 'test' user. If you don't need it, consider uninstalling
* Can you change the password for user 'test' while logged in as root?
* What do your "/etc/pam.d/ssh" and "/etc/pam.d/ftpd" files look like?
Hope this helps :-)
On Tue, 2004-05-18 at 16:21, A. Loonstra wrote:
> Last night I found the following in my wtmp:
> test ftpd19097 22.214.171.124 Sat May 15 10:57 - 10:57 (00:00)
> I had this test account once but removed the account right away. So this
> shouldn't show up in my logs anyhow. The weird thing is that syslog
> shows something else:
> May 15 10:57:41 matilda wu-ftpd: connect from 126.96.36.199
> May 15 10:57:44 matilda wu-ftpd: FTP LOGIN REFUSED (ftp not in
> /etc/passwd) FROM 188.8.131.52 [184.108.40.206], anonymous
> So now I tried myself to log in as this test user with a very obvious
> password. It was possible... SSH login succeeded and FTP login as well.
> The ssh login seems to get mapped to another local user which does
> have an existing account on the server. However it can't find the home
> dir so it sets it to /
> I have nothing in /etc/passwd, /etc/shadow or anywhere else...
> A grep for test on passwd* or shadow* reveals nothing. So how is it possible
> that this test user is able to log in?
> I've run the most recent version of chkrootkit (0.43) and run a Linux
> virus scanner (McAfee) as well. Both find nothing.
> Any help appreciated.
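A small diagnostic that follows the nsswitch.conf and NIS checks suggested above, added here as an example and not part of the original thread: it reads nsswitch.conf and passwd text and reports which lookup sources other than local files a login name like 'test' could still resolve from. The config and passwd contents are constructed samples; on a real host you would feed it /etc/nsswitch.conf and /etc/passwd, or simply compare `getent passwd test` against `grep '^test:' /etc/passwd`.

```shell
# Added diagnostic, not from the original thread: show every source a passwd
# lookup can come from. The nsswitch.conf and passwd text here are constructed;
# on a real host feed it /etc/nsswitch.conf and /etc/passwd instead.
SAMPLE_NSSWITCH='passwd:  compat nis
group:   compat nis
shadow:  compat nis
hosts:   files [NOTFOUND=return] dns'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
+::::::'
# Lookup sources for one database (passwd, shadow, group, ...); stdin = nsswitch
# text. Bracketed action specs such as [NOTFOUND=return] are not sources.
nss_sources() {
    awk -v db="$1" '$1 == (db ":") {
        out = ""
        for (i = 2; i <= NF; i++)
            if ($i !~ /^\[/) out = out (out == "" ? "" : " ") $i
        print out
    }'
}
# Sources other than plain local files. "compat" counts: it makes +/- lines in
# /etc/passwd pull NIS maps into local lookups.
nss_nonfile_sources() {
    out=""
    for src in $(nss_sources "$1"); do
        [ "$src" = files ] || out="$out${out:+ }$src"
    done
    printf '%s\n' "$out"
}
# Succeeds if the user has a real local entry; stdin = passwd text.
passwd_has_user() {
    grep -q "^$1:"
}
# One-line verdict: local entry, or reachable only through other sources.
explain_user() {   # $1 = user, $2 = nsswitch text, $3 = passwd text
    if printf '%s\n' "$3" | passwd_has_user "$1"; then
        echo "$1: has a local passwd entry"
        return 0
    fi
    remote=$(printf '%s\n' "$2" | nss_nonfile_sources passwd)
    # NIS compat entries (+user, +::::::, -user) in the passwd text
    plus=$(printf '%s\n' "$3" | grep -c '^[+-]' || true)
    if [ -n "$remote" ]; then
        echo "$1: no local entry; may still resolve via: $remote ($plus compat line(s) in passwd)"
    else
        echo "$1: no local entry and only files is configured"
    fi
}
explain_user test "$SAMPLE_NSSWITCH" "$SAMPLE_PASSWD"
```

A 'test' user that greps as absent from passwd* and shadow* but still logs in is exactly the case where the passwd line names compat or nis, or a '+' line is present.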