Re: Non-existent user able to log in??? hacked????

To: "A. Loonstra" <arnaud@sphaero.org>
Cc: Jeremy Melanson <jmelanson@systemhalted.com>, debian-security@lists.debian.org
Subject: Re: Non-existent user able to log in??? hacked????
From: Steven James <pyro@linuxlabs.com>
Date: Wed, 19 May 2004 00:19:14 +0000 (UTC)
Message-id: <[🔎] Pine.LNX.4.58.0405190015550.26413@ucontrol.mobiledns.com>
In-reply-to: <[🔎] 40AA92CC.6070904@sphaero.org>
References: <[🔎] 40AA7042.6000504@sphaero.org> <[🔎] 1084917627.5460.62.camel@boswjmela1l1> <[🔎] 40AA92CC.6070904@sphaero.org>

Greetings,

It's been a long time, but IIRC, the NIS uses it's own dbm files which are
built from those in /etc. The test account must have existed when you set
it up.

G'day,
sjames

-------------------------steven james, director of research, linux labs
... ........ ..... ....                    230 peachtree st nw ste 2701
the original linux labs                             atlanta.ga.us 30303
      -since 1995                              http://www.linuxlabs.com
                                              office & fax 866.545.6306
-----------------------------------------------------------------------


On Wed, 19 May 2004, A. Loonstra wrote:

> Jeremy Melanson wrote:
>
> > Hi Arnaud.
> >
> > The first things I'd check are:
> >
> > * Are the passwd, group, and shadow entries in your "/etc/nsswitch.conf"
> > configured correctly?
> >
> > * If you have NIS installed on your machine, issue "/etc/init.d/nis
> > stop" and "/etc/init.d/portmap stop" commands. Then see if you can still
> > log in as the 'test' user. If you don't need it, consider uninstalling
> > NIS.
> >
> > * Can you change the password for user 'test' while logged in as root?
> >
> > * What do your "/etc/pam.d/ssh" and "/etc/pam.d/ftpd" files look like?
> >
> > Hope this helps :-)
> >
> > -----
> > Jeremy
> >
>
> Yep, that helped bigtime... I've shutdown NIS and I'm not able to login
> as test anymore.
>
> When I start NIS again I am able to logon as test.
> ypcat passwd reveals the existance of the test account and also explains
> why it is mapped against the particular local existent user. ypcat
> shadow.byname also reveals the password for test.
>
> Question remains why NIS is doing this, or what I am doing wrong. I did
> setup this server the serve some linux workstations as a test. I guess I
> underestimated NIS thinking it would just use shadow and passwd from /etc.
>
> this is my nsswitch:
> passwd:         compat
> group:          compat
> shadow:         compat
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> Arnaud.
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>

Reply to:

Follow-Ups:
- Re: Non-existent user able to log in??? hacked????
  - From: elijah wright <elw@stderr.org>

References:
- Non-existent user able to log in??? hacked????
  - From: "A. Loonstra" <arnaud@sphaero.org>
- Re: Non-existent user able to log in??? hacked????
  - From: Jeremy Melanson <jmelanson@systemhalted.com>
- Re: Non-existent user able to log in??? hacked????
  - From: "A. Loonstra" <arnaud@sphaero.org>

Prev by Date: Re: Non-existent user able to log in??? hacked????
Next by Date: Re: Non-existent user able to log in??? hacked????
Previous by thread: Re: Non-existent user able to log in??? hacked????
Next by thread: Re: Non-existent user able to log in??? hacked????
Index(es):
- Date
- Thread