Non-existent user able to log in??? hacked????

To: debian-security@lists.debian.org
Subject: Non-existent user able to log in??? hacked????
From: "A. Loonstra" <arnaud@sphaero.org>
Date: Tue, 18 May 2004 22:21:22 +0200
Message-id: <[🔎] 40AA7042.6000504@sphaero.org>
Reply-to: debsec@sphaero.org

Hi,

Last night I found the following in my wtmp:

test     ftpd19097    141.222.42.5     Sat May 15 10:57 - 10:57  (00:00)

I had this test account once but removed account rightaway. So thisshouldn't show up in my logs anyhow. The weird thing is that syslogshows something else:


May 15 10:57:41 matilda wu-ftpd[19097]: connect from 141.222.42.5

May 15 10:57:44 matilda wu-ftpd[19097]: FTP LOGIN REFUSED (ftp not in/etc/passwd) FROM 141.222.42.5 [141.222.42.5], anonymous

So now I tried myself to login as this test user with a very obviouspassword. It was possible.... SSH login succeeded and ftp login as well.The ssh login seems to get mapped to another local user which doeshave an existing account on the server. However it can't find the homedir so it sets it to /


I have nothing in /etc/passwd, /etc/shadow or anywhere else...

a grep test on passwd* or shadow* reveals nothing. So how is it possiblethat this test user is able to login.

I've run the most recent version of chkrootkit (0.43) and run a linuxvirusscanner (mcafee) as well. Both find nothing.


Any help appreciated.

Arnaud.

Reply to:

Follow-Ups:
- Re: Non-existent user able to log in??? hacked????
  - From: Jeremy Melanson <jmelanson@systemhalted.com>
- Re: Non-existent user able to log in??? hacked????
  - From: Richard Atterer <richard@list04.atterer.net>

Prev by Date: proftpd affected by recent security hole (2004/05/12) ?
Next by Date: Sorry to announce that we are closing
Previous by thread: proftpd affected by recent security hole (2004/05/12) ?
Next by thread: Re: Non-existent user able to log in??? hacked????
Index(es):
- Date
- Thread