Re: Non-existent user able to log in??? hacked????
Hi Arnaud.
The first things I'd check are:
* Are the passwd, group, and shadow entries in your "/etc/nsswitch.conf"
configured correctly?
* If you have NIS installed on your machine, issue "/etc/init.d/nis
stop" and "/etc/init.d/portmap stop" commands. Then see if you can still
log in as the 'test' user. If you don't need it, consider uninstalling
NIS.
* Can you change the password for user 'test' while logged in as root?
* What do your "/etc/pam.d/ssh" and "/etc/pam.d/ftpd" files look like?
Hope this helps :-)
-----
Jeremy
On Tue, 2004-05-18 at 16:21, A. Loonstra wrote:
> Hi,
>
> Last night I found the following in my wtmp:
>
> test ftpd19097 141.222.42.5 Sat May 15 10:57 - 10:57 (00:00)
>
> I had this test account once but removed the account right away. So this
> shouldn't show up in my logs anyhow. The weird thing is that syslog
> shows something else:
>
> May 15 10:57:41 matilda wu-ftpd[19097]: connect from 141.222.42.5
> May 15 10:57:44 matilda wu-ftpd[19097]: FTP LOGIN REFUSED (ftp not in
> /etc/passwd) FROM 141.222.42.5 [141.222.42.5], anonymous
>
> So now I tried myself to log in as this test user with a very obvious
> password. It was possible.... SSH login succeeded and ftp login as well.
> The ssh login seems to get mapped to another local user which does
> have an existing account on the server. However it can't find the home
> dir so it sets it to /
>
> I have nothing in /etc/passwd, /etc/shadow or anywhere else...
> a grep test on passwd* or shadow* reveals nothing. So how is it possible
> that this test user is able to log in?
>
> I've run the most recent version of chkrootkit (0.43) and run a Linux
> virus scanner (McAfee) as well. Both find nothing.
>
> Any help appreciated.
>
> Arnaud.
>
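The nsswitch.conf check suggested in the reply, as an added shell example that is not part of the original thread. It goes one step further and also looks for "+"/"-" lines in the passwd file, which in compat mode pull in NIS accounts that a grep for the user name will not find. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample data is constructed.

# nss_remote_sources [FILE]: print "db:source" for every passwd, group or
# shadow source other than files/compat ("-" reads stdin).
nss_remote_sources() {
    awk '
        { sub(/#.*/, ""); gsub(/\[[^]]*\]/, "") }   # drop comments, [actions]
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            for (i = 2; i <= NF; i++)
                if ($i != "files" && $i != "compat") print $1 $i
        }' "${1:-/etc/nsswitch.conf}"
}

# compat_includes [FILE]: print "line: text" for every "+" or "-" entry,
# i.e. NIS include/exclude lines that are honoured in compat mode.
compat_includes() {
    awk '/^[+-]/ { print NR ": " $0 }' "${1:-/etc/passwd}"
}

# where_defined USER: "local" if USER is in /etc/passwd, "nss-only" if only
# the name service switch resolves it (NIS, LDAP, ...), else "unknown".
where_defined() {
    if awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }' /etc/passwd 2>/dev/null
    then echo "local"
    elif getent passwd "$1" >/dev/null 2>&1
    then echo "nss-only"
    else echo "unknown"
    fi
}

# Constructed sample inputs, so the checks can be tried offline.
sample_nsswitch() {
cat <<'EOF'
# constructed sample nsswitch.conf
passwd:  compat nis      # NIS consulted after local files
group:   files
shadow:  files [NOTFOUND=return] ldap
hosts:   files dns
EOF
}

sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
+::::::
EOF
}
```

On the affected machine, run `nss_remote_sources`, `compat_includes` and `where_defined test` with no file argument; an "nss-only" result means the account comes from a source outside /etc/passwd.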