Re: [cobalt-security] Re: cobalt factory usernames
- Subject: Re: [cobalt-security] Re: cobalt factory usernames
- From: Gossi The Dog <gossi@xxxxxxxxxxxxxx>
- Date: Wed, 24 Jan 2001 17:37:26 +0000 (GMT)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Wed, 24 Jan 2001 cronus@xxxxxx wrote:
> > The specific usernames that I question are: "pop" and "operator"
> > Are those installed into the raq3i by the factory?
>
> I admin two Raq3 servers. One of them has accounts under the
> usernames pop, operator and games. The other only has operator
> and games but neither server actually has passwords for these
> accounts. What I mean is that the shadow file contains an
> asterisk ('*') which would never be the result of a crypt function
> so the accounts cannot be logged into in the normal fashion. If
> you were running a daemon as one of these accounts then the daemon
> itself may have caused the hole.
It's also worth checking these service accounts still have their shell
entries either blank or set to /bin/false. Quite often people change the
shell to /bin/sh and use them to login.
My RaQ (owned.lab6.com) was cracked at the weekend. Initially it looks
like procmail was exploited. It's running the latest version of procmail,
which is worrying.
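The two checks discussed in this thread (is the hash field in /etc/shadow something crypt could never produce, and does /etc/passwd still give the account a usable shell) are easy to script. The following is an added example and not code from the original message or from Cobalt; the sample passwd/shadow lines, the dummy hashes, the account names and the "uid below 100 is a system account" cutoff are all constructed assumptions for the demo. One caveat the script encodes: an empty shell field in /etc/passwd is not a lock, because login(1) substitutes /bin/sh when pw_shell is blank, so the script reports a blank shell as interactive.

```shell
#!/bin/sh
# Added example for the cobalt-security thread above (not from the original
# post or from Cobalt). Audits service accounts for the two properties the
# thread discusses: locked password hash in shadow, non-login shell in passwd.
# Sample data, names and the uid<100 cutoff are constructed assumptions.

# Constructed sample /etc/passwd (not taken from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:/bin/false
pop:x:13:13:pop:/var/mail:/bin/sh
admin:x:500:500:admin:/home/admin:/bin/bash'

# Constructed sample /etc/shadow (hash strings are dummies, not real crypt output).
SAMPLE_SHADOW='root:$1$abc$DUMMYHASHnotreal000000:11300:0:99999:7:::
operator:*:11300:0:99999:7:::
games:*:11300:0:99999:7:::
pop:$1$xyz$DUMMYHASHnotreal111111:11300:0:99999:7:::
admin:$1$def$DUMMYHASHnotreal222222:11300:0:99999:7:::'

# password_state NAME SHADOW_TEXT
# Prints "locked" when the hash field is '*', '*LK*' or starts with '!'
# (none of these can come out of crypt(3), so no password will ever match),
# "empty" when the field is blank (no password needed at all), else "set".
password_state() {
    hash=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2 }')
    case "$hash" in
        '')              echo empty ;;
        '*'|'*LK*'|'!'*) echo locked ;;
        *)               echo set ;;
    esac
}

# shell_state NAME PASSWD_TEXT
# Prints "noninteractive" for /bin/false or any *nologin shell, otherwise
# "interactive". A blank shell field counts as interactive: login(1) falls
# back to /bin/sh when pw_shell is empty, so blank does not disable logins.
shell_state() {
    shell=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }')
    case "$shell" in
        /bin/false|*/nologin) echo noninteractive ;;
        *)                    echo interactive ;;
    esac
}

# suspicious_service_accounts PASSWD_TEXT SHADOW_TEXT
# Prints, one per line, every account with 0 < uid < 100 (assumed system
# range) whose password is not locked OR whose shell is interactive.
suspicious_service_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 > 0 && $3 < 100 { print $1 }' |
    while read -r name; do
        p=$(password_state "$name" "$2")
        s=$(shell_state "$name" "$1")
        if [ "$p" != locked ] || [ "$s" != noninteractive ]; then
            echo "$name"
        fi
    done
}

# Run against the constructed samples. On a live RaQ (as root) use instead:
#   suspicious_service_accounts "$(cat /etc/passwd)" "$(cat /etc/shadow)"
suspicious_service_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" | while read -r n; do
    echo "$n: password=$(password_state "$n" "$SAMPLE_SHADOW")" \
         "shell=$(shell_state "$n" "$SAMPLE_PASSWD")"
done
```

With the sample data, "games" passes (hash '*', shell /bin/false), "operator" is reported because its shell field is blank, and "pop" is reported because it has both a real-looking hash and /bin/sh. Anything the script flags on a real box is either a legitimate local change or exactly the kind of tampering the thread is asking about, and the shadow field is the quicker of the two to re-check by hand.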