
Re: [cobalt-security] Re: cobalt factory usernames



On Wed, 24 Jan 2001 cronus@xxxxxx wrote:

> > The specific usernames that I question are: "pop" and "operator"
> > Are those installed into the raq3i by the factory?
>
> I admin two Raq3 servers. One of them has accounts under the
> usernames pop, operator and games. The other only has operator
> and games but neither server actually has passwords for these
> accounts. What I mean is that the shadow file contains an
> asterisk ('*') which would never be the result of a crypt function
> so the accounts cannot be logged into in the normal fashion. If
> you were running a daemon as one of these accounts then the daemon
> itself may have caused the hole.

It's also worth checking these service accounts still have their shell
entries either blank or set to /bin/false.  Quite often people change the
shell to /bin/sh and use them to login.

My RaQ (owned.lab6.com) was cracked at the weekend.  Initially it looks
like procmail was exploited.  It's running the latest version of procmail,
which is worrying.
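The check described above (service accounts with a blank or /bin/false shell and a '*' in the shadow field) as a small audit script. This is an added example, not part of the thread; the passwd and shadow lines are constructed samples, and the account list is the one named in the thread.

```shell
#!/bin/sh
# Audit factory service accounts against a passwd/shadow pair.
# The two samples below are constructed; a real RaQ's files will differ.

SERVICE_ACCOUNTS="pop operator games"

# Constructed /etc/passwd: "games" has had its shell changed to /bin/sh.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
pop:x:24:24:pop:/var/spool/pop:/bin/false
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:/bin/sh'

# Constructed /etc/shadow: "games" now carries a real crypt() hash.
SAMPLE_SHADOW='root:$1$abc$fakehashfakehashfakeha:11345:0:99999:7:::
pop:*:11345:0:99999:7:::
operator:*:11345:0:99999:7:::
games:$1$xyz$anotherfakehashvalue1:11345:0:99999:7:::'

# audit_account NAME PASSWD_TEXT SHADOW_TEXT
# Prints one line per finding; returns 1 if anything was found.
# (An account absent from passwd yields empty fields and is not flagged.)
audit_account() {
  name=$1; passwd=$2; shadow=$3; rc=0
  shell=$(printf '%s\n' "$passwd" | awk -F: -v u="$name" '$1==u {print $7}')
  hash=$(printf '%s\n' "$shadow" | awk -F: -v u="$name" '$1==u {print $2}')
  case "$shell" in
    ''|/bin/false|/sbin/nologin) ;;          # no interactive login possible
    *) echo "$name: login shell is '$shell'"; rc=1 ;;
  esac
  case "$hash" in
    '*'|'!'|'!!') ;;                          # locked: never a crypt() result
    '') echo "$name: empty password field, no password required"; rc=1 ;;
    *) echo "$name: shadow field is a real hash, account can log in"; rc=1 ;;
  esac
  return $rc
}

# audit_all PASSWD_TEXT SHADOW_TEXT -> returns the number of bad accounts
audit_all() {
  passwd=$1; shadow=$2; bad=0
  for u in $SERVICE_ACCOUNTS; do
    audit_account "$u" "$passwd" "$shadow" || bad=$((bad+1))
  done
  return $bad
}

audit_all "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || echo "$? account(s) need attention"
```

On a live box replace the two samples with `$(cat /etc/passwd)` and `$(cat /etc/shadow)` (the latter needs root).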