Re: entry in /etc/passwd

From: Charles Clancy (security@xauth.net)
Date: 05/01/02


Date: Wed, 1 May 2002 16:37:13 -0500 (CDT)
From: Charles Clancy <security@xauth.net>
To: Yannis Nikolopoulos <yanodd@otenet.gr>


> yesterday I noticed that the last line of my /etc/passwd file
> was something like :
> +::0::0

That sets the UID and gecos field of all users on the system to 0. The
attacker probably meant to do "+::0:0:" but the above is just as lethal.

> I didn't put it and it was definitely not there before :)
> I vaguely remember that it has something to do with NIS..

Yes -- it's often used in conjunction with NIS+ netgroups. In the past,
I've used the following config on servers that I only wanted certain people
to log in to:

        +@managers:x:::::
        +:x:::::/afs/cs/common/login.restricted

That changes the shell for users not in the managers netgroup to one that
spits out an error message and kicks them off.

> any suggestions? Should I be worried???

Yes -- you should be very worried! :) I suggest removing the line, and
tracking down how you were attacked.

[ t charles clancy ]-[ tclancy@uiuc.edu ]-[ uiuc.edu/~tclancy ]
[ crypto ][ coordinated science lab ][ university of illinois ]
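
A check for the two conditions discussed in this thread, as an added example that is not part of the original message: it scans passwd-format text for "+" compat entries and flags any that force uid or gid 0, plus local non-root accounts with uid 0. It assumes compat-mode semantics, where non-empty fields in a "+" entry override the values NIS supplies; the function name `audit_passwd` and the `toor` sample account are constructed for illustration.

```python
# Added example: audit passwd-format text for dangerous NIS compat entries.
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

def audit_passwd(text):
    """Return a list of (line_no, severity, message) findings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        # Short lines such as "+::0::0" are padded to seven fields.
        entry = dict(zip(FIELDS, parts + [""] * (len(FIELDS) - len(parts))))
        name = entry["name"]
        if name.startswith("+"):
            # Assumption: non-empty fields override what NIS supplies.
            overrides = {k: v for k, v in entry.items() if k != "name" and v}
            if overrides.get("uid") == "0" or overrides.get("gid") == "0":
                findings.append((no, "critical",
                                 f"{name!r} forces uid/gid 0 on NIS users: {overrides}"))
            else:
                findings.append((no, "review",
                                 f"{name!r} imports NIS users, overrides: {overrides}"))
        elif name.startswith("-"):
            continue  # "-" entries exclude users; nothing is overridden
        elif entry["uid"] == "0" and name != "root":
            findings.append((no, "critical", f"local account {name!r} has uid 0"))
    return findings

# Constructed sample: the line from the question, the two config lines from
# the reply, and a made-up extra uid-0 account ("toor").
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh
+@managers:x:::::
+:x:::::/afs/cs/common/login.restricted
+::0::0
"""

if __name__ == "__main__":
    for no, severity, message in audit_passwd(SAMPLE):
        print(f"line {no}: [{severity}] {message}")
```

Run it against a copy of /etc/passwd by passing the file's contents to `audit_passwd`; it inspects only the local file and does not query NIS.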


