Re: entry in /etc/passwd
From: Charles Clancy (security@xauth.net)
Date: 05/01/02
Date: Wed, 1 May 2002 16:37:13 -0500 (CDT)
From: Charles Clancy <security@xauth.net>
To: Yannis Nikolopoulos <yanodd@otenet.gr>
> yesterday I noticed that the last line of my /etc/passwd file
> was something like :
> +::0::0
That sets the UID and gecos field of all users on the system to 0. The
attacker probably meant to do "+::0:0:" but the above is just as lethal.
> I didn't put it and it was definitely not there before :)
> I vaguely remember that it has something to do with NIS..
Yes -- it's often used in conjunction with NIS+ netgroups. In the past,
I've used the following config on servers that I only wanted certain people
to log in to:
+@managers:x:::::
+:x:::::/afs/cs/common/login.restricted
That changes the shell for users not in the managers netgroup to one that
spits out an error message and kicks them off.
> any suggestions? Should I be worried???
Yes -- you should be very worried! :) I suggest removing the line, and
tracking down how you were attacked.
[ t charles clancy ]-[ tclancy@uiuc.edu ]-[ uiuc.edu/~tclancy ]
[ crypto ][ coordinated science lab ][ university of illinois ]
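An added example, not part of the original message: a small audit that reads a passwd file and flags `+`/`-` compat entries by the fields they set, as discussed in the message above, and goes one step further by also flagging non-root accounts with UID 0. The severity labels, the `audit_passwd` name and the sample accounts are assumptions made for illustration; the three `+` lines in the sample are the ones quoted in the thread.

```python
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed sample; the three "+" lines are the ones quoted in the message.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
toor:x:0:0::/root:/bin/sh
+@managers:x:::::
+:x:::::/afs/cs/common/login.restricted
+::0::0
"""

def audit_passwd(text):
    """Return (line_no, severity, message) tuples for suspicious entries."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        # Pad short lines such as "+::0::0" so every field can be inspected.
        parts += [""] * (len(FIELDS) - len(parts))
        entry = dict(zip(FIELDS, parts))
        if entry["name"].startswith(("+", "-")):
            # NIS compat entry: collect every field it sets after the password.
            overrides = sorted(f for f in FIELDS[2:] if entry[f])
            if "0" in (entry["uid"], entry["gid"]):
                findings.append((line_no, "CRITICAL",
                                 f"compat entry sets uid/gid 0: {line}"))
            elif overrides:
                findings.append((line_no, "REVIEW",
                                 f"compat entry overrides {overrides}: {line}"))
            else:
                findings.append((line_no, "INFO", f"compat entry: {line}"))
        elif entry["uid"] == "0" and entry["name"] != "root":
            findings.append((line_no, "CRITICAL",
                             f"extra UID 0 account {entry['name']!r}"))
    return findings

if __name__ == "__main__":
    import sys
    # Audit the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line_no, severity, message in audit_passwd(text):
        print(f"{severity:8} line {line_no}: {message}")
```

Run with a path such as `/etc/passwd` as the only argument to audit a real file; any `+`/`-` line on a host that does not use NIS deserves investigation regardless of the severity shown.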