Re: Could operator user log on to linux machine remotely ????
From: Luke Vogel (luke@bell-bird.com.au) Date: 12/30/01
From: Luke Vogel <luke@bell-bird.com.au> Date: Sun, 30 Dec 2001 11:56:12 +1000
newbie wrote:
>
> User "Luke Vogel" <luke@bell-bird.com.au> >
>
> > or activated system accounts like "operator" or "bin" etc ....
>
> yes , i found this :
>
> operator:x:0:0::/home/operator:/bin/bash
-------------^-^
Ok, ... you now know that you are not the only one with root privileges
on _your_ box.
You might like to see if your /etc/shadow file has an actual live
password set up in it (I would lay money on it that it has!). A quick
look in /home/operator might prove a bit interesting too.
> as far as i remember from BSD it should be something like /sbin/nologin ?
> But not /bin/bash !
>
> Any idea ?
I have all my system accounts setup with /bin/false
eg:
bin:x:1:1:bin:/bin:/bin/false
but, that won't help you at all ... your cracker(s) are finding their way
into your box through some back door (possibly activated by inetd or
xinetd - look in your /etc/[x|i]netd.conf file for other clues).
Quite frankly, you cannot trust ANY binary file on your box now.
It is essential that you unplug your box from the net ... NOW! It is a
hazard to the rest of the internet community.
It is strongly recommended that you:
1. Save any important data files.
2. wipe your box clean.
3. re-install a very recent version of your OS.
4. patch all relevant servers/services.
5. harden.
6. review security procedures.
7. Re-connect to the net after everything is secure.
--
Regards
Luke
------
Q: What does FAQ stand for?
A: We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------
PLEASE NOTE: Spamgard (tm) installed.
mailto:lukeNOSPAM@bell-bird.com.au (remove NOSPAM ... obviously:)
------
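The checks suggested in this message (a second UID 0 account, a system account with a login shell, a live password in /etc/shadow), written out as an added example that is not part of the original post. The 499 system-UID cut-off, the no-login shell list, the finding names and every sample line other than the bin and operator entries are assumptions or constructed data.

```python
# Added example: audit passwd/shadow text for the signs discussed in the thread.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}  # assumed list
SYSTEM_UID_MAX = 499  # assumption: UIDs below 500 are system accounts

def password_usable(field):
    """True if the shadow password field permits password login."""
    # "*", "!", "!!" or "!<hash>" mean locked; an empty field means no password needed.
    return not field.startswith(("!", "*"))

def audit(passwd_text, shadow_text):
    """Return sorted (account, finding) pairs for suspicious system accounts."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    findings = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            findings.append((parts[0], "malformed-entry"))
            continue
        name, pwfield, uid, shell = parts[0], parts[1], int(parts[2]), parts[6]
        if name == "root" or uid > SYSTEM_UID_MAX:
            continue  # only non-root system accounts are in scope here
        if uid == 0:
            findings.append((name, "uid0-not-root"))
        if shell not in NOLOGIN_SHELLS:  # an empty shell field defaults to /bin/sh
            findings.append((name, "login-shell"))
        # "x" means the hash lives in shadow; a missing shadow entry counts as locked
        field = shadow.get(name, "*") if pwfield == "x" else pwfield
        if password_usable(field):
            findings.append((name, "usable-password"))
    return sorted(findings)

# The bin and operator passwd lines are from the thread; the rest is constructed.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
operator:x:0:0::/home/operator:/bin/bash
alice:x:500:500::/home/alice:/bin/bash"""
SAMPLE_SHADOW = """root:$1$CONSTRUCTED$notarealhash:11685:0:99999:7:::
bin:*:11685:0:99999:7:::
operator:$1$CONSTRUCTED$notarealhash:11685:0:99999:7:::
alice:$1$CONSTRUCTED$notarealhash:11685:0:99999:7:::"""

if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```

On a box that may already be compromised, run this against copies of the two files taken from trusted media, since the installed binaries cannot be trusted.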