Re: some kind of attack. i need some help here!

From: Matt (
Date: 01/11/02

From: Matt <>
Date: Fri, 11 Jan 2002 12:08:00 -0600

ok, here's that info for both accounts...
user=sbin, uid=1003
user=scrap, uid=1001
both use bash as the shell

as for the 'last' command, it says the wtmp log started on the same date and
time as the last time 'sbin' logged in.......this is getting real fun

what can you tell from the uid anyway?

Kasper Dupont wrote:

> Matt wrote:
> >
> > --to any debian guru's out there....a user account is on my system that
> > i don't think is meant to be there. the username is 'scrap' and so is
> > the password!!!!!!! i'v disabled this account, but is it one of those
> > accounts used by the system, or can i get rid of it?
> I don't know debian systems, but I have never seen that username
> on any other systems. Sounds spurious to me. What is the UID and
> default shell of that account?
> > how can i find out when the account was last accessed?
> You could use the last command, unless that command or the logs
> has been compromised. If your box has been compromised you
> really cannot know that for sure.
> --
> Kasper Dupont
> For sending spam use