Re: ".forward" in mail logs

From: S.J.Clifford@work.it.out.invalid
Date: 11/26/02 

From: S.J.Clifford@work.it.out.invalid
Date: 26 Nov 2002 22:24:55 GMT

richard <rmcclary@apcc.aspca.org> wrote:
>> Dnia 21 Nov 2002 09:38:13 -0800, richard napisa(a):
>> > logon:x:0:0::/home/logon:/bin/bash
>> > operator:x:0:0:operator:/root:
>
> Thanks! In an RH 7.x system, any chance this (and "logon") were
> created as a part of the pop3 daemon set-up (from the imap package)?

No (if you mean the RedHat imap RPM). You can check this with:

$ rpm -q -l imap # to see what files the rpm contains
$ rpm -q --scripts imap # to see what scripts it will run

I have the imap package installed and my operator user is UID 11,
and I have no logon user.

> Coincidentally, after I finished changing these things, the pop
> service (but not sendmail) died. A reboot got all up and running
> again.

Are your changes still in place after the reboot? Some rootkits
self-re-install after a reboot.

> I'm not sure how to edit a line in shadow directly. However, again,
> the entry for "logon" got blown away. I am presuming the passwords
> coded for "operator" (now userid 11, with a shell of /sbin/login) got
> changed by the passwd command.

Use vipw, alter the passwd file, it will then ask if you want to edit
the shadow file. Make sure logon and operator are correct here
(although changing them in /etc/passwd should be sufficient).

> Anyway, now to see what else I can find today in the logs, as well as
> seeing what surprises await me tomorrow and following...

Yes... You might also try running strings on any binaries you are
suspicious of (like the pop daemon)... If you're really paranoid copy
the suspicous file to a known clean machine and run a known clean copy
of strings on it.

S.