Box Cracked ( Was: thank's )
John Summerfield
debian at herakles.homelinux.org
Sun Oct 21 21:21:57 UTC 2007
Manuel Arostegui Ramirez wrote:
> El Domingo, 21 de Octubre de 2007 09:43, Manuel Arostegui Ramirez escribió:
>> Sometimes it's useful to look in /etc/passwords for new users created with
>> uid 0.
>> It's a good idea to create users such like smtp, smtprelay, systemuser or
>> that sort of names which, in the beggining doesn't seem to be suspicius and
>> give them the uid 0...
I dispute that. If one's using passwd authentication, anyone who has
access to the box can see what they are.
>> So it's a good idea to look for other users with the 0 uid despide of root.
More probable is a setuid root shell, hidden some place. I once found an
IRC bot in /var/spool/cron/.mesh
>>
>> Manuel
>>
>
> I meant /etc/passwd :-)
An intruder doesn't need to be root to use the system, sometimes it's
better not to be. When someone gained root on a system I know about,
there cracker kit damaged the system so it wouldn't run. OTOH, without
root, they were still able to install software in a user's home directory.
I found that one because of firewall reports. But for that, they could
have been there for weeks or months, instead of just hours.
>
--
Cheers
John
-- spambait
1aaaaaaa at coco.merseine.nu Z1aaaaaaa at coco.merseine.nu
Please do not reply off-list
More information about the fedora-list
mailing list