Manuel Arostegui Ramirez wrote:
El Domingo, 21 de Octubre de 2007 09:43, Manuel Arostegui Ramirez escribió:
Sometimes it's useful to look in /etc/passwords for new users created with
uid 0.
It's a good idea to create users such like smtp, smtprelay, systemuser or
that sort of names which, in the beggining doesn't seem to be suspicius and
give them the uid 0...
I dispute that. If one's using passwd authentication, anyone who has
access to the box can see what they are.
So it's a good idea to look for other users with the 0 uid despide of root.
More probable is a setuid root shell, hidden some place. I once found an
IRC bot in /var/spool/cron/.mesh
Manuel
I meant /etc/passwd :-)
An intruder doesn't need to be root to use the system, sometimes it's
better not to be. When someone gained root on a system I know about,
there cracker kit damaged the system so it wouldn't run. OTOH, without
root, they were still able to install software in a user's home directory.
I found that one because of firewall reports. But for that, they could
have been there for weeks or months, instead of just hours.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxx
Please do not reply off-list
