LinuxQuestions.org

rootbeer 06-18-2013 04:48 PM

troot ID (RHEL v5.4)
 
I have a handful of remote servers where I discovered an ID named troot that has root privileges. Remote logon is disabled.

I'm trying to determine if this is an ID that has to be manually created or are there any known applications or processes within Linux that may create this ID?

unSpawn 06-19-2013 01:35 AM

Quote:

Originally Posted by rootbeer (Post 4974429)
I have a handful of remote servers where I discovered an ID named troot that has root privileges. Remote logon is disabled.

IMHO no user except root should need those privileges and in that way.
- Remote login could have been disabled afterwards, no way to tell.


Quote:

Originally Posted by rootbeer (Post 4974429)
I'm trying to determine if this is an ID that has to be manually created or are there any known applications or processes within Linux that may create this ID?

- Check the MAC times on /etc/passwd, group and shadow. If it was the last account added then the modification date may help, but it's weak and easily changed.
- Check 'chage' details for the account.
- Account creation gets logged (PAM) so check your /var/log/secure. If the log (and archived ones) don't go far enough back, check your /etc/logrotate.d/ settings.
- Find files on the system with group and user ID "troot".
- Account usage gets logged (PAM) so check your wtmp ('last'), /var/log/secure and for example /var/log/cron.
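
Three of the checks from the reply above (privileged accounts in the passwd file, the password-change date that 'chage' reports, and creation entries in the secure log) as a read-only script, added here as an illustration and not part of the original thread. It assumes "root privileges" means UID 0 and that the account was added with useradd, which logs a `new user: name=...` line; the function names and all sample files are constructed.

```shell
#!/bin/sh
# Added example: read-only triage of an unexpected privileged account.
# Assumption: "root privileges" means UID 0 in the passwd file.

# Print every account with UID 0 other than root ($1 = passwd file).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print useradd "new user" lines for account $1 from the log files that follow.
# An account added by editing the passwd file by hand leaves no such line.
creation_events() {
    name=$1; shift
    grep -hiE "useradd\[[0-9]+\]: new user: name=${name}," "$@" 2>/dev/null
}

# Print the last password change as days since 1970-01-01 (shadow field 3),
# the value 'chage -l' shows as a date ($1 = account, $2 = shadow file).
last_pw_change_day() {
    awk -F: -v u="$1" '$1 == u { print $3 }' "$2"
}

# Constructed sample data so the functions can be run offline.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
troot:x:0:0::/home/troot:/bin/bash
EOF
cat > "$SAMPLE/shadow" <<'EOF'
root:!!:15000:0:99999:7:::
troot:!!:15200:0:99999:7:::
EOF
cat > "$SAMPLE/secure" <<'EOF'
Aug 14 02:14:07 host1 sshd[2210]: Accepted password for root from 192.0.2.10 port 51515 ssh2
Aug 14 02:15:31 host1 useradd[2290]: new user: name=troot, uid=0, gid=0, home=/home/troot, shell=/bin/bash
EOF

for acct in $(uid0_accounts "$SAMPLE/passwd"); do
    echo "UID 0 account: $acct"
    echo "  last password change (days since epoch): $(last_pw_change_day "$acct" "$SAMPLE/shadow")"
    creation_events "$acct" "$SAMPLE/secure" | sed 's/^/  created: /'
done
```

On a real host, run it as root against /etc/passwd, /etc/shadow and /var/log/secure plus its rotated copies. If the account does share UID 0, `find / -user troot` matches every root-owned file, because ownership is stored as a numeric UID.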


All times are GMT -5.