LinuxQuestions.org


000000 11-05-2004 08:43 PM

A hacked account or normal
 
Hi all
I am using SuSE 9.1 and I sometimes turn off the firewall, and I have discovered many accounts that don't show in KDM even if I make them unhidden. The accounts are:
@audio
@dialout
@users
@uucp
@video
@video

I have searched for the meaning of uucp = Unix-to-Unix Copy system.
I use many P2P programs to download Linux ISOs.

Are they normal accounts?

And thanks.

Capt_Caveman 11-05-2004 09:06 PM

With the exception of uucp, those aren't normal users. However they are normal group IDs. Are you sure you're looking at the proper table? Take a look at /etc/passwd just to be sure (those group names will be in /etc/group).

000000 11-06-2004 06:41 PM

Hi, and thanks for your response.
This is my /etc/group:

root:x:0:
bin:x:1:daemon
daemon:x:2:
sys:x:3:
tty:x:5:
disk:x:6:
lp:x:7:
www:x:8:
kmem:x:9:
wheel:x:10:
mail:x:12:
news:x:13:
uucp:x:14:eminaga,light,clamav
shadow:x:15:
dialout:x:16:eminaga,light,clamav
audio:x:17:eminaga,light,clamav
floppy:x:19:
cdrom:x:20:
console:x:21:
utmp:x:22:
at:x:25:
public:x:32:
video:x:33:eminaga,light,clamav
games:x:40:
xok:x:41:
trusted:x:42:
modem:x:43:
ftp:x:49:
postfix:x:51:
localham:x:56:
maildrop:x:59:
man:x:62:
sshd:x:65:
ntadmin:x:71:
distcc:x:101:
nobody:x:65533:nobody
nogroup:x:65534:nobody
users:x:100:light
zope:!:102:
clamav:!:52:

IS IT ALL NORMAL?

Capt_Caveman 11-06-2004 10:34 PM

In SuSE, it is normal to have users belong to the video, audio, dialout, and uucp groups. Are eminaga & light users on the system? The user and group clamav are added by the clamav antivirus software, so I'm assuming that you have it installed? The user eminaga looks a little odd (doesn't appear as a member of "users" and I can't think of any software that installs a system user with that name).

Also take a look at /etc/passwd and make sure that you don't have any users other than root (particularly eminaga) with a UID or GID of 0 or any other abnormal users.
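
The checks suggested in this reply, as an added example that is not part of the original thread: it flags non-root accounts with UID or GID 0, lists every group of a user (the primary group comes from /etc/passwd, so it does not appear in the member lists in /etc/group), and reports group members with no passwd entry. The function names and the sample files (users alice, toor, ghost) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Works on any passwd/group-format files.

# Accounts other than root whose UID or GID is 0.
zero_id_accounts() {            # usage: zero_id_accounts PASSWD
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1 }' "$1"
}

# Every group a user is in: primary (passwd field 4 -> group field 3)
# plus supplementary (member list, group field 4).
groups_of() {                   # usage: groups_of USER PASSWD GROUP
    awk -F: -v u="$1" '
        NR == FNR && $1 == u { gid = $4; found = 1 }
        NR == FNR { next }
        found && $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$2" "$3"
}

# Group members that have no entry in passwd, printed as group:member.
orphan_group_members() {        # usage: orphan_group_members PASSWD GROUP
    awk -F: '
        NR == FNR { known[$1] = 1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (!(m[i] in known)) print $1 ":" m[i] }
    ' "$1" "$2"
}

# Constructed sample files: "toor" is a second UID-0 account,
# "ghost" is a group member with no passwd entry.
write_sample() {                # usage: write_sample DIR
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
toor:x:0:0:extra:/root:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
uucp:x:14:alice
audio:x:17:alice,ghost
users:x:100:
EOF
}

d=$(mktemp -d) && write_sample "$d"
echo "UID/GID 0 besides root: $(zero_id_accounts "$d/passwd")"
echo "groups of alice:        $(groups_of alice "$d/passwd" "$d/group" | tr '\n' ' ')"
echo "unknown group members:  $(orphan_group_members "$d/passwd" "$d/group")"
rm -rf "$d"
```

To audit a live system, pass /etc/passwd and /etc/group instead of the sample paths.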

000000 11-07-2004 11:32 AM

Don't worry, eminaga is a normal account - it is even my last name - and so is light, and yes, I installed clamav 2 days ago - who asked -
I didn't find any user with a 0 UID/GID,
and this is my passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
mysql:x:60:2:MySQL database admin:/var/lib/mysql:/bin/false
zope:x:64:102:Zope:/opt/zope:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
ntp:x:74:65534:NTP daemon:/var/lib/ntp:/bin/false
vdr:x:100:33:Video Disk Recorder:/var/spool/video:/bin/false
distcc:x:101:101:Distcc Daemon:/etc/distcc:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
light:x:1000:100:Light:/home/light:/bin/bash
eminaga:x:1001:100:eminaga:/home/eminaga:/bin/bash
clamav:x:52:52:ClamAV Daemon:/:/bin/false

Completely normal

Capt_Caveman 11-07-2004 02:19 PM

Looks like you're in good shape then. :D

000000 11-07-2004 06:09 PM

Many thanks


All times are GMT -5.