LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-08-2001, 12:18 PM   #1
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Rep: Reputation: 15
Exclamation


I wondering if the user 'operator' is automatically installed by Redhat default configuration.

See my /etc/passwd file bellow.
I wondering which system service or program needs to
have these account to here in the passwd file: namely: 'operator', 'wnn', or these possibly inserted by
hackers?

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0perator:/root: <<----
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:
apache:x:48:48:Apache:/var/www:/bin/false
named:x:25:25:Named:/var/named:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
mailnull:x:47:47::/var/spool/mqueue:/dev/null
wnn:x:49:49:Wnn System Account:/home/wnn:/bin/bash <----
ident:x:98:98ident user:/:/bin/false
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
pvm:x:24:24::/usr/share/pvm3:/bin/bash
--------
finger operator results:
# finger operator
Login: operator Name: operator
Directory: /root Shell: /bin/sh
Never logged in.
No mail.
No Plan.
--------
rpm -q wnn
package wnn is not installed
[root@machine1 /]# man wnn
No manual entry for wnn

thanks.
 
Old 06-11-2001, 05:27 AM   #2
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Hi,

The operator user is normal, + it has no shell so it used by the OS system for admin tasks.

The wnn user is not normal.
If you have installed a Kana-to-Kanji conversion system then you would have this user name.
If not, someone else with root priv's has put it there.

Check these files to see what's installed
If not then someone has removed the extensions but not the passwd file.

If your box is a fresh install with no other users then I would be worried, if not then someone has installed wnn as suid allowing it to modify the passwd file.

/etc/rc.d/init.d/jserver.init
/etc/rc.d/rc0.d/K12jserver
/etc/rc.d/rc2.d/S12jserver
/etc/rc.d/rc3.d/S12jserver
/etc/rc.d/rc5.d/S12jserver
/etc/rc.d/rc6.d/K12jserver
/usr/doc/Wnn-4.2
/usr/doc/Wnn-4.2/RN_Wnn42
/usr/doc/Wnn-4.2/Xsi
/usr/doc/Wnn-4.2/Xsi/README
/usr/doc/Wnn-4.2/Xsi/README.sun
/usr/doc/Wnn-4.2/Xsi/Wnn
/usr/doc/Wnn-4.2/Xsi/Wnn/FAQ
/usr/doc/Wnn-4.2/Xsi/Wnn/READ.ME
/usr/doc/Wnn-4.2/Xsi/Wnn/READ.ME.j
/usr/doc/Wnn-4.2/Xsi/config
/usr/doc/Wnn-4.2/Xsi/config/Project.tmpl
/usr/doc/Wnn-4.2/Xsi/config/X11.tmpl
/usr/local/bin/Wnn4
/usr/local/bin/Wnn4/atod
/usr/local/bin/Wnn4/atof
/usr/local/bin/Wnn4/dtoa
/usr/local/bin/Wnn4/jserver
/usr/local/bin/Wnn4/oldatonewa
/usr/local/bin/Wnn4/uum
/usr/local/bin/Wnn4/wddel
/usr/local/bin/Wnn4/wdreg
/usr/local/bin/Wnn4/wnnkill
/usr/local/bin/Wnn4/wnnstat
/usr/local/bin/Wnn4/wnntouch
/usr/local/lib/libjd.so.1.0
/usr/local/lib/libjd.so.1.0.0
/usr/local/lib/libwnn.so.1.0
/usr/local/lib/libwnn.so.1.0.0
/usr/local/lib/wnn
/usr/local/lib/wnn/cvt_key_empty
/usr/local/lib/wnn/cvt_key_tbl
/usr/local/lib/wnn/cvt_key_tbl.ST
/usr/local/lib/wnn/cvt_key_tbl.gm
/usr/local/lib/wnn/cvt_key_tbl.kt
/usr/local/lib/wnn/cvt_key_tbl.mv
/usr/local/lib/wnn/cvt_key_tbl.vt
/usr/local/lib/wnn/ja_JP
/usr/local/lib/wnn/ja_JP/dic
/usr/local/lib/wnn/ja_JP/dic/pubdic
/usr/local/lib/wnn/ja_JP/dic/pubdic/bio.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/chimei.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/computer.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/full.fzk
/usr/local/lib/wnn/ja_JP/dic/pubdic/jinmei.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/kihon.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/kougo.fzk
/usr/local/lib/wnn/ja_JP/dic/pubdic/koyuu.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/setsuji.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/special.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/std.fzk
/usr/local/lib/wnn/ja_JP/dic/pubdic/symbol.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/tankan.dic
/usr/local/lib/wnn/ja_JP/dic/src
/usr/local/lib/wnn/ja_JP/dic/src/fzk.attr
/usr/local/lib/wnn/ja_JP/dic/src/fzk.con
/usr/local/lib/wnn/ja_JP/dic/src/fzk.fzkattr
/usr/local/lib/wnn/ja_JP/dic/src/fzk.jirattr
/usr/local/lib/wnn/ja_JP/dic/src/fzk.jircon
/usr/local/lib/wnn/ja_JP/dic/src/fzk.master
/usr/local/lib/wnn/ja_JP/dic/src/fzk.shuutan
/usr/local/lib/wnn/ja_JP/dic/usr
/usr/local/lib/wnn/ja_JP/dic/wnncons
/usr/local/lib/wnn/ja_JP/dic/wnncons/tankan2.dic
/usr/local/lib/wnn/ja_JP/dic/wnncons/tankan3.dic
/usr/local/lib/wnn/ja_JP/hinsi.data
/usr/local/lib/wnn/ja_JP/jserverrc
/usr/local/lib/wnn/ja_JP/libwnn.msg
/usr/local/lib/wnn/ja_JP/rk
/usr/local/lib/wnn/ja_JP/rk.vi
/usr/local/lib/wnn/ja_JP/rk.vi/1B_newTOUPPER
/usr/local/lib/wnn/ja_JP/rk.vi/2A_CTRL
/usr/local/lib/wnn/ja_JP/rk.vi/2B_KEISEN
/usr/local/lib/wnn/ja_JP/rk.vi/2B_ROMKANA
/usr/local/lib/wnn/ja_JP/rk.vi/2C_KEISEN1
/usr/local/lib/wnn/ja_JP/rk.vi/2C_VI
/usr/local/lib/wnn/ja_JP/rk.vi/2C_VIEX
/usr/local/lib/wnn/ja_JP/rk.vi/2C_VISH
/usr/local/lib/wnn/ja_JP/rk.vi/2_VITHROW
/usr/local/lib/wnn/ja_JP/rk.vi/3B_ZENASC
/usr/local/lib/wnn/ja_JP/rk.vi/mode
/usr/local/lib/wnn/ja_JP/rk.vi/uumkey
/usr/local/lib/wnn/ja_JP/rk/1B_TOUPPER
/usr/local/lib/wnn/ja_JP/rk/1B_ZENHIRA
/usr/local/lib/wnn/ja_JP/rk/1B_ZENKATA
/usr/local/lib/wnn/ja_JP/rk/1B_newTOUPPER
/usr/local/lib/wnn/ja_JP/rk/2A_CTRL
/usr/local/lib/wnn/ja_JP/rk/2B_DAKUTEN
/usr/local/lib/wnn/ja_JP/rk/2B_JIS
/usr/local/lib/wnn/ja_JP/rk/2B_ROMKANA
/usr/local/lib/wnn/ja_JP/rk/2_TCODE
/usr/local/lib/wnn/ja_JP/rk/3B_HANKATA
/usr/local/lib/wnn/ja_JP/rk/3B_KATAKANA
/usr/local/lib/wnn/ja_JP/rk/3B_ZENKAKU
/usr/local/lib/wnn/ja_JP/rk/autork
/usr/local/lib/wnn/ja_JP/rk/mode
/usr/local/lib/wnn/ja_JP/rk/mode.hankata
/usr/local/lib/wnn/ja_JP/rk/mode.nohankata
/usr/local/lib/wnn/ja_JP/uum.msg
/usr/local/lib/wnn/ja_JP/uumkey
/usr/local/lib/wnn/ja_JP/uumkey.omr
/usr/local/lib/wnn/ja_JP/uumkey_e
/usr/local/lib/wnn/ja_JP/uumrc
/usr/local/lib/wnn/ja_JP/uumrc.omr
/usr/local/lib/wnn/ja_JP/uumrc.rev
/usr/local/lib/wnn/ja_JP/uumrc_e
/usr/local/lib/wnn/ja_JP/uumrc_vi
/usr/local/lib/wnn/ja_JP/wnnenvrc
/usr/local/lib/wnn/ja_JP/wnnenvrc.omr
/usr/local/lib/wnn/ja_JP/wnnenvrc.rem
/usr/local/lib/wnn/ja_JP/wnnenvrc.rev
/usr/local/lib/wnn/ja_JP/wnnenvrc_R
/usr/local/lib/wnn/ja_JP/wnnenvrc_R.omr
/usr/local/lib/wnn/ja_JP/wnnenvrc_R.rem
/usr/local/lib/wnn/ja_JP/wnnstat.msg
/usr/local/lib/wnn/lt_LN
/usr/local/lib/wnn/lt_LN/rk
/usr/local/lib/wnn/lt_LN/rk/2A_CTRL
/usr/local/lib/wnn/lt_LN/rk/2B_LATIN
/usr/local/lib/wnn/lt_LN/rk/mode
/usr/local/lib/wnn/lt_LN/uum.msg
/usr/local/lib/wnn/lt_LN/uumkey
/usr/local/lib/wnn/lt_LN/uumkey_e
/usr/local/lib/wnn/lt_LN/uumrc
/usr/local/lib/wnn/serverdefs
/usr/local/man/ja_JP.ujis/man1/atod.1
/usr/local/man/ja_JP.ujis/man1/atof.1
/usr/local/man/ja_JP.ujis/man1/dtoa.1
/usr/local/man/ja_JP.ujis/man1/jserver.1
/usr/local/man/ja_JP.ujis/man1/oldatonewa.1
/usr/local/man/ja_JP.ujis/man1/uum.1
/usr/local/man/ja_JP.ujis/man1/wddel.1
/usr/local/man/ja_JP.ujis/man1/wdreg.1
/usr/local/man/ja_JP.ujis/man1/wnnkill.1
/usr/local/man/ja_JP.ujis/man1/wnnstat.1
/usr/local/man/ja_JP.ujis/man1/wnntouch.1
/usr/local/man/ja_JP.ujis/man4/2a_ctrl.4
/usr/local/man/ja_JP.ujis/man4/2b_romkana.4
/usr/local/man/ja_JP.ujis/man4/cvt_key_tbl.4
/usr/local/man/ja_JP.ujis/man4/fzk.data.4
/usr/local/man/ja_JP.ujis/man4/fzk.u.4
/usr/local/man/ja_JP.ujis/man4/hinsi_data.4
/usr/local/man/ja_JP.ujis/man4/jserverrc.4
/usr/local/man/ja_JP.ujis/man4/mode.4
/usr/local/man/ja_JP.ujis/man4/serverdefs.4
/usr/local/man/ja_JP.ujis/man4/ujis_dic.4
/usr/local/man/ja_JP.ujis/man4/uumkey.4
/usr/local/man/ja_JP.ujis/man4/uumrc.4
/usr/local/man/ja_JP.ujis/man4/wnnenvrc.4
/usr/local/man/ja_JP.ujis/man5/pubdic.5
/usr/local/man/ja_JP.ujis/man5/usr_dic.

/Raz
 
Old 06-11-2001, 11:24 AM   #3
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Original Poster
Rep: Reputation: 15
My Redhat 7.0 was hacked before.

Thank you for your reply. I was concerned my passwd file for possible tampering because the machine was running Redhat 7.0 with bind (named) as namelookup caching server. And it was obviously got hacked -
One day, I noticed the nslookup no longer able to resove from default server 127.0.0.1, returns error with something unable to connect default server 127.0.0.1, but it can rely on secondary (outside) DNS to resolve. I did a " ps -aux |more " and found a strange process called '/dev/ttyyy/.kore' youSUCK running. Then I did further digging and found it was a virus installed on the Linux machine which connects to an irc server with uk domain string upon booting. It has very much similarity to the instance described in the following link but not exactly the same.

http://www2.linuxjournal.com/articles/culture/0022.html

http://www.rvglug.org/pipermail/rvgl...ry/000436.html

So I contacted the author of above article by email and provided him a name/password for my system, and asked him if he'd interested to take look, but I have not heard back from him. So I decided to delete the virus and restore/repair my system, I used bootnet.img to ftp and upgraded the system to Redhat 7.1 (not install from scratch because I need to preserve old data).

My Redhat machine has two NIC cards, one external NIC connects to cable modem via a hub, and one internal NIC connecting local LAN, with ipchaines, serving as gateway for internal LAN to the internet. It works very well. I was just try to verify the security or any backdoors which may left open by previous hacker. Any comments or suggestions would be very much appreciated.

One more thing, when I do a 'netstat -a', I got following and I don't quite understand, why I have ports 32768,32769, 32770 and 32771 open but I don't see them ever connects to anywhere?

[root@ /root]# netstat -a |more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 luna:domain *:* LISTEN
tcp 0 0 solar:domain *:* LISTEN
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
tcp 0 0 *:https *:* LISTEN
tcp 0 36 solar:ssh air1.mydomain.com:1022 ESTABLISHED
udp 0 0 *:32768 *:*
udp 0 0 *:who *:*
udp 0 0 *:32769 *:*
udp 0 0 *:32770 *:*
udp 0 0 *:32771 *:*
.....
.....

The following is what I have running on the system:
apache http server;
bind name server (caching only, for internal LAN stations);
ipchains for ip masquerading.
ssh as a secured substitute for telnet
(yet to enable sendmail).

thank you very much.


 
Old 06-11-2001, 11:53 AM   #4
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
That UDP stuff is not normal unless your streaming some kind of data in from outside.

I suggest you turn these off and block the rest from outside world.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:sunrpc *:* LISTEN "REMOVE"
tcp 0 0 *:x11 *:* LISTEN "REMOVE"
tcp 0 0 *:http *:* LISTEN "PATCH"
tcp 0 0 *:auth *:* LISTEN "REMOVE"
tcp 0 0 luna:domain *:* LISTEN "BLOCK"
tcp 0 0 solar:domain *:* LISTEN "BLOCK"
tcp 0 0 localhost:domain *:* LISTEN "BLOCK"
tcp 0 0 *:ssh *:* LISTEN "BLOCK"
tcp 0 0 localhost:smtp *:* LISTEN "Not sure if you pull mail in"
tcp 0 0 *:https *:* LISTEN "PATCH"
tcp 0 36 solar:ssh air1.mydomain.com:1022 ESTABLISHED
udp 0 0 *:32768 *:* "BLOCK ALL UDP(not udp 53)
udp 0 0 *:who *:* "same as above"
udp 0 0 *:32769 *:* "same as above"
udp 0 0 *:32770 *:* "same as above"
udp 0 0 *:32771 *:* "same as above"

Send me an email to roldbury@newmail.net and I'll help you design a good firewall using Ipchains + a good IDS.

/Raz
 
Old 06-11-2001, 01:15 PM   #5
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Original Poster
Rep: Reputation: 15
thanks!

Thanks again for your advise and your email address, I will send you an email in next 30min. It would be nice to have some IDS, I have been my desire for long time, but I was not sure where to start. I bought a NFR eval copy of Cisco package, but it was old already and it runs only on Sun. Your help/input is very much appreciated.
 
Old 06-12-2001, 04:40 AM   #6
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
ok np I'll check that email account in a min. "it's a snail mail service"

The IDS is a home made one that I wrote, with some help from perl CPAN.

It works v-well.

/Raz
 
Old 06-12-2001, 08:56 AM   #7
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Original Poster
Rep: Reputation: 15
Intrusion detection system

Where I can fetch a copy of your home made IDS?
thanks.
 
Old 06-12-2001, 09:17 AM   #8
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Hi Joe,

It's not publicly available.
I've emailed you details.

It takes about 45 minutes to set-up and tune.

I don't make it publicly available, so people can't work out how to disable it before I'm notified about them.
"This is only if someone gets in"

Otherwise it tells you all the normal stuff like when your system goes into Promiscuous mode or a new module is loaded and any scans done on your system, + login in attempts and SSH connections etc etc etc.

/Raz
 
Old 06-12-2001, 09:54 AM   #9
LionKing
Member
 
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82

Original Poster
Rep: Reputation: 15
That's an interesting and unique way to share/distribute your IDS. I haven't see it coming to my email yet. Perhaps it is indeed a snail mail as you put it. I'll wait and let you know once I get it. thanks.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Samba -- XP user can log in to shares but smbclient user always gets password errors ejoe Linux - Software 3 04-18-2005 11:55 AM
rpm for some reason is excuted by file roller? furtivefelon Linux - Newbie 11 02-09-2005 10:23 PM
What is this 'operator' user? ldp Slackware 5 12-30-2004 01:39 PM
Lost Password file when user deleted clickit999 Linux - Security 2 09-19-2004 12:12 PM
For some reason I can't compile a .cpp file with kdevelop, the button is greyed out. Manyguns Programming 1 07-16-2001 11:27 AM


All times are GMT -5. The time now is 01:09 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration