Any reason user 'operator' is in the password file?

LionKing · 06-08-2001, 11:18 AM

I wondering if the user 'operator' is automatically installed by Redhat default configuration.

See my /etc/passwd file bellow.
I wondering which system service or program needs to
have these account to here in the passwd file: namely: 'operator', 'wnn', or these possibly inserted by
hackers?

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0

perator:/root: <<----
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:
apache:x:48:48:Apache:/var/www:/bin/false
named:x:25:25:Named:/var/named:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
mailnull:x:47:47::/var/spool/mqueue:/dev/null
wnn:x:49:49:Wnn System Account:/home/wnn:/bin/bash <----
ident:x:98:98

ident user:/:/bin/false
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
pvm:x:24:24::/usr/share/pvm3:/bin/bash
--------
finger operator results:
# finger operator
Login: operator Name: operator
Directory: /root Shell: /bin/sh
Never logged in.
No mail.
No Plan.
--------
rpm -q wnn
package wnn is not installed
[root@machine1 /]# man wnn
No manual entry for wnn

thanks.

raz · 06-11-2001, 04:27 AM

Hi,

The operator user is normal, + it has no shell so it used by the OS system for admin tasks.

The wnn user is not normal.
If you have installed a Kana-to-Kanji conversion system then you would have this user name.
If not, someone else with root priv's has put it there.

Check these files to see what's installed
If not then someone has removed the extensions but not the passwd file.

If your box is a fresh install with no other users then I would be worried, if not then someone has installed wnn as suid allowing it to modify the passwd file.

/etc/rc.d/init.d/jserver.init
/etc/rc.d/rc0.d/K12jserver
/etc/rc.d/rc2.d/S12jserver
/etc/rc.d/rc3.d/S12jserver
/etc/rc.d/rc5.d/S12jserver
/etc/rc.d/rc6.d/K12jserver
/usr/doc/Wnn-4.2
/usr/doc/Wnn-4.2/RN_Wnn42
/usr/doc/Wnn-4.2/Xsi
/usr/doc/Wnn-4.2/Xsi/README
/usr/doc/Wnn-4.2/Xsi/README.sun
/usr/doc/Wnn-4.2/Xsi/Wnn
/usr/doc/Wnn-4.2/Xsi/Wnn/FAQ
/usr/doc/Wnn-4.2/Xsi/Wnn/READ.ME
/usr/doc/Wnn-4.2/Xsi/Wnn/READ.ME.j
/usr/doc/Wnn-4.2/Xsi/config
/usr/doc/Wnn-4.2/Xsi/config/Project.tmpl
/usr/doc/Wnn-4.2/Xsi/config/X11.tmpl
/usr/local/bin/Wnn4
/usr/local/bin/Wnn4/atod
/usr/local/bin/Wnn4/atof
/usr/local/bin/Wnn4/dtoa
/usr/local/bin/Wnn4/jserver
/usr/local/bin/Wnn4/oldatonewa
/usr/local/bin/Wnn4/uum
/usr/local/bin/Wnn4/wddel
/usr/local/bin/Wnn4/wdreg
/usr/local/bin/Wnn4/wnnkill
/usr/local/bin/Wnn4/wnnstat
/usr/local/bin/Wnn4/wnntouch
/usr/local/lib/libjd.so.1.0
/usr/local/lib/libjd.so.1.0.0
/usr/local/lib/libwnn.so.1.0
/usr/local/lib/libwnn.so.1.0.0
/usr/local/lib/wnn
/usr/local/lib/wnn/cvt_key_empty
/usr/local/lib/wnn/cvt_key_tbl
/usr/local/lib/wnn/cvt_key_tbl.ST
/usr/local/lib/wnn/cvt_key_tbl.gm
/usr/local/lib/wnn/cvt_key_tbl.kt
/usr/local/lib/wnn/cvt_key_tbl.mv
/usr/local/lib/wnn/cvt_key_tbl.vt
/usr/local/lib/wnn/ja_JP
/usr/local/lib/wnn/ja_JP/dic
/usr/local/lib/wnn/ja_JP/dic/pubdic
/usr/local/lib/wnn/ja_JP/dic/pubdic/bio.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/chimei.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/computer.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/full.fzk
/usr/local/lib/wnn/ja_JP/dic/pubdic/jinmei.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/kihon.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/kougo.fzk
/usr/local/lib/wnn/ja_JP/dic/pubdic/koyuu.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/setsuji.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/special.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/std.fzk
/usr/local/lib/wnn/ja_JP/dic/pubdic/symbol.dic
/usr/local/lib/wnn/ja_JP/dic/pubdic/tankan.dic
/usr/local/lib/wnn/ja_JP/dic/src
/usr/local/lib/wnn/ja_JP/dic/src/fzk.attr
/usr/local/lib/wnn/ja_JP/dic/src/fzk.con
/usr/local/lib/wnn/ja_JP/dic/src/fzk.fzkattr
/usr/local/lib/wnn/ja_JP/dic/src/fzk.jirattr
/usr/local/lib/wnn/ja_JP/dic/src/fzk.jircon
/usr/local/lib/wnn/ja_JP/dic/src/fzk.master
/usr/local/lib/wnn/ja_JP/dic/src/fzk.shuutan
/usr/local/lib/wnn/ja_JP/dic/usr
/usr/local/lib/wnn/ja_JP/dic/wnncons
/usr/local/lib/wnn/ja_JP/dic/wnncons/tankan2.dic
/usr/local/lib/wnn/ja_JP/dic/wnncons/tankan3.dic
/usr/local/lib/wnn/ja_JP/hinsi.data
/usr/local/lib/wnn/ja_JP/jserverrc
/usr/local/lib/wnn/ja_JP/libwnn.msg
/usr/local/lib/wnn/ja_JP/rk
/usr/local/lib/wnn/ja_JP/rk.vi
/usr/local/lib/wnn/ja_JP/rk.vi/1B_newTOUPPER
/usr/local/lib/wnn/ja_JP/rk.vi/2A_CTRL
/usr/local/lib/wnn/ja_JP/rk.vi/2B_KEISEN
/usr/local/lib/wnn/ja_JP/rk.vi/2B_ROMKANA
/usr/local/lib/wnn/ja_JP/rk.vi/2C_KEISEN1
/usr/local/lib/wnn/ja_JP/rk.vi/2C_VI
/usr/local/lib/wnn/ja_JP/rk.vi/2C_VIEX
/usr/local/lib/wnn/ja_JP/rk.vi/2C_VISH
/usr/local/lib/wnn/ja_JP/rk.vi/2_VITHROW
/usr/local/lib/wnn/ja_JP/rk.vi/3B_ZENASC
/usr/local/lib/wnn/ja_JP/rk.vi/mode
/usr/local/lib/wnn/ja_JP/rk.vi/uumkey
/usr/local/lib/wnn/ja_JP/rk/1B_TOUPPER
/usr/local/lib/wnn/ja_JP/rk/1B_ZENHIRA
/usr/local/lib/wnn/ja_JP/rk/1B_ZENKATA
/usr/local/lib/wnn/ja_JP/rk/1B_newTOUPPER
/usr/local/lib/wnn/ja_JP/rk/2A_CTRL
/usr/local/lib/wnn/ja_JP/rk/2B_DAKUTEN
/usr/local/lib/wnn/ja_JP/rk/2B_JIS
/usr/local/lib/wnn/ja_JP/rk/2B_ROMKANA
/usr/local/lib/wnn/ja_JP/rk/2_TCODE
/usr/local/lib/wnn/ja_JP/rk/3B_HANKATA
/usr/local/lib/wnn/ja_JP/rk/3B_KATAKANA
/usr/local/lib/wnn/ja_JP/rk/3B_ZENKAKU
/usr/local/lib/wnn/ja_JP/rk/autork
/usr/local/lib/wnn/ja_JP/rk/mode
/usr/local/lib/wnn/ja_JP/rk/mode.hankata
/usr/local/lib/wnn/ja_JP/rk/mode.nohankata
/usr/local/lib/wnn/ja_JP/uum.msg
/usr/local/lib/wnn/ja_JP/uumkey
/usr/local/lib/wnn/ja_JP/uumkey.omr
/usr/local/lib/wnn/ja_JP/uumkey_e
/usr/local/lib/wnn/ja_JP/uumrc
/usr/local/lib/wnn/ja_JP/uumrc.omr
/usr/local/lib/wnn/ja_JP/uumrc.rev
/usr/local/lib/wnn/ja_JP/uumrc_e
/usr/local/lib/wnn/ja_JP/uumrc_vi
/usr/local/lib/wnn/ja_JP/wnnenvrc
/usr/local/lib/wnn/ja_JP/wnnenvrc.omr
/usr/local/lib/wnn/ja_JP/wnnenvrc.rem
/usr/local/lib/wnn/ja_JP/wnnenvrc.rev
/usr/local/lib/wnn/ja_JP/wnnenvrc_R
/usr/local/lib/wnn/ja_JP/wnnenvrc_R.omr
/usr/local/lib/wnn/ja_JP/wnnenvrc_R.rem
/usr/local/lib/wnn/ja_JP/wnnstat.msg
/usr/local/lib/wnn/lt_LN
/usr/local/lib/wnn/lt_LN/rk
/usr/local/lib/wnn/lt_LN/rk/2A_CTRL
/usr/local/lib/wnn/lt_LN/rk/2B_LATIN
/usr/local/lib/wnn/lt_LN/rk/mode
/usr/local/lib/wnn/lt_LN/uum.msg
/usr/local/lib/wnn/lt_LN/uumkey
/usr/local/lib/wnn/lt_LN/uumkey_e
/usr/local/lib/wnn/lt_LN/uumrc
/usr/local/lib/wnn/serverdefs
/usr/local/man/ja_JP.ujis/man1/atod.1
/usr/local/man/ja_JP.ujis/man1/atof.1
/usr/local/man/ja_JP.ujis/man1/dtoa.1
/usr/local/man/ja_JP.ujis/man1/jserver.1
/usr/local/man/ja_JP.ujis/man1/oldatonewa.1
/usr/local/man/ja_JP.ujis/man1/uum.1
/usr/local/man/ja_JP.ujis/man1/wddel.1
/usr/local/man/ja_JP.ujis/man1/wdreg.1
/usr/local/man/ja_JP.ujis/man1/wnnkill.1
/usr/local/man/ja_JP.ujis/man1/wnnstat.1
/usr/local/man/ja_JP.ujis/man1/wnntouch.1
/usr/local/man/ja_JP.ujis/man4/2a_ctrl.4
/usr/local/man/ja_JP.ujis/man4/2b_romkana.4
/usr/local/man/ja_JP.ujis/man4/cvt_key_tbl.4
/usr/local/man/ja_JP.ujis/man4/fzk.data.4
/usr/local/man/ja_JP.ujis/man4/fzk.u.4
/usr/local/man/ja_JP.ujis/man4/hinsi_data.4
/usr/local/man/ja_JP.ujis/man4/jserverrc.4
/usr/local/man/ja_JP.ujis/man4/mode.4
/usr/local/man/ja_JP.ujis/man4/serverdefs.4
/usr/local/man/ja_JP.ujis/man4/ujis_dic.4
/usr/local/man/ja_JP.ujis/man4/uumkey.4
/usr/local/man/ja_JP.ujis/man4/uumrc.4
/usr/local/man/ja_JP.ujis/man4/wnnenvrc.4
/usr/local/man/ja_JP.ujis/man5/pubdic.5
/usr/local/man/ja_JP.ujis/man5/usr_dic.

/Raz

LionKing · 06-11-2001, 10:24 AM

Thank you for your reply. I was concerned my passwd file for possible tampering because the machine was running Redhat 7.0 with bind (named) as namelookup caching server. And it was obviously got hacked -
One day, I noticed the nslookup no longer able to resove from default server 127.0.0.1, returns error with something unable to connect default server 127.0.0.1, but it can rely on secondary (outside) DNS to resolve. I did a " ps -aux |more " and found a strange process called '/dev/ttyyy/.kore' youSUCK running. Then I did further digging and found it was a virus installed on the Linux machine which connects to an irc server with uk domain string upon booting. It has very much similarity to the instance described in the following link but not exactly the same.

http://www2.linuxjournal.com/articles/culture/0022.html

http://www.rvglug.org/pipermail/rvgl...ry/000436.html

So I contacted the author of above article by email and provided him a name/password for my system, and asked him if he'd interested to take look, but I have not heard back from him. So I decided to delete the virus and restore/repair my system, I used bootnet.img to ftp and upgraded the system to Redhat 7.1 (not install from scratch because I need to preserve old data).

My Redhat machine has two NIC cards, one external NIC connects to cable modem via a hub, and one internal NIC connecting local LAN, with ipchaines, serving as gateway for internal LAN to the internet. It works very well. I was just try to verify the security or any backdoors which may left open by previous hacker. Any comments or suggestions would be very much appreciated.

One more thing, when I do a 'netstat -a', I got following and I don't quite understand, why I have ports 32768,32769, 32770 and 32771 open but I don't see them ever connects to anywhere?

[root@ /root]# netstat -a |more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 luna:domain *:* LISTEN
tcp 0 0 solar:domain *:* LISTEN
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
tcp 0 0 *:https *:* LISTEN
tcp 0 36 solar:ssh air1.mydomain.com:1022 ESTABLISHED
udp 0 0 *:32768 *:*
udp 0 0 *:who *:*
udp 0 0 *:32769 *:*
udp 0 0 *:32770 *:*
udp 0 0 *:32771 *:*
.....
.....

The following is what I have running on the system:
apache http server;
bind name server (caching only, for internal LAN stations);
ipchains for ip masquerading.
ssh as a secured substitute for telnet
(yet to enable sendmail).

thank you very much.

raz · 06-11-2001, 10:53 AM

That UDP stuff is not normal unless your streaming some kind of data in from outside.

I suggest you turn these off and block the rest from outside world.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:sunrpc *:* LISTEN "REMOVE"
tcp 0 0 *:x11 *:* LISTEN "REMOVE"
tcp 0 0 *:http *:* LISTEN "PATCH"
tcp 0 0 *:auth *:* LISTEN "REMOVE"
tcp 0 0 luna:domain *:* LISTEN "BLOCK"
tcp 0 0 solar:domain *:* LISTEN "BLOCK"
tcp 0 0 localhost:domain *:* LISTEN "BLOCK"
tcp 0 0 *:ssh *:* LISTEN "BLOCK"
tcp 0 0 localhost:smtp *:* LISTEN "Not sure if you pull mail in"
tcp 0 0 *:https *:* LISTEN "PATCH"
tcp 0 36 solar:ssh air1.mydomain.com:1022 ESTABLISHED
udp 0 0 *:32768 *:* "BLOCK ALL UDP(not udp 53)
udp 0 0 *:who *:* "same as above"
udp 0 0 *:32769 *:* "same as above"
udp 0 0 *:32770 *:* "same as above"
udp 0 0 *:32771 *:* "same as above"

Send me an email to roldbury@newmail.net and I'll help you design a good firewall using Ipchains + a good IDS.

/Raz

LionKing · 06-11-2001, 12:15 PM

Thanks again for your advise and your email address, I will send you an email in next 30min. It would be nice to have some IDS, I have been my desire for long time, but I was not sure where to start. I bought a NFR eval copy of Cisco package, but it was old already and it runs only on Sun. Your help/input is very much appreciated.

raz · 06-12-2001, 03:40 AM

ok np I'll check that email account in a min. "it's a snail mail service"

The IDS is a home made one that I wrote, with some help from perl CPAN.

It works v-well.

/Raz

LionKing · 06-12-2001, 07:56 AM

Where I can fetch a copy of your home made IDS?
thanks.

raz · 06-12-2001, 08:17 AM

Hi Joe,

It's not publicly available.
I've emailed you details.

It takes about 45 minutes to set-up and tune.

I don't make it publicly available, so people can't work out how to disable it before I'm notified about them.
"This is only if someone gets in"

Otherwise it tells you all the normal stuff like when your system goes into Promiscuous mode or a new module is loaded and any scans done on your system, + login in attempts and SSH connections etc etc etc.

/Raz

LionKing · 06-12-2001, 08:54 AM

That's an interesting and unique way to share/distribute your IDS. I haven't see it coming to my email yet. Perhaps it is indeed a snail mail as you put it. I'll wait and let you know once I get it. thanks.