LinuxQuestions.org


glyn_walters 05-14-2003 05:33 AM

/home/backdoor
 
Hi.

I am a Linux newbie so sorry if these are standard *nix questions.

I have a public-facing Linux server and I notice there is a /home/backdoor directory alongside /home directories for other users that have logged in. It sounds dodgy to me. Is there any way I can find out whether there are login details for a user backdoor and whether it has been used?

Thanks
Glyn

jharris 05-14-2003 05:37 AM

What time/date was the backdoor directory created? Is there anything listed from last backdoor? You'll probably get more responses on this thread if it's in the security forum. I'll request it's moved for you.

cheers

Jamie...

jharris 05-14-2003 05:39 AM

If you have been cracked then you might find some of the following useful reading. (Shamelessly pasted from one of Unspawn's emails :D)

- "UNIX Security Checklist v2.0"
http://www.cert.org/tech_tips/unix_s...cklist2.0.html
- "The Twenty Most Critical Internet Security Vulnerabilities"
http://www.sans.org/top20/
- "Steps for Recovering from a UNIX or NT System Compromise"
http://www.cert.org/tech_tips/root_compromise.html
- "Collecting Electronic Evidence After A System Compromise"
http://national.auscert.org.au/rende...=2247&cid=2997

cheers

Jamie...

MasterC 05-14-2003 06:29 AM

/home/backdoor would suggest (to me) that user "backdoor" exists. Check /etc/passwd and post up the corresponding entry if it exists as well.

Cool

glyn_walters 05-14-2003 12:33 PM

Thanks for the replies. I will read through the links. The entry in /etc/passwd is

backdoor:x:0:503::/home/backdoor:/bin/bash

MasterC 05-14-2003 12:52 PM

Ooohhh... That really doesn't look good. Read over those links, take your system offline if you care about it...
It appears, to me, to have a UID of 0. This is root's uid. If a user has a uid of 0 the user is "seen" by your system as root himself (which is bad).

If you don't have a root password, create one. If you have one, change it. Read those links above, and uh, good luck ;)

Cool
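
The check described in the post above (a login other than root holding UID 0), as an added example that is not part of the original thread: a read-only shell function that scans a passwd-format file. The function names and every sample line except the posted `backdoor` entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads passwd-format data; changes nothing.

# audit_passwd [FILE...]  (reads stdin when no file is given)
# Prints one finding per line, prefixed with its kind.
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        NF != 7 { printf "MALFORMED line %d has %d fields\n", NR, NF; next }
        {
            login = $1; pw = $2; uid = $3
            # A login other than "root" with UID 0 is root as far as the system cares.
            if (uid ~ /^0+$/ && login != "root")
                printf "UID0 %s shell=%s home=%s\n", login, $7, $6
            # An empty password field may allow login without a password.
            if (pw == "")
                printf "NOPASSWD %s uid=%s\n", login, uid
            # Two logins sharing one UID are the same user to the kernel.
            if (uid in seen)
                printf "DUPUID %s shares uid %s with %s\n", login, uid, seen[uid]
            else
                seen[uid] = login
        }
    ' "$@"
}

# Constructed sample; only the last line is the entry posted in the thread.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
glyn:x:500:500::/home/glyn:/bin/bash
backdoor:x:0:503::/home/backdoor:/bin/bash
EOF
}

# Demo on the sample; on a real host run: audit_passwd /etc/passwd
sample_passwd | audit_passwd
```
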

Mara 05-15-2003 12:29 PM

Moving this post to Security...


All times are GMT -5.