Old 05-14-2003, 05:33 AM   #1
glyn_walters
LQ Newbie
 
Registered: May 2003
Posts: 2

Rep: Reputation: 0
/home/backdoor


Hi.

I am a linux newbie so sorry if these are standard *nix questions.

I have a public facing linux server and I notice there is a /home/backdoor directory alongside /home directories for other users that have logged in. It sounds dodgy to me. Is there any way I can find out whether there are login details for a user backdoor and whether it has been used?

Thanks
Glyn
 
Old 05-14-2003, 05:37 AM   #2
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
What time/date was the backdoor directory created? Is there anything listed from last backdoor? You'll probably get more responses on this thread if it's in the security forum. I'll request it's moved for you.

cheers

Jamie...
 
Old 05-14-2003, 05:39 AM   #3
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
If you have been cracked then you might find some of the following useful reading. (Shamelessly pasted from one of Unspawn's emails)

- "UNIX Security Checklist v2.0"
http://www.cert.org/tech_tips/unix_s...cklist2.0.html
- "The Twenty Most Critical Internet Security Vulnerabilities"
http://www.sans.org/top20/
- "Steps for Recovering from a UNIX or NT System Compromise"
http://www.cert.org/tech_tips/root_compromise.html
- "Collecting Electronic Evidence After A System Compromise"
http://national.auscert.org.au/rende...=2247&cid=2997

cheers

Jamie...
 
Old 05-14-2003, 06:29 AM   #4
MasterC
Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 64
/home/backdoor would suggest (to me) that user "backdoor" exists. Check /etc/passwd and post up the corresponding entry if it exists as well.

Cool
 
Old 05-14-2003, 12:33 PM   #5
glyn_walters
LQ Newbie
 
Registered: May 2003
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for the replies. I will read through the links. The entry in /etc/passwd is

backdoor:x:0:503::/home/backdoor:/bin/bash
 
Old 05-14-2003, 12:52 PM   #6
MasterC
Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 64
Ooohhh... That really doesn't look good. Read over those links, take your system offline if you care about it...
It appears, to me, to have a UID of 0. This is root's uid. If a user has a uid of 0 the user is "seen" by your system as root himself (which is bad).

If you don't have a root password, create one. If you have one, change it. Read those links above, and uh, good luck

Cool
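
Added example, not part of any post in this thread: a shell check for the condition discussed in posts #4 to #6, an entry in /etc/passwd other than root that carries UID 0, followed by the `last` lookup suggested in post #2. The function names (uid0_accounts, has_login_shell, audit) are this example's own, and it assumes the standard seven-field passwd format.

```shell
#!/bin/sh
# Added example (not from the thread): list accounts that share root's UID.

# Print "name:gid:home:shell" for every UID 0 account other than root
# found in a passwd-format file (default: /etc/passwd).
uid0_accounts() {
    awk -F: '
        /^#/ || NF < 7 { next }          # skip comments, blank or malformed lines
        $3 ~ /^0+$/ && $1 != "root" {    # UID 0, also when written as 00
            printf "%s:%s:%s:%s\n", $1, $4, $6, $7
        }' "${1:-/etc/passwd}"
}

# Return 0 if the shell field allows an interactive login.
# An empty shell field means /bin/sh, so it counts as a login shell.
has_login_shell() {
    case "$1" in
        */nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}

# Report each extra UID 0 account and, when checking the live system,
# show its recent logins with last(1), as suggested in the thread.
audit() {
    file="${1:-/etc/passwd}"
    uid0_accounts "$file" | while IFS=: read -r name gid home shell; do
        if has_login_shell "$shell"; then state="can log in"; else state="no login shell"; fi
        echo "UID 0 account: $name (gid $gid, home $home, shell ${shell:-/bin/sh}): $state"
        if [ "$file" = /etc/passwd ] && command -v last >/dev/null 2>&1; then
            last "$name" | head -n 5
        fi
    done
}

# Run only when a file is named on the command line, e.g.: sh uid0_audit.sh /etc/passwd
if [ $# -gt 0 ]; then audit "$1"; fi
```

On a host that may already be compromised, the output of `last` and the contents of /etc/passwd can themselves have been altered, so an empty result is not proof that the account was never used.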
 
Old 05-15-2003, 12:29 PM   #7
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,539

Rep: Reputation: 149Reputation: 149
Moving this post to Security...
 
  

