LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 01-14-2008, 09:12 PM   #1
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 179

Rep: Reputation: 17
rpc user??


I am fairly new to linux and successfully setup a server to act as a file and ftp server. I recently looked at the /etc/passwd file an noticed new users that I didnt create. I dont know if they were done automatically by an update or if someone is tring to use the box.

rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin


That shows up in my /etc/passwd file, the uid does not go in order with my other users:

tedims:x:509:513:Ted Ims:/ftp/:/bin/bash
brizm:x:510:514::/ftp/:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
griera1:x:511:515::/ftp/:/bin/bash

Is this a possible attack?? With very little knowledge of rpc it seems like it could be.

Thanks
 
Old 01-14-2008, 09:30 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162Reputation: 162
No, by itself it's pretty normal. Slackware also has that in a default install. As you can see it doesn't have a usable shell (/sbin/nologin, or /bin/false in my case) so the account can't be used to login. If you're not doing anything with NFS, the account probably won't be used by the system for anything either.
Code:
rpc:x:32:32:RPC portmap user:/:/bin/false
 
Old 01-15-2008, 10:27 PM   #3
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 179

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by gilead View Post
No, by itself it's pretty normal. Slackware also has that in a default install. As you can see it doesn't have a usable shell (/sbin/nologin, or /bin/false in my case) so the account can't be used to login. If you're not doing anything with NFS, the account probably won't be used by the system for anything either.
Code:
rpc:x:32:32:RPC portmap user:/:/bin/false
Is it also normal to see this in /var/log/secure
(savone is me, but I didnt enter these commands)

Jan 13 08:27:38 bighat su: pam_unix(su-l:session): session opened for user root by
savone(uid=500)
Jan 13 08:30:46 bighat userdel[27647]: delete user `rpc'
Jan 13 08:30:46 bighat userdel[27647]: removed group `rpc' owned by `rpc'
Jan 13 08:30:49 bighat groupadd[27654]: new group: name=rpc, GID=32
Jan 13 08:30:49 bighat useradd[27658]: new user: name=rpc, UID=32, GID=32,
home=/var/lib/rpcbind, shell=/sbin/nologin
Jan 13 08:54:29 bighat su: pam_unix(su-l:session): session closed for user root
 
Old 01-15-2008, 10:41 PM   #4
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162Reputation: 162
It looks like you removed and re-installed the package that requires the rpc user. Were you doing system maintenance at the time?
 
Old 01-15-2008, 10:45 PM   #5
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 179

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by gilead View Post
It looks like you removed and re-installed the package that requires the rpc user. Were you doing system maintenance at the time?

Looks like I did a yum update, this is from the yum.log


Jan 13 08:28:44 Updated: bash - 3.2-19.fc8.i386
Jan 13 08:28:46 Updated: libxml2 - 2.6.31-1.fc8.i386
Jan 13 08:28:48 Updated: mesa-libGL - 7.0.2-2.fc8.i386
Jan 13 08:28:51 Updated: selinux-policy - 3.0.8-73.fc8.noarch
Jan 13 08:28:51 Installed: htmlview - 4.0.0-3.fc7.noarch
Jan 13 08:29:15 Updated: selinux-policy-devel - 3.0.8-73.fc8.noarch
Jan 13 08:29:56 Updated: selinux-policy-targeted - 3.0.8-73.fc8.noarch
Jan 13 08:29:57 Updated: mesa-libGLU - 7.0.2-2.fc8.i386
Jan 13 08:29:57 Updated: libtirpc - 0.1.7-14.fc8.i386
Jan 13 08:29:58 Updated: pciutils - 2.2.9-1.fc8.i386
Jan 13 08:30:45 Updated: evolution - 2.12.2-3.fc8.i386
Jan 13 08:30:46 Updated: libutempter - 1.1.5-1.fc8.i386
Jan 13 08:30:46 Updated: libtheora - 1.0beta2-3.fc8.i386
Jan 13 08:30:50 Updated: rpcbind - 0.1.4-12.fc8.i386
Jan 13 08:30:50 Updated: glx-utils - 7.0.2-2.fc8.i386
Jan 13 08:30:51 Updated: libxml2-python - 2.6.31-1.fc8.i386
Jan 13 08:31:01 Updated: nautilus-sendto - 0.12-5.fc8.i386
Jan 13 08:31:05 Updated: transmission - 1.00-1.fc8.i386
Jan 13 08:31:06 Updated: wpa_supplicant - 1:0.5.7-21.fc8.i386
Jan 13 08:31:07 Updated: sudo - 1.6.9p4-3.fc8.i386
Jan 13 08:31:07 Updated: pycairo - 1.4.12-1.fc8.i386
Jan 13 08:31:08 Updated: scim-hangul - 0.3.2-1.fc8.i386
Jan 13 08:31:11 Updated: doxygen - 1:1.5.4-1.fc8.i386
Jan 13 08:31:11 Updated: scim-chewing - 0.3.1-10.fc8.i386
Jan 13 08:31:12 Updated: psmisc - 22.6-2.fc8.i386
Jan 13 08:31:14 Updated: system-config-network-tui - 1.4.7-1.fc8.noarch
Jan 13 08:31:16 Updated: system-config-network - 1.4.7-1.fc8.noarch
 
Old 01-15-2008, 11:08 PM   #6
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162Reputation: 162
Based on the time stamps and the name (rpcbind - 0.1.4-12.fc8.i386) I'd say updating rpcbind caused it.

I'm not familiar with yum, but you should be able to use it (or one of the tools it came with) to verify that's the case.
 
  


Reply

Tags
rpc


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
NFS RPC: Port mapper failure - RPC: Unable to receive KEJP Linux - Networking 6 12-18-2006 03:14 AM
mountd time out: "mount_nfs: bad MNT RPC: RPC: Timed out" on client brush Debian 1 10-15-2006 03:01 PM
rpc.idmapd cannot find user nobody aznluvsmc Fedora 1 09-30-2005 11:59 PM
rpc.lockd & rpc.statd twantrd Linux - General 1 05-21-2005 10:24 AM
Unmounting NFS filesystems: Cannot MOUNTPROG RPC: RPC ErnstVikenstein Linux - General 4 05-31-2003 01:10 AM


All times are GMT -5. The time now is 02:39 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration