troot ID (RHEL v5.4)
I have a handful of remote servers where I discovered an ID named troot that has root privileges. Remote logon is disabled.
I'm trying to determine if this is an ID that has to be manually created or are there any known applications or processes within Linux that may create this ID? |
Quote:
- Remote login could have been disabled afterwards, no way to tell. Quote:
- check 'chage' details for the account. - Account creation gets logged (PAM) so check your /var/log/secure . If the log (and archived ones) don't go far enough back check your /etc/logrotate.d/ settings. - Find files on the system with group and user Id "troot". - Account usage gets logged (PAM) so check your wtmp ('last'), /var/log/secure and for example /var/log/cron. |
All times are GMT -5. The time now is 05:49 PM. |