is there an easy way to optain a list of users on my box?

bripage · 09-25-2002, 09:12 PM

I need to know if any users have been added to my box without me knowing. The only way that I can think of doing that is to acutally look at the file that the users are stored. But i want to know if theres an easier and quicker way. Is there?

akohlsmith · 09-25-2002, 09:26 PM

cut -d: -f 1 /etc/passwd

Realistically you want some kind of Intrusion Detection System, or IDS. Something like fcheck or tripwire will tell you what changed and when, which is much more useful; many rootkits never add another user as it's too easy to detect.

bripage · 09-25-2002, 09:45 PM

I typed that in and this came up :

root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
smmsp
mysql
rpc
gdm
pop
nobody
brian
george

I dont think Im supposed to have all those... Am I? Which ones can I delete, how and how can I check to make sure that I can infact delete them?

akohlsmith · 09-25-2002, 09:54 PM

you need some basic unix training. A lot of those accounts are normal, and even required.

If you cat your /etc/passwd you'll see username:#:#:blahblahblah... the first # is the user ID (UID), and the second is the group ID (GID) -- the big thing to watch out for is that only one, root, has 0:0.

The only other real piece of advice I can give is that on many systems, "real" user accounts (i.e. not machine accounts) start at 1000. anything under that is used by the machine (or added by a rootkit to try and look innocent) :-)

bripage · 09-25-2002, 10:17 PM

Thnx man... I get what your talkin bout exactly now.Thanks again.

peter_robb · 09-26-2002, 05:13 AM

Also, check out the lastlog command.
It will list all the users and the last time they logged in.

Of course, the system user names should NEVER have logged in...

Regards,
Peter

akohlsmith · 09-26-2002, 07:15 AM

The problem with 'last' and friends is that they only track logins -- buffer exploits and the like don't put entries into lastlog.