LinuxQuestions.org


namit 01-02-2007 09:22 AM

new user i did not add
 
Hey all, I was just looking through and found a user on my server in /etc/passwd and it's

-:x:1016:100::/home/-:

I did not create this user - I can not seem to delete it.

Should I be worried?

timmeke 01-02-2007 09:40 AM

Computer security is never 100% perfect, so you should also be a little "worried" about it :)

Before you continue, disconnect your computer from the network/internet to make sure that nobody can access it from the internet (just as a precaution). Then, try to find if that specific user '-' owns some files/directories, look at logfiles, run "rootkithunter", ...

The username '-' isn't very common, so I doubt it was created by a software package that was installed.

Maybe the user was created by mistake (ie a "useradd" command with incorrect syntax may have led to the creation of the user) or maybe the user was created by someone else who has access to your computer (not necessarily with bad intentions).

You could also:
1. Disable the account to see what happens (ie block logins).
2. Rename the username '-' to something else.
3. Delete the account altogether using 'userdel'.

anomie 01-02-2007 11:34 AM

namit, I'd be concerned. Are you the only admin on the box? If not, check with the other admins to find out how it got there (maybe they added it for some strange reason). If so, the other possibility is that a daemon installation added it. However: I find that very unlikely -- as was noted "-" is not exactly a normal name.

You can use the w command to see if this character is logged on at the moment. I'd also check to see if he's running any processes with something like ps -ef | grep '^-'

If processes are running under that account, what are they?

I would second the advice about searching for files he owns and also running rkhunter. I'd also lock his account with passwd -l '-' (I think that should work.. edit: no, it won't. you may need to just disable the account directly by adding a * to the beginning of the hash field in /etc/shadow. be careful in there.).

Let us know what you find out.

namit 01-02-2007 01:19 PM

There are no processes that he/she/it is running, but what about finding all files it owns? What's the best way of doing this?

As for security, I have it set so that only I and 2 other users can ssh into the machine, so I should be ok.

I am the only user.

As for deleting the user, I just went into /etc/shadow and removed that line. Was that clever? I have never had to edit this file.

What is the difference between shadow and passwd? Does passwd just hold the list and shadow hold the password?

btmiller 01-02-2007 03:26 PM

We see that this "user" has an ID of 1016 so you can do:

find / -uid 1016 -print

The /etc/passwd file must be world readable or things will break, therefore modern *nix systems store the actual encrypted password in a shadow file (/etc/shadow for most systems or /etc/master.passwd for the BSDs). The shadow file also stores a couple of other odds and ends like account expiry data, last password change, etc.
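An added example (not code from any poster in this thread) that turns the advice above into a small audit script: it lists regular-user accounts (UID >= 1000) that are not on an allow-list of accounts the admin knows they created, reports whether each one's shadow entry is locked, and prints the find command from this thread for that UID. The passwd and shadow contents are constructed sample data modelled on the '-' entry, and the allow-list name namit is an assumption.

```shell
#!/bin/sh
# Added example: audit local accounts for entries the admin did not create.
# SAMPLE_PASSWD / SAMPLE_SHADOW are constructed, not copied from a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
namit:x:1000:100::/home/namit:/bin/bash
-:x:1016:100::/home/-:
backup:x:1017:100::/home/backup:/bin/sh'
SAMPLE_SHADOW='root:$6$constructedhash:13500:0:99999:7:::
namit:$6$constructedhash:13500:0:99999:7:::
-:$6$constructedhash:13500:0:99999:7:::
backup:*:13500:0:99999:7:::'

# unexpected_accounts PASSWD_TEXT ALLOWLIST
# Prints "name:uid" for every account with UID >= 1000 whose name is not in the
# space-separated ALLOWLIST (the accounts the admin actually created).
unexpected_accounts() {
    printf '%s\n' "$1" | awk -F: -v allow=" $2 " '
        $3 >= 1000 && index(allow, " " $1 " ") == 0 { print $1 ":" $3 }'
}

# shadow_lock_state SHADOW_TEXT NAME
# Prints "locked" if the password field starts with '*' or '!', "empty" if the
# field is blank (no password needed to log in), otherwise "active".
# Prints nothing if NAME has no shadow entry at all.
shadow_lock_state() {
    printf '%s\n' "$1" | awk -F: -v name="$2" '
        $1 == name {
            if ($2 == "") print "empty";
            else if ($2 ~ /^[*!]/) print "locked";
            else print "active";
            exit
        }'
}

# audit_report PASSWD_TEXT SHADOW_TEXT ALLOWLIST
# One line per unexpected account, ending with the thread's find command for
# its UID (with -xdev added so /proc and network mounts are skipped). The find
# itself is only printed here so the example runs offline without root.
audit_report() {
    unexpected_accounts "$1" "$3" | while IFS=: read -r name uid; do
        state=$(shadow_lock_state "$2" "$name")
        printf '%s uid=%s shadow=%s -> find / -xdev -uid %s -print\n' \
            "$name" "$uid" "$state" "$uid"
    done
}

audit_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "namit"
```

On a live box, feed it the real files with audit_report "$(cat /etc/passwd)" "$(cat /etc/shadow)" "your accounts" as root, then run the printed find commands.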

namit 01-02-2007 06:22 PM

Sweet, thanks for that. Everything seems to be ok, but I will keep an eye on logins.

unSpawn 01-03-2007 02:48 AM

> everything seems to be ok

You should make certain everything *is* OK, not regard "seems OK" as good enough, because it isn't.
