LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-02-2007, 09:22 AM   #1
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Rep: Reputation: 30
new user i did not add


Hey all, I was just looking through and found a user on my server in /etc/passwd, and it's:

-:x:1016:100::/home/-:

I did not create this user, and cannot seem to delete it.

Should I be worried?
 
Old 01-02-2007, 09:40 AM   #2
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
Computer security is never 100% perfect, so you should also be a little "worried" about it.

Before you continue, disconnect your computer from the network/internet to make sure that nobody can access it from the internet (just as a precaution). Then, try to find out if that specific user '-' owns some files/directories, look at logfiles, run "rootkithunter", ...

The username '-' isn't very common, so I doubt if it is created by a software package that was installed.

Maybe the user was created by mistake (i.e. a "useradd" command with incorrect syntax may have led to the creation of the user) or maybe the user was created by someone else who has access to your computer (not necessarily with bad intentions).

You could also:
1. Disable the account to see what happens (ie block logins).
2. Rename the username '-' to something else.
3. Delete the account altogether using 'userdel'.
 
Old 01-02-2007, 11:34 AM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
namit, I'd be concerned. Are you the only admin on the box? If not, check with the other admins to find out how it got there (maybe they added it for some strange reason). If so, the other possibility is that a daemon installation added it. However: I find that very unlikely -- as was noted "-" is not exactly a normal name.

You can use the w command to see if this character is logged on at the moment. I'd also check to see if he's running any processes with something like ps -ef | grep '^-'

If processes are running under that account, what are they?

I would second the advice about searching for files he owns and also running rkhunter. I'd also lock his account with passwd -l '-' (I think that should work... Edit: no, it won't. You may need to just disable the account directly by adding a * to the beginning of the hash field in /etc/shadow. Be careful in there.).

Let us know what you find out.

Last edited by anomie; 01-02-2007 at 11:37 AM.
 
Old 01-02-2007, 01:19 PM   #4
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Original Poster
Rep: Reputation: 30
There are no processes that he/she/it is running, but what about finding all files it owns? What's the best way of doing this?

As for security, I have it so that only I and 2 other users can ssh into the machine, so I should be OK.

I am the only user.

As for deleting the user, I just went into /etc/shadow and removed that line. Was that clever? I have never had to edit this file.

What is the difference between shadow and passwd? Does passwd just hold the list and shadow hold the password?

Last edited by namit; 01-02-2007 at 01:21 PM.
 
Old 01-02-2007, 03:26 PM   #5
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
We see that this "user" has an ID of 1016 so you can do:

find / -uid 1016 -print

The /etc/passwd file must be world readable or things will break, therefore modern *nix systems store the actual encrypted password in a shadow file (/etc/shadow for most systems or /etc/master.passwd for the BSDs). The shadow file also stores a couple other odds and ends like account expire data, last password change, etc.
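
Added example (not part of any post in this thread): a cross-check of passwd- and shadow-format files that flags the kind of entry discussed here, including a passwd line left behind after only its shadow line was removed. The function names audit_accounts and write_sample are hypothetical, and all sample data is constructed except the "-" line quoted from the first post.

```shell
#!/bin/sh
# Added example: cross-check passwd- and shadow-format files for odd entries.
# Paths are arguments, so it can be pointed at copies instead of live files.

# Usage: audit_accounts <passwd-file> <shadow-file>
# Prints one finding per line: "<check> <name> <detail>"
audit_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { shadow[$1] = 1; next }   # first file: shadow
        {
            name = $1; uid = $3; known[name] = 1
            if (uid in seen) print "dup-uid", name, "shares uid " uid " with " seen[uid]
            else seen[uid] = name
            # Conventional login names start with a lowercase letter or "_"
            if (name !~ /^[a-z_][a-z0-9_-]*[$]?$/) print "odd-name", name, "uid=" uid
            # passwd line with no shadow line, e.g. after a partial manual delete
            if (!(name in shadow)) print "no-shadow", name, "uid=" uid
            # Empty 7th field means the default shell /bin/sh, not "no login"
            if ($7 == "") print "empty-shell", name, "uid=" uid
        }
        END { for (n in shadow) if (!(n in known)) print "no-passwd", n, "-" }
    ' "$2" "$1"
}

# Constructed sample files; only the "-" line comes from the thread.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
namit:x:1000:100::/home/namit:/bin/bash
copy:x:1000:100::/home/copy:/bin/bash
-:x:1016:100::/home/-:
EOF
    cat > "$1/shadow" <<'EOF'
root:*:13515:0:99999:7:::
namit:*:13515:0:99999:7:::
copy:*:13515:0:99999:7:::
stale:*:13515:0:99999:7:::
EOF
}

# Demo run against the constructed sample
tmp=$(mktemp -d)
write_sample "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

On a live system, run it as root against /etc/passwd and /etc/shadow; `pwck -r` from shadow-utils performs a related read-only consistency check.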
 
Old 01-02-2007, 06:22 PM   #6
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Original Poster
Rep: Reputation: 30
Sweet, thanks for that. Everything seems to be OK, but I will keep an eye on logins.
 
Old 01-03-2007, 02:48 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: "everything seems to be ok"
You should make certain everything *is* OK, not regard "seems OK" as good enough because it isn't.
 
  

