Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
10-23-2006, 05:39 AM
#1
Member
Registered: Mar 2006
Posts: 60
Some sec problems
I have some trouble.
<CODE>
# grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
</CODE>
Is this normal? Because in su.log I see
<CODE>
SU 05/10 06:25 + ??? root-nobody
SU 05/11 06:25 + ??? root-nobody
SU 05/12 06:25 + ??? root-nobody
SU 05/13 06:25 + ??? root-nobody
SU 05/14 06:25 + ??? root-nobody
</CODE>
authlog:
<CODE>
Oct 23 06:25:01 web su[6157]: + ??? root:nobody
</CODE>
Is that normal?
10-23-2006, 07:44 AM
#2
Moderator
Registered: May 2001
Posts: 29,415
Quote:
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
As far as I know it's supposed to have a UID and GID of 99 and shell set to something inert like /bin/false or /sbin/nologin.
Quote:
SU 05/13 06:25 + ??? root-nobody
SU 05/14 06:25 + ??? root-nobody
Oct 23 06:25:01 web su[6157]: + ??? root:nobody
Observe how the rate is consistent: once per day, same time. I'd look at scheduled jobs first.
10-23-2006, 11:31 AM
#3
Member
Registered: Aug 2003
Location: USexIRL
Distribution: *nix
Posts: 849
Also try to find out if there are any processes running as 'nobody' after it authenticates.
10-24-2006, 01:37 AM
#4
Member
Registered: Mar 2006
Posts: 60
Original Poster
Quote:
Originally Posted by mossy
also try to find out if there are any processes running as 'nobody' after it authenticates.
How can I do that? I am new to Linux. Some tips?
02-20-2007, 07:44 AM
#5
Member
Registered: Aug 2003
Location: USexIRL
Distribution: *nix
Posts: 849
<CODE>
ps -ef | grep nobody
</CODE>
To be honest it looks pretty bad that the 'nobody' uid has a shell and someone using it has been successful in su-ing to root. At that point I would consider the box compromised and would not trust any of the output from the system's commands (eg: ls, ps, w, etc). They were probably replaced with hacked/modified versions of the commands that conceal the cracker.
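An added example, not code from anyone in this thread, that checks the two things raised above from logs and files instead of from the possibly untrustworthy live system: whether a root-to-user su recurs at the same minute on several days (the scheduled-job signature the moderator pointed at) and what login shell the account has. The log lines are constructed in the authlog format quoted in the thread; the cron layout under /etc and the passwd path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. It answers the two questions raised
# above from logs and files rather than from the live system: does a root->user
# su recur at the same minute on several days (the scheduled-job signature the
# moderator pointed at), and what login shell does that account have?

# Constructed sample lines in the authlog format shown in the thread.
SAMPLE_AUTHLOG='Oct 21 06:25:01 web su[6101]: + ??? root:nobody
Oct 22 06:25:01 web su[6130]: + ??? root:nobody
Oct 23 06:25:01 web su[6157]: + ??? root:nobody
Oct 23 14:12:37 web su[7203]: + pts/2 alice:root
Oct 23 14:13:02 web su[7210]: - pts/2 bob:root'

# recurring_su MIN_DAYS: read authlog text on stdin and print, for each
# successful ("+") from:to pair and HH:MM, the number of distinct days it was
# seen, keeping only pairs seen on at least MIN_DAYS days. Failed ("-")
# attempts are ignored here; they belong in a separate brute-force check.
recurring_su() {
    grep ' su\[[0-9]*\]: + ' |
    awk -v n="${1:-3}" '
        { split($3, t, ":"); key = $NF " " t[1] ":" t[2]; day = $1 " " $2
          if (!((key, day) in seen)) { seen[key, day] = 1; days[key]++ } }
        END { for (k in days) if (days[k] >= n) print days[k], k }' |
    sort
}

# cron_mentions USER [ETCDIR]: list scheduled-job files under ETCDIR
# (assumed layout: a crontab file plus cron.* directories) that mention USER.
# A hit is the benign explanation for a once-a-day root->USER switch.
cron_mentions() {
    grep -rl -- "$1" "${2:-/etc}/crontab" "${2:-/etc}"/cron.* 2>/dev/null
}

# login_shell USER [PASSWDFILE]: print the login shell of USER from a
# passwd-format file; an interactive shell on a service account is worth noting.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "${2:-/etc/passwd}"
}

# Stand-alone run over the constructed sample: prints "3 root:nobody 06:25".
printf '%s\n' "$SAMPLE_AUTHLOG" | recurring_su 3
```

On a real box, feed it the actual log (`recurring_su 3 < /var/log/auth.log`) and compare any daily hit against `cron_mentions nobody`; if the cron files explain it, the daily entry is expected, and if they do not, the timing alone is not proof of anything either way.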
02-20-2007, 08:44 AM
#6
Moderator
Registered: May 2001
Posts: 29,415
Quote:
To be honest it looks pretty bad that the 'nobody' uid has a shell
Entry seems typical for (whatever release of at least) Debian. Please don't resurrect stale threads (older than say 3 months).