LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-23-2006, 05:39 AM   #1
unkn0wn
Member
 
Registered: Mar 2006
Posts: 60

Rep: Reputation: 15
Some sec problems


I have some trouble .

# grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

Is this normal?
because i see in su.log i see

SU 05/10 06:25 + ??? root-nobody
SU 05/11 06:25 + ??? root-nobody
SU 05/12 06:25 + ??? root-nobody
SU 05/13 06:25 + ??? root-nobody
SU 05/14 06:25 + ??? root-nobody

authlog:

Oct 23 06:25:01 web su[6157]: + ??? root:nobody

Is that normal.
 
Old 10-23-2006, 07:44 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
As far as I know it's supposed to have an UID and GID of 99 and shell set to something inert like /bin/false or /sbin/nologin.


SU 05/13 06:25 + ??? root-nobody
SU 05/14 06:25 + ??? root-nobody


Oct 23 06:25:01 web su[6157]: + ??? root:nobody[/i]
Observe how the rate is consistent: once per day, same time. I'd look at scheduled jobs first.
 
Old 10-23-2006, 11:31 AM   #3
mossy
Member
 
Registered: Aug 2003
Location: USexIRL
Distribution: *nix
Posts: 849

Rep: Reputation: 30
also try to find out if there are any processes running as 'nobody' after it authenticates.
 
Old 10-24-2006, 01:37 AM   #4
unkn0wn
Member
 
Registered: Mar 2006
Posts: 60

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by mossy
also try to find out if there are any processes running as 'nobody' after it authenticates.
How can i do that. I am new around linux . Some tips?
 
Old 02-20-2007, 07:44 AM   #5
mossy
Member
 
Registered: Aug 2003
Location: USexIRL
Distribution: *nix
Posts: 849

Rep: Reputation: 30
<CODE>
ps -ef | grep nobody
</CODE>

To be honest it looks pretty bad that the 'nobody' uid has a shell and someone using it has been successful in su-ing to root. At that point I would consider the box compromised and would not trust any of the output from the system's commands (eg: ls, ps, w, etc). They were probably replaced with hacked/modified versions of the commands that conceal the cracker.
 
Old 02-20-2007, 08:44 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
To be honest it looks pretty bad that the 'nobody' uid has a shell
Entry seems typical for (whatever release of at least) Debian. Please don't resurrect stale threads (older than say 3 months).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Mandrake 10 Internet very slow (<1kb/sec) while windows got 50k/sec SafeTechs Mandriva 13 09-01-2006 04:07 PM
more complaints to the SEC jailbait General 1 06-22-2004 03:00 PM
Windows 98 sec the best? Mannyakatheman General 24 11-19-2003 07:03 PM
IP Sec Redhat 9 martini_drinker Linux - Security 2 07-25-2003 02:57 PM
hdparm 64MB in 19.68 sec=3.25 MB/sec illtbagu Linux - General 11 06-26-2003 07:03 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:01 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration