LinuxQuestions.org
Old 03-25-2004, 06:57 PM   #1
deft
Member
 
Registered: Jan 2004
Location: Scotland
Distribution: Ubunto 7.10
Posts: 122

Rep: Reputation: 15
Where did this user come from?????


Hi All

I recently connected to the Internet (dial-up). My system is RedHat9 and I use FireStarter as a firewall. I connected to my Yahoo mail account and my computer started running very slow. I disconnected & reconnected countless times, nothing changed. I then did cat /var/log/secure and found I had a new user and a new group. This is the output:

Mar 24 17:33:40 localhost sshd[3437]: Server listening on 0.0.0.0 port 22.
Mar 24 17:40:52 localhost sshd[3437]: Received signal 15; terminating.
Mar 25 16:05:24 localhost useradd[6298]: new group: name=wnn, gid=49
Mar 25 16:05:24 localhost useradd[6298]: new user: name=wnn, uid=49, gid=49, home=/home/wnn, shell=/bin/bash

I have no idea where this user or group came from, can anyone help?


Many thx in advance.


deft
 
Old 03-25-2004, 10:59 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The user wnn can be a normal system user in RH9, as shown here. However, if you look closely at the link, everything seems normal (uid, gid, default shell) except that the home directory seems abnormal (/home/wnn vs /var/lib/wnn), which is troublesome.

I believe the user wnn is required for language software that performs network extensible Japanese character conversion (like freewnn). Did you recently install anything like that? If you don't know, try checking your rpm database with:

rpm -qa | grep wnn

or maybe an up2date/yum addition? Check the logs of those in /var/log if you use either one to auto-update software.

Aside from that, have you checked root's .bash_history for anything around that time period that might be informative? Check out /home/wnn and see what that turns up (esp. take a look at wnn's .bash_history as well).

In general, take a close look at your other log files for anything abnormal, look at /etc/passwd for any other abnormal users or users w/ a uid/gid of 0. Take a look at the output of netstat -pantu and lsof -i to see if you have any abnormal services or backdoors listening and take a look at the output of ps -aux. You could also download and run chkrootkit as well.

By itself, I don't think it's definitive of anything. Could be normal, but it does seem slightly suspicious.
 
Old 03-26-2004, 07:21 AM   #3
deft
Member
 
Registered: Jan 2004
Location: Scotland
Distribution: Ubunto 7.10
Posts: 122

Original Poster
Rep: Reputation: 15
Thanks Capt'n.. I recently updated my system using Synaptic, and it is very well possible that I may have accidentally installed this program, or one of its components. I did a "rpm -qa | grep wnn" which returned nothing, and as far as network connections to foreign hosts go ( netstat -pantu, lsof -i ) everything appears to be ok.. I just checked via Synaptic as to which programs I have installed, I appear to have the following programs installed,

FreeWnn-libs, FreeWnn-devel, Wnn6-SDK, FreeWnn-common

I have no idea what these programs are??? Though I will be going to check as soon as I have posted this : )

Capt'n thank you for your time...


deft

Last edited by deft; 03-26-2004 at 07:24 AM.
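
The checks suggested in reply #2, applied to the data in posts #1 and #3, as an added example that is not part of the original thread. It pulls useradd events out of secure-log text, flags uid 0 or a system-range uid with a home under /home, lists extra uid 0 accounts, and matches package names ignoring case (a case-sensitive grep for wnn does not match FreeWnn-libs or Wnn6-SDK). The function names, the UID_MIN=500 threshold (assumed Red Hat 9 default) and the two extra package names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). UID_MIN=500 is an assumption: the
# first regular-user UID on Red Hat 9; adjust for other distributions.
UID_MIN=500

# Read secure-log text on stdin; print "name uid home shell" per new user.
new_users() {
    sed -n 's/.*useradd\[[0-9]*\]: new user: name=\([^,]*\), uid=\([0-9]*\), gid=[0-9]*, home=\([^,]*\), shell=\(.*\)$/\1 \2 \3 \4/p'
}

# Flag new accounts that are uid 0, or system-range with a home under /home.
flag_users() {
    new_users | while read -r name uid home shell; do
        if [ "$uid" -eq 0 ]; then
            echo "$name: uid 0 (root-equivalent)"
        elif [ "$uid" -lt "$UID_MIN" ]; then
            case "$home" in
                /home/*) echo "$name: system uid $uid with home $home" ;;
            esac
        fi
    done
}

# Read passwd-format text on stdin; print non-root accounts with uid 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Read a package list on stdin (e.g. rpm -qa); match NAME ignoring case.
owning_packages() {
    grep -i -- "$1"
}

# The two useradd lines quoted in the first post.
sample_log() {
    cat <<'EOF'
Mar 25 16:05:24 localhost useradd[6298]: new group: name=wnn, gid=49
Mar 25 16:05:24 localhost useradd[6298]: new user: name=wnn, uid=49, gid=49, home=/home/wnn, shell=/bin/bash
EOF
}

# Constructed package list: the four names from post #3 plus two fillers.
sample_pkgs() {
    printf '%s\n' FreeWnn-libs FreeWnn-devel Wnn6-SDK FreeWnn-common bash openssh
}

sample_log | flag_users
sample_pkgs | owning_packages wnn
```

On a live system the same functions take real input: flag_users < /var/log/secure, uid0_accounts < /etc/passwd, and rpm -qa | owning_packages wnn.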
 
  

