Hi All

I recently connected to the Internet ( dial-up ) my sytem is, RedHat9 and I use FireStarter as a firewall, I connected to my Yahoo mail account and my computer starting running very slow. I disconnected & reconnected countless times, nothing changed??? I then done cat /var/log/secure and found I had a new user and a new group, this the output..... - -

Mar 24 17:33:40 localhost sshd[3437]: Server listening on 0.0.0.0 port 22.
Mar 24 17:40:52 localhost sshd[3437]: Received signal 15; terminating.
Mar 25 16:05:24 localhost useradd[6298]: new group: name=wnn, gid=49
Mar 25 16:05:24 localhost useradd[6298]: new user: name=wnn, uid=49, gid=49, home=/home/wnn, shell=/bin/bash

I have no idea where this user or group came from, can anyone help?


Many thx in advance.


deft

The user wnn can be a normal system user in RH9, as shown here. However, if you look closely at the link, everything seems normal (uid,gid,default shell) except that the home directory seems abnormal (/home/wnn vs /var/lib/wnn) which is troublesome.

I believe the user wnn is required for language software that performs network extensible Japanese character conversion (like freewnn). Did you recently install anything like that? If you don't know, try checking your rpm database with:

rpm -qa | grep wnn

or maybe a up2date/yum addition? Check the logs of those in /var/log if you use either one to auto-update software.

Aside from that, have you checked root's .bash_history for anything around that time period that might be informative. Checkout /home/wnn and see what that turns up (esp take a look at wnn's .bash_history as well).

In general, take a close look at your other log files for anything abnormal, look at /etc/passwd for any other abnormal users or users w/ a uid/gid of 0. Take a look at the output of netstat -pantu and lsof -i to see if you have any abnormal services or backdoors listening and take a look at the outout of ps -aux. You could also download and run chkrootkit as well.

By itself, I don't think it's definitive of anything. Could be normal, but it does seem slightly suspicious.

Thanks Capt'n.. I recently updated my system using Synaptic, and it is very well possible that I may have accidently installed this program, or one of it's components. I done a "rpm -qa | grep wnn" which returned nothing and as far network connections to foreign hosts go ( netstat -pantu, lsof -i ) everything appears to ok.. I just checked via Synaptic as to which programs I have installed, I appear to have the followng programs installed,

FreeWnn-libs, FreeWnn-devel, Wnn6-SDK, FreeWnn-common

I have no idea what these programs are??? Though I will be going to check as soon as I have posted this : )

Capt'n thank you for your time...


deft