[Plug-security] Once cracked
Carl Parrish
plug-security@lists.PLUG.phoenix.az.us
Mon, 10 Sep 2001 15:45:20 -0700
operator. Still haven't seen anything done by it. If it wasn't a member
of the root group I would just assume something I installed put it
there. I've tried using last or su-ing to operator then pulling history
but so far nothing. It would be nice if I didn't have to wipe my
computer but at this point I'm thinking better safe than sorry. So if
anyone knows why operator would be there please let me know.
Carl P.
James wrote:
>What was the user's name?
>
>On Monday 10 September 2001 09:06 am, you wrote:
>
>>Okay the reason I think I've been cracked is that there is a user found
>>in /etc/passwd that I've never created and is a member of the root grp.
>>When I look under linuxconf this user doesn't show up. Now I'm thinking
>>it's "possible" that something I installed created this user. But how
>>would I find that out? And why would it need to be a member of the root
>>grp? I don't have telnet, sendmail, bash, or ftp running on my box. I do
>>allow IRC and as far as I know that's the *only* way someone could get
>>in. I'm not running IP tables like I should though. So far haven't seen
>>anything malicious on my machine. But you never know. Thanks for the ideas
>>so far. I'll be looking them over to see if I can figure it all out. But
>>if I haven't found out how they did it by the end of the day I'm just
>>going to wipe it all.
>>
>>Carl P.
>>
>>
>>_______________________________________________
>>Plug-security mailing list - Plug-security@lists.PLUG.phoenix.az.us
>>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-security
>>
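
Added example, not part of the original thread: one way to triage the situation described above is to list every passwd entry with UID 0 or primary GID 0 and check whether it has a login shell. The sample entries, the verdict labels and the function names are constructed for illustration; supplementary membership listed in /etc/group is not covered.

```shell
#!/bin/sh
# audit_passwd FILE  ("-" reads stdin)
# Prints one line per account with UID 0 or primary GID 0:
#   name uid gid shell verdict
audit_passwd() {
    awk -F: '
        # passwd(5) entries have exactly 7 fields; skip comments and junk.
        NF != 7 || /^#/ { next }
        $3 == 0 || $4 == 0 {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty shell field means /bin/sh
            nologin = (shell ~ /(nologin|false)$/)
            if ($3 == 0)
                # Any UID 0 name other than root is a second superuser.
                verdict = ($1 == "root") ? "expected" : "ALERT-second-uid0"
            else if (nologin)
                verdict = "gid0-no-login-shell"
            else
                verdict = "REVIEW-gid0-login-shell"
            print $1, $3, $4, shell, verdict
        }
    ' "${1:-/etc/passwd}"
}

# Constructed sample in passwd(5) format (not from the poster's machine).
# The operator line mirrors the kind of GID 0 system account that some
# distributions ship by default; toor and helper are made-up suspects.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
toor:x:0:0::/root:/bin/sh
helper:x:501:0::/home/helper:/bin/bash
carl:x:500:500::/home/carl:/bin/bash
EOF
}

# With an argument, audit that file; with none, audit the constructed sample.
if [ $# -gt 0 ]; then
    audit_passwd "$1"
else
    sample_passwd | audit_passwd -
fi
```

Run it as `sh audit.sh /etc/passwd` on the machine in question; a GID 0 entry with no login shell and no activity in `last` is far less alarming than a second UID 0 name.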