Also look at /etc/shadow and ensure the second field has either an
unintelligible hash, or a !!, or a *. Make sure you do not see
something like this:
root::12648:0:99999:7:::

Two colons in a row after the user name is really bad.

Good:
root:$1$Jjm1PaTt$Vnmn8njIkAJwOAZM9P9DD.:12648:0:99999:7:::

Bad:
root::12648:0:99999:7:::

To preclude a rootkit, you can always boot the box using Knoppix, then
mount the suspect disk and look at /etc/shadow.

Regards,

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

In business, there are always problems. It's how they are handled that
makes a difference. Are you happy with your IT Manager?

Technomage wrote:
> On Saturday 15 April 2006 21:40, Bob Holtzman wrote:
>
>>On Fri, 14 Apr 2006, Jason Spatafore wrote:
>>
>>>2. Check /etc/passwd and see if there are any accounts which are
>>>suspicious. Also check to see if there is an account with the UID of "0",
>>>other than root.
>>
>>How about an entry like nobody:x:99:99:Nobody:/:/sbin/nologin?
>
>
> that's a normal entry. I have that here on several machines.
> now if it were: nobody:x:0:0:Nobody:/:/bin/sh
>
> *THEN* I would be concerned!
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
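
The two checks discussed in this thread (an empty second field in /etc/shadow, and a UID of 0 on any account other than root in /etc/passwd) can be scripted as below. This is an added example, not part of any of the messages above; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the two conditions the thread warns about.
# File paths are arguments, so copies on a mounted suspect disk can be checked.

# Accounts whose shadow password field (field 2) is empty: no password needed.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $1 != "" && $2 == "" { print $1 }' "$1"
}

# Accounts other than root whose passwd UID (field 3) is numerically 0.
# The numeric test also catches spellings such as "00".
extra_uid0_accounts() {
    awk -F: '$1 != "root" && $3 ~ /^[0-9]+$/ && $3 + 0 == 0 { print $1 }' "$1"
}

# Report both findings; return 1 if anything was flagged, 0 if clean.
audit_accounts() {   # usage: audit_accounts PASSWD_FILE SHADOW_FILE
    rc=0
    for u in $(extra_uid0_accounts "$1"); do
        echo "UID 0 account other than root: $u"; rc=1
    done
    for u in $(empty_password_accounts "$2"); do
        echo "empty password field in shadow: $u"; rc=1
    done
    return $rc
}

# Constructed sample files (the hash is a placeholder, not a real credential).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:0:0:Nobody:/:/bin/sh
EOF
cat > "$demo_dir/shadow" <<'EOF'
root::12648:0:99999:7:::
daemon:*:12648:0:99999:7:::
george:$1$CONSTRUCTED$placeholderHashValue00:12648:0:99999:7:::
EOF
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow" || echo "review the accounts listed above"
```

When the suspect disk is mounted from live media as suggested above, call `audit_accounts` with the mounted copies of the two files instead of the sample data, so that the tools doing the reading come from the live media rather than from the suspect system.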