Also look at /etc/shadow and ensure the second field has either an 
unintelligible hash, or a !!, or a *.  Make sure you do not see 
something like this:
root::12648:0:99999:7:::

Two colons in a row after the user name is really bad.

Good:
root:$1$Jjm1PaTt$Vnmn8njIkAJwOAZM9P9DD.:12648:0:99999:7:::

Bad:
root::12648:0:99999:7:::


To preclude a rootkit, you can always boot the box using Knoppix, then 
mount the suspect disk and look at /etc/shadow.

Regards,

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

In business, there are always problems.  It's how they are handled
that makes a difference.  Are you happy with your IT Manager?


Technomage wrote:
> On Saturday 15 April 2006 21:40, Bob Holtzman wrote:
> 
>>On Fri, 14 Apr 2006, Jason Spatafore wrote:
>>
>>>2. Check /etc/passwd and see if there are any accounts which are
>>>suspicious. Also check to see if there is an account with the UID of "0",
>>>other than root.
>>
>>How about an entry like nobody:x:99:99:Nobody:/:/sbin/nologin?
> 
> 
> thats a normal entry. I have that here on several machines.
> now if it were: nobody:x:0:0:Nobody:/:/bin/sh
> 
> *THEN* I would be concerned!
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change  you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
> 
> 
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change  you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss