Also look at /etc/shadow and ensure the second field has either an
unintelligible hash, or a !!, or a *. Make sure you do not see
something like this:
root::12648:0:99999:7:::
Two colons in a row after the user name is really bad.
Good:
root:$1$Jjm1PaTt$Vnmn8njIkAJwOAZM9P9DD.:12648:0:99999:7:::
Bad:
root::12648:0:99999:7:::
To preclude a rootkit, you can always boot the box using Knoppix, then
mount the suspect disk and look at /etc/shadow.
Regards,
George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067
In business, there are always problems. It's how they are handled
that makes a difference. Are you happy with your IT Manager?
Technomage wrote:
> On Saturday 15 April 2006 21:40, Bob Holtzman wrote:
>
>>On Fri, 14 Apr 2006, Jason Spatafore wrote:
>>
>>>2. Check /etc/passwd and see if there are any accounts which are
>>>suspicious. Also check to see if there is an account with the UID of "0",
>>>other than root.
>>
>>How about an entry like nobody:x:99:99:Nobody:/:/sbin/nologin?
>
>
> That's a normal entry. I have that here on several machines.
> Now if it were: nobody:x:0:0:Nobody:/:/bin/sh
>
> *THEN* I would be concerned!
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
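An added example, not from George's message or anyone else in the thread, that turns the two checks discussed above into a script: it parses /etc/passwd and /etc/shadow text, flags any shadow entry whose second field is empty (the root:: case), classifies the locked (!!, *) and hashed cases as fine, and flags any /etc/passwd account with UID 0 other than root (the nobody:x:0:0 case). The sample file contents, the account names and the hash string are constructed for illustration; on a real box you would feed it the files from the mounted suspect disk.

```python
"""Audit /etc/passwd and /etc/shadow for the two red flags discussed in the
thread: an empty password field in /etc/shadow and a UID-0 account that is
not root.  Sample data below is constructed, not taken from a real system."""

# Constructed sample /etc/passwd: 'toor' is a second UID-0 account with a shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
toor:x:0:0:Nobody:/:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""

# Constructed sample /etc/shadow: root has an empty password field (bad),
# daemon and nobody are locked (fine), toor has a made-up hash (fine as such).
SAMPLE_SHADOW = """\
root::12648:0:99999:7:::
daemon:*:12648:0:99999:7:::
nobody:!!:12648:0:99999:7:::
toor:$6$CONSTRUCTEDSALT$notarealhashjustforillustration:12648:0:99999:7:::
"""


def parse_colon_file(text, min_fields):
    """Parse a colon-separated account file into {name: [fields...]}.

    Blank lines and comments are skipped; a line with too few fields is an
    error rather than silently ignored, since a damaged file is itself a finding.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < min_fields:
            raise ValueError(
                f"line {lineno}: expected at least {min_fields} fields, got {len(fields)}"
            )
        entries[fields[0]] = fields
    return entries


def classify_shadow_password(field):
    """Classify the second field of a shadow entry.

    'EMPTY'  -> no password at all, anyone can log in as that user
    'locked' -> '!', '!!', '*' or a '!'-prefixed hash: password login disabled
    'hashed' -> a modular-crypt hash ($1$, $5$, $6$, $y$, ...)
    'unknown'-> anything else (e.g. legacy 13-char DES crypt); review by hand
    """
    if field == "":
        return "EMPTY"
    if field == "*" or field.startswith("!"):
        return "locked"
    if field.startswith("$"):
        return "hashed"
    return "unknown"


def audit(passwd_text, shadow_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 2)

    for name, f in passwd.items():
        uid, shell = f[2], f[6]
        if uid == "0" and name != "root":
            findings.append(f"passwd: account '{name}' has UID 0 (shell {shell})")
        # With shadow passwords in use the passwd field should be just 'x';
        # an empty field here would mean passwordless login without /etc/shadow.
        if f[1] != "x":
            findings.append(f"passwd: account '{name}' password field is '{f[1]}', not 'x'")

    for name, f in shadow.items():
        if classify_shadow_password(f[1]) == "EMPTY":
            findings.append(f"shadow: account '{name}' has an empty password field")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

Run against the constructed samples, this reports the toor UID-0 account and the empty root password field, and nothing else. To audit a real system, read the two files from the mounted disk (reading /etc/shadow requires root) and pass their contents to audit().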