[clug] RE: linux Digest, Vol 24, Issue 11

Francis Whittle fudje at phreaker.net
Fri Dec 10 14:44:51 GMT 2004

On Sat, 2004-12-11 at 01:15 +1100, John Fletcher wrote:
> Hey guys,
> This morning I got woken up by a call from web developers that couldn't
> access our SUSE 9.2 box.  I tried to log in and couldn't.  Thankfully we are
> running Webmin and I was able to log in and determine that the /etc/passwd
> file had been reduced to the following
> +::::::
> or something similar; and I was able to restore the original and everything
> was fine again.
> Now obviously only root can do this.  What I'm wondering is whether there is
> some kind of 'rogue process' explanation of such weird behaviour or has my
> box been hacked by someone who thinks he's really funny?  If so is there
> anything I can do now that might give me an idea of whether a malicious user
> was present?  I mean I looked into the history list and also the syslog from
> which I determined that it happened between 11pm and midnight (while I was
> working on the box... hmmm...).  I don't know what to think...
> Fletch.

It's the NIS dæmons!  Maliciously turning all your machines into
yellowpages (Sun yp, or NIS1, not the list of advertisers) clients!
Interestingly enough, my /etc/passwd contains just a pile of system
users and that line.  But it's for a reason (Dad likes insecure network
authentication protocols that lock up Solaris if there's no master
server present, or something).

Seriously, you were working on the box at the time and it didn't
spontaneously tell you that you didn't exist?  (I love it when a
fileutils program does that.  "ls"  "You don't exist, go away") Were you
*logged in* as root or something?

If you have any reports of someone logging out who wasn't logged in, that
might indicate a malicious user, but that may have been masked by the
modified /etc/passwd.  You might also want to check stuff
like /etc/yp.conf too.

Also, it is concerning that webmin let you log in without a webmin user
defined in your users database....
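As an added illustration (not part of the original thread), a small Python check that parses passwd-formatted text, flags NIS/yp compat entries like the "+::::::" line Fletch found, and reports malformed lines, extra UID-0 accounts and required users that have gone missing. The sample file content and the username "fletch" are constructed for the example.

```python
"""Check an /etc/passwd-style file for NIS compat entries and missing accounts."""
from typing import NamedTuple

# Constructed sample: what a wiped /etc/passwd like Fletch's might look like
# (a couple of system users followed by the NIS "+" compat line).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
+::::::
"""


class PasswdIssue(NamedTuple):
    line_no: int   # 0 when the issue is not tied to a single line
    kind: str      # nis_compat | malformed | extra_uid0 | missing_user
    detail: str


def check_passwd(text: str, required_users=("root",)) -> list:
    """Return the list of issues found in passwd-formatted text.

    A leading "+" or "-" marks an NIS compat entry: "+::::::" merges every
    account from the NIS map, "+user"/"-user" include or exclude one account.
    Such a line should not be there unless the box is meant to be a yp client.
    """
    issues = []
    seen_users = set()
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line[0] in "+-":
            issues.append(PasswdIssue(n, "nis_compat", line))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            issues.append(PasswdIssue(n, "malformed", line))
            continue
        name, _pw, uid, *_ = fields
        seen_users.add(name)
        if uid == "0" and name != "root":
            issues.append(PasswdIssue(n, "extra_uid0", name))
    for user in required_users:
        if user not in seen_users:
            issues.append(PasswdIssue(0, "missing_user", user))
    return issues


if __name__ == "__main__":
    # "fletch" is an assumed local admin account that ought to be present.
    for issue in check_passwd(SAMPLE_PASSWD, required_users=("root", "fletch")):
        print(issue)
```

Run it against a copy of the real file (`check_passwd(open("/etc/passwd").read(), ...)`) to get the same report for a live box.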
