Subject: Re: HELP! someone is in my NetBSD box!
To: Niels S.Eliasen <nse@ruc.dk>
From: Jaka Jejcic <jj@gnorw.net>
List: current-users
Date: 04/08/2004 23:27:13
I really think there is nothing wrong with you comp.
toor is completely normal account found on all default NetBSD systems.
It is a UID 0 account but with a bourne shell set as default.
lastlogx also is normal for a NetBSD system.
Lets go back to that make... it is the only problem not solved yet.
jj
On Thu, Apr 08, 2004 at 11:17:21PM +0200, Niels S.Eliasen wrote:
> The lastlog was renamed on the 22-jan-2004 to lastlogx ....
> And the "busy" passwd file I got rid off by using "vipw" as opposed to
> "passwd root"
> Which .... incidently revealed a new user "toor" (root backwards)
>
> Den 8/4-2004, kl. 22.41, skrev Jaka Jejcic:
>
> >On Thu, Apr 08, 2004 at 10:22:02PM +0200, Niels S.Eliasen wrote:
> >>Have taken ethernet off, done....
> >>Well... looks the gury have had on h... of a time... the system was
> >>by-the-looks of it compromised the 22-Jan-2004... at that time the
> >>accounting file got wiped... and apparently the super user has this
> >>entry "Charlie &" in the comment filed and daemon has "the devil
> >>himself" .....
> >
> >Well 'Charlie &' and 'The devil himself' are usual names for 'root' and
> >'daemon'.
> >What should by-the-look of it mean? How do you tell it was 22-Jan-2004?
> >Maybe it was just a busy password file?
> >
> >jj
> >
> >
> mvh/kind regards
> Niels S. Eliasen
> H?rhavevej 1
> DK-4250, Fuglebjerg
> Tel/Cell: +45 46 32 85 27 +45 21 77 95 90
> mailto:Niels.Eliasen@delfi-konsult.com
>