Some sec problems

unkn0wn · 10-23-2006, 05:39 AM

I have some trouble .

# grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

Is this normal?
because i see in su.log i see

SU 05/10 06:25 + ??? root-nobody
SU 05/11 06:25 + ??? root-nobody
SU 05/12 06:25 + ??? root-nobody
SU 05/13 06:25 + ??? root-nobody
SU 05/14 06:25 + ??? root-nobody

authlog:

Oct 23 06:25:01 web su[6157]: + ??? root:nobody

Is that normal.

unSpawn · 10-23-2006, 07:44 AM

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
As far as I know it's supposed to have an UID and GID of 99 and shell set to something inert like /bin/false or /sbin/nologin.

SU 05/13 06:25 + ??? root-nobody
SU 05/14 06:25 + ??? root-nobody

Oct 23 06:25:01 web su[6157]: + ??? root:nobody[/i]
Observe how the rate is consistent: once per day, same time. I'd look at scheduled jobs first.

mossy · 10-23-2006, 11:31 AM

also try to find out if there are any processes running as 'nobody' after it authenticates.

unkn0wn · 10-24-2006, 01:37 AM

Quote:

Originally Posted by mossy

also try to find out if there are any processes running as 'nobody' after it authenticates.

How can i do that. I am new around linux . Some tips?

mossy · 02-20-2007, 07:44 AM

<CODE>
ps -ef | grep nobody
</CODE>

To be honest it looks pretty bad that the 'nobody' uid has a shell and someone using it has been successful in su-ing to root. At that point I would consider the box compromised and would not trust any of the output from the system's commands (eg: ls, ps, w, etc). They were probably replaced with hacked/modified versions of the commands that conceal the cracker.

unSpawn · 02-20-2007, 08:44 AM

To be honest it looks pretty bad that the 'nobody' uid has a shell
Entry seems typical for (whatever release of at least) Debian. Please don't resurrect stale threads (older than say 3 months).