The "anus" account: Have I been hacked?
msperrin at u.washington.edu
Tue Sep 26 13:14:37 PDT 2000
when in doubt, assume the worst.
Other things to check for, when you're worried about it, are:
if you haven't touched the /etc/shadow file, check to see what other
files in the /etc, /lib /usr/lib, /sbin, /bin, directories have modified
dates around the same time (almost the exact same time if it was a
If you don't need the machine for a couple of hours, I'd just reformat it,
and do a re-install...
If you're happy and you know it....
On Tue, 26 Sep 2000, Z. Frazier wrote:
> it doesn't look good. my guess would be that your box has been
> compromised. if you have never set up shadowing and that file suddenly
> appears, especially with only one entry with a user name like "anus", you
> are probably in trouble. especially if the machine has been left
> untouched and unpatched for a while, where the latest and greatest bugs
> are still exploitable.
> my guess would be that someone exploited a security hole, and ran a quick
> root kit to erase their tracks and created the shadow file by accident in
> the process. probably by assuming that the machine used a shadow file and
> not checking before running all of their kiddie scripts on the box.
> about the passwd entry,
> first the x in the password field simply means that the password is
> shadowed. the entry is very disturbing because the user is given a user id
> and group id of 0. essentially making them root. not to mention that
> their home directory is / which is very odd... not a good sign.
> add that to the shadow information and it looks bad.
> i by no means consider myself any sort of expert... in fact i am pretty
> new to all of this. so please take everything i say with a grain of salt.
> or three.
> btw, this is my first posting here... although i have been reading for a
> little while now. and i think this is a great resource. thanks.
> Zach Frazier
> zfrazier at u.washington.edu
> On Tue, 26 Sep 2000, Dan Sanderson wrote:
> > I knew I was asking for trouble for leaving a machine unattended. I'm
> > aware of what I should be doing (that I'm not) to keep my box secure;
> > right now I'm mostly interested in quickly identifying if my system has
> > been compromised, i.e. if this is a result of a known attack/script, or
> > perhaps a known harmless side effect of installing a particular piece of
> > software.
> > I found this at the end of my /etc/passwd file (implying that it was
> > added after the several user accounts were created):
> > anus:x:0:0:anus:/:/bin/bash
> > (There is no "anus" group.)
> > Grepping around reveals the file /etc/shadow has been created (this
> > machine doesn't currently use shadow passwords) containing the following
> > line:
> > anus::15232::::::
> > There's nothing in the logs, but that doesn't mean anything given that
> > this machine went unattended for so long.
> > Is it likely that I've been hacked? Or is this perhaps an
> > account that something I may have installed created? Does anyone
> > recognize this?
> > The password field was set to "x". Does this mean that it does not work
> > as a login shell (has no valid password)? It's not "*". Does "x" mean
> > something else?
> > I've always been aware that this machine was getting no attention, and
> > completely reinstalling the entire thing, properly securing it based on
> > all the usual advice, docs and books, has been my #1 priority for the box.
> > Unfortunately, the box as a whole hasn't been a priority in my life, but I
> > had a (trusted non-geek but-smart-enough-to-change-his-password) friend
> > that was using it for a while for email, and to serve several static web
> > pages, so I left it up. Perhaps it's time to take it down, archive my
> > friend's data, and rebuild it properly. Even if this isn't a hack.
> > The machine is down until I get a response. Many thanks for any
> > assistance you can provide!
> > -- Dan
More information about the Linux