The "anus" account: Have I been hacked?

M. Scholz msperrin at u.washington.edu
Tue Sep 26 13:14:37 PDT 2000


When in doubt, assume the worst.

Other things to check for, when you're worried about it, are:
If you haven't touched the /etc/shadow file, check to see what other
files in the /etc, /lib, /usr/lib, /sbin and /bin directories have modified
dates around the same time (almost the exact same time if it was a
scripted attack)...

If you don't need the machine for a couple of hours, I'd just reformat it,
and do a re-install...



	If you're happy and you know it....

-Matthew Scholz

On Tue, 26 Sep 2000, Z. Frazier wrote:

> Hmmm...
> 
> It doesn't look good.  My guess would be that your box has been
> compromised.  If you have never set up shadowing and that file suddenly
> appears, especially with only one entry with a user name like "anus", you
> are probably in trouble.  Especially if the machine has been left
> untouched and unpatched for a while, where the latest and greatest bugs
> are still exploitable.
> 
> My guess would be that someone exploited a security hole, and ran a quick
> root kit to erase their tracks and created the shadow file by accident in
> the process, probably by assuming that the machine used a shadow file and
> not checking before running all of their kiddie scripts on the box.
> 
> About the passwd entry:
> 
> First, the x in the password field simply means that the password is
> shadowed.  The entry is very disturbing because the user is given a user id
> and group id of 0, essentially making them root.  Not to mention that
> their home directory is /, which is very odd...  Not a good sign.
> 
> 
> Add that to the shadow information and it looks bad.
> 
> .............
> 
> I by no means consider myself any sort of expert... in fact I am pretty
> new to all of this.  So please take everything I say with a grain of salt.
> Or three.
> 
> BTW, this is my first posting here... although I have been reading for a
> little while now.  And I think this is a great resource.  Thanks.
> 
> -zach
> 
> Zach Frazier
> zfrazier at u.washington.edu
> 
> On Tue, 26 Sep 2000, Dan Sanderson wrote:
> 
> > 
> > I knew I was asking for trouble for leaving a machine unattended.  I'm
> > aware of what I should be doing (that I'm not) to keep my box secure;
> > right now I'm mostly interested in quickly identifying if my system has
> > been compromised, i.e. if this is a result of a known attack/script, or
> > perhaps a known harmless side effect of installing a particular piece of
> > software.
> > 
> > I found this at the end of my /etc/passwd file (implying that it was
> > added after the several user accounts were created):
> >   anus:x:0:0:anus:/:/bin/bash
> > 
> > (There is no "anus" group.)
> > 
> > Grepping around reveals the file /etc/shadow has been created (this
> > machine doesn't currently use shadow passwords) containing the following
> > line:
> >   anus::15232::::::
> > 
> > There's nothing in the logs, but that doesn't mean anything given that
> > this machine went unattended for so long.
> > 
> > Is it likely that I've been hacked?  Or is this perhaps an
> > account that something I may have installed created?  Does anyone
> > recognize this?
> > 
> > The password field was set to "x".  Does this mean that it does not work
> > as a login shell (has no valid password)?  It's not "*".  Does "x" mean
> > something else?
> > 
> > I've always been aware that this machine was getting no attention, and
> > completely reinstalling the entire thing, properly securing it based on
> > all the usual advice, docs and books, has been my #1 priority for the box.
> > Unfortunately, the box as a whole hasn't been a priority in my life, but I
> > had a (trusted non-geek but-smart-enough-to-change-his-password) friend
> > that was using it for a while for email, and to serve several static web
> > pages, so I left it up.  Perhaps it's time to take it down, archive my
> > friend's data, and rebuild it properly.  Even if this isn't a hack.
> > 
> > The machine is down until I get a response.  Many thanks for any
> > assistance you can provide!
> > 
> > -- Dan
> > 



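To make the checks discussed in this thread concrete, here is an added example that is not part of the original mailing-list exchange. It is a small shell script that (1) lists every passwd entry that is effectively root (UID 0 or GID 0) under a name other than "root", (2) classifies a shadow(5) line so that the empty second field in "anus::15232::::::" is read correctly as "no password required" rather than as a disabled account, and (3) lists files under the usual system directories whose modification time clusters around a reference file such as the newly created /etc/shadow, which is what Matthew suggests looking for. It assumes GNU find, stat and awk (for -printf '%T@' and stat -c %Y); the SAMPLE_PASSWD and SAMPLE_SHADOW contents are constructed to match the lines Dan quoted and are not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU find/stat/awk.
# Sample data constructed to match the entries quoted in the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
dan:x:1000:1000:dan:/home/dan:/bin/bash
anus:x:0:0:anus:/:/bin/bash'

SAMPLE_SHADOW='anus::15232::::::'

# Every passwd entry with UID 0 or GID 0 whose name is not "root".
# Reads the file(s) given as arguments, or stdin when none are given.
# Usage: find_extra_superusers /etc/passwd
find_extra_superusers() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$@"
}

# Classify one shadow(5) line. An empty second field is NOT a disabled
# account: it means no password is required at all. "*" or "!" locks the
# account; anything else is a password hash. Field 3 is the last-change
# date as days since 1970-01-01, which can be compared with the file's mtime.
# Usage: describe_shadow_entry 'anus::15232::::::'
describe_shadow_entry() {
    printf '%s\n' "$1" | awk -F: '{
        if ($2 == "")          state = "EMPTY (no password required)"
        else if ($2 ~ /^[*!]/) state = "LOCKED"
        else                   state = "HASHED"
        print $1 ": " state ", last change day " $3
    }'
}

# Regular files under the given directories whose mtime lies within
# +/- N minutes of the reference file's mtime. A scripted attack tends to
# leave a tight cluster of such timestamps (replaced binaries, new configs).
# Usage: files_modified_near /etc/shadow 30 /etc /lib /usr/lib /sbin /bin
files_modified_near() {
    ref=$1
    window=$(( $2 * 60 ))
    shift 2
    t=$(stat -c %Y "$ref")
    find "$@" -xdev -type f -printf '%T@ %p\n' 2>/dev/null |
        awk -v lo="$(( t - window ))" -v hi="$(( t + window ))" '{
            mtime = int($1)
            sub(/^[^ ]+ /, "")      # drop the timestamp, keep the full path
            if (mtime >= lo && mtime <= hi) print
        }' | sort
}

# Demo on the constructed samples. On a live box, point the functions at
# /etc/passwd, /etc/shadow and the system directories instead.
printf '%s\n' "$SAMPLE_PASSWD" | find_extra_superusers
describe_shadow_entry "$SAMPLE_SHADOW"
```

One caveat that goes with Matthew's "just reformat it" advice: on a box you suspect is rooted, find, ls, awk and stat may themselves have been replaced, so run these checks from known-good binaries (a rescue disk or a read-only mount of the disk on another machine) rather than trusting the installed ones.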