Operating System - HP-UX

logging in with out entry in /etc/passwd

SOLVED
someone_4
Honored Contributor

Hello,
It has been reported that someone has logged into a system with a username. But the username is not in /etc/passwd. How can someone log into a system without a username in /etc/passwd?

I was thinking maybe there is still some trace of the user in other files, maybe PAM? Does anyone have any ideas on what else I could check?

Thanks
Richard
11 REPLIES
someone_4
Honored Contributor

Re: logging in with out entry in /etc/passwd

The way this was found was that a who was done on this server, and it was noticed that this old user was logged in. I have not seen it myself, and they assure me that they were in the box in question.

Thanks
Patrick Wallek
Honored Contributor
Solution

Re: logging in with out entry in /etc/passwd

Do you use NIS, NIS+, LDAP or any other form of authentication? Is the system trusted? If so, does the user exist in the /tcb directory structure?

Can you do a 'last username' and see that user? What about 'last | grep username'? Is anything returned?
someone_4
Honored Contributor

Re: logging in with out entry in /etc/passwd

Hi
last didn't show anything, but there was a file in /tcb/files/auth/w with the username in question and also the home directory.

I did userdel -r username
and the files are all gone.

Could that have been it?
I still think it was weird that there was no /etc/passwd entry.

Richard
harry d brown jr
Honored Contributor

Re: logging in with out entry in /etc/passwd

who gets its data from the utmp and/or the wtmp files, so don't trust who by itself.

harry
Live Free or Die
Jeff Schussele
Honored Contributor

Re: logging in with out entry in /etc/passwd

Hi Richard,

Although it's true that there are several ways to login w/o showing up in who & last commands, I know of no ways to login w/o having a valid account - somewhere - at connection time.
Don't overlook access via r-commands. I'd recommend a site survey for .rhosts & hosts.equiv & crank up the logging level on inetd. If you can, disable the r-commands & push for SSH. Won't get it if you don't ask.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Donny Jekels
Respected Contributor

Re: logging in with out entry in /etc/passwd

Are there any rogue tools on your system ('*su')?

"Vision, is the art of seeing the invisible"
U.SivaKumar_2
Honored Contributor

Re: logging in with out entry in /etc/passwd

Hi,

Login spoofer programs can easily do this.

Check /etc/inetd.conf for any backdoors.

Check top output for any suspicious processes.

If possible, run a network sniffer and monitor the network packets flowing from and to your server.

If possible, run the ttysnoop program to monitor all users' keystrokes without the users' knowledge but with management's knowledge.

Disclaimer: use of the above tools illegally will not make me responsible, as I am an innocent ethical hacker.

regards,
U.Sivakumar

Innovations are made when conventions are broken
Frank Slootweg
Honored Contributor

Re: logging in with out entry in /etc/passwd

See Harry's response about who(1) and /etc/utmp.

Do a "who" and note the tty of the 'phantom' user. Then do a "ps -ef | grep the_tty" (or similar). If no processes (other than the grep) are listed, then /etc/utmp is corrupt and that is the cause (post for further instructions on how to fix /etc/utmp, or see the fwtmp and utmp manual pages).
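The who-versus-ps cross-check Frank describes, scripted as an added example (not code from the thread). The `who` and `ps -ef` output below is constructed sample data standing in for the real commands on the HP-UX box; the function names are my own.

```shell
#!/bin/sh
# A tty that utmp reports as logged in (via who) but that owns no process in
# ps -ef is a stale or corrupt utmp entry, not a live session.
# Constructed sample output; on a real box use "$(who)" and "$(ps -ef)".

WHO_OUT='root     console      Mar 12 08:01
olduser  pts/3        Mar 10 22:14
jsmith   pts/1        Mar 12 09:30'

PS_OUT='     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root     1     0  0   Mar 11 ?         0:04 init
    root  2212  2201  0 08:01:10 console   0:00 -sh
  jsmith  3451  3440  0 09:30:02 pts/1     0:00 -ksh
  jsmith  3470  3451  0 09:31:15 pts/1     0:00 vi notes'

# tty_has_process TTY PS_TEXT -> exit 0 if any ps line has TTY as a whole field
# (field position is not used because STIME may be one or two words).
tty_has_process() {
    printf '%s\n' "$2" | awk -v t="$1" '
        { for (i = 1; i <= NF; i++) if ($i == t) found = 1 }
        END { exit !found }'
}

# phantom_ttys WHO_TEXT PS_TEXT
# Prints "user tty" for each who(1) entry whose tty has no process behind it.
phantom_ttys() {
    printf '%s\n' "$1" | while read -r user tty rest; do
        [ -n "$user" ] || continue
        tty_has_process "$tty" "$2" || printf '%s %s\n' "$user" "$tty"
    done
}

phantom_ttys "$WHO_OUT" "$PS_OUT"   # sample data: reports "olduser pts/3"
```

A non-empty result points at utmp rather than at a real login; a tty that does have processes is a live session and needs the other checks in this thread.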
Darren Prior
Honored Contributor

Re: logging in with out entry in /etc/passwd

Hi Richard,

A good way of checking the health of /etc/passwd and the tcb database on a trusted system is to use authck -pv.
One of the checks performed is to ensure the entries in tcb are also in /etc/passwd and vice versa.

I also tried a quick test of setting up a user on a trusted system, then removing just their /etc/passwd entry. When you try to log in, it returns "login incorrect".

regards,

Darren.
Calm down. It's only ones and zeros...
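The tcb-versus-/etc/passwd consistency check Darren attributes to authck -pv, written out as an added example (not authck itself and not code from the thread). It builds a constructed scratch tree in a temp directory so it runs offline; the /tcb/files/auth/<letter>/<name> layout is the one the thread describes, the user names and function names are my own, and on a real trusted system the root argument would be /.

```shell
#!/bin/sh
# Every protected-password file under ROOT/tcb/files/auth/<letter>/<name>
# should have a matching /etc/passwd line, and vice versa; report both
# directions of mismatch, the way the thread's phantom /tcb/files/auth/w
# entry without a passwd line would be caught.

# tcb_passwd_mismatch ROOT
# Prints "tcb-only NAME" or "passwd-only NAME" per inconsistency.
tcb_passwd_mismatch() {
    root=$1
    # Only single-letter subdirectories hold user entries; auth/system is skipped.
    tcb_names=$(find "$root/tcb/files/auth" -path '*/auth/?/*' -type f 2>/dev/null \
                | sed 's#.*/##' | sort -u)
    pw_names=$(cut -d: -f1 "$root/etc/passwd" | sort -u)
    for n in $tcb_names; do
        printf '%s\n' "$pw_names" | grep -Fqx "$n" || printf 'tcb-only %s\n' "$n"
    done
    for n in $pw_names; do
        printf '%s\n' "$tcb_names" | grep -Fqx "$n" || printf 'passwd-only %s\n' "$n"
    done
}

# Constructed scratch tree (not a real system); prints its path.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/tcb/files/auth/r" "$d/tcb/files/auth/w" "$d/tcb/files/auth/system"
    printf 'root:*:0:3::/:/sbin/sh\n'                          >  "$d/etc/passwd"
    printf 'richard:*:101:20::/home/richard:/usr/bin/ksh\n'    >> "$d/etc/passwd"
    printf 'ghost:*:102:20::/home/ghost:/usr/bin/ksh\n'        >> "$d/etc/passwd"
    : > "$d/tcb/files/auth/r/root"
    : > "$d/tcb/files/auth/r/richard"
    : > "$d/tcb/files/auth/w/wanda"          # tcb entry with no passwd line
    : > "$d/tcb/files/auth/system/default"   # must be ignored by the check
    printf '%s\n' "$d"
}

sample=$(make_sample_root)
tcb_passwd_mismatch "$sample"   # sample data: "tcb-only wanda" then "passwd-only ghost"
rm -rf "$sample"
```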