> > Check to see if the users "w0rm" or "moof" were added to /etc/passwd
> > Check to see if you can login as "rewt" with "satori" as your password.
> > If you find either, you have DEFINITELY been compromised.
> Hi Lance!
> A few weeks ago I found the user wOrm in the passwd of a gateway router
> .. I deleted it ...
> Now my question is: the wOrm user did not have uid 0 .... so what can
> happen to the system? It is only a normal user ... the intruder has no
> chance to modify the system. Or is the user wOrm only a side effect
> of a bigger attack?
w0rm is usually inserted by a rootkit after whichever script the kiddie
happened to be using has insinuated its way into your machine - there are
most likely enormous numbers of backdoors lying around your system -
don't trust _any_ of it. In order to insert the entry into passwd, the
attacker must already have root-compromised the machine; once that
happens all bets are off - you don't know what they might have done. In
particular, there's a strong chance that the login binary has been
altered to allow root logins to users not marked as having uid.gid 0.0
in the passwd file. In addition, system binaries such as ls, find, cat,
sum etc. could well have been altered to conceal the hacks.
If you have a tripwire executable and database on immutable media
(e.g. a read-only NFS mount from a more secure machine, or a CD-R
sitting in a CDROM drive or no drive at all), check everything against
that (having rebooted off trusted media). Otherwise backup the user
space, reformat everything and either restore from known-good backup
(i.e. at least before the user appeared in passwd), or, if such a thing
doesn't exist (but you _do_ keep backups, right?) from known-good
Sorry to be the bearer of bad news
~ Matthew ~
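The two checks Matthew describes, written up as an added example that is not part of the thread: scanning /etc/passwd for the account names Lance listed (plus any extra uid-0 entry) and comparing file hashes against a baseline kept on read-only media, tripwire-style. The sample passwd content and the hash values are constructed; the function and path names are assumptions.

```python
"""Constructed example: triage the indicators discussed in this thread.
Not part of the original message."""
import hashlib

# Account names the thread treats as rootkit indicators.
SUSPECT_NAMES = {"w0rm", "moof", "rewt"}

def suspicious_passwd_entries(passwd_text):
    """Return (name, reason) pairs worth a closer look: the names above and
    any uid-0 account other than root. A modified login binary can grant
    root without uid 0, so an empty result proves nothing on its own."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:  # skip blank or malformed lines
            continue
        name, uid = fields[0], fields[2]
        if name in SUSPECT_NAMES:
            findings.append((name, "known rootkit account name"))
        if uid == "0" and name != "root":
            findings.append((name, "extra uid 0 account"))
    return findings

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def hash_file(path):
    """Hash a file in chunks; run this after booting from trusted media."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_to_baseline(baseline, observed):
    """baseline: {path: sha256 hex} from read-only media; observed: the same
    shape computed now. Reports 'ok', 'modified' or 'missing' per path."""
    return {
        path: "missing" if path not in observed
        else "ok" if observed[path] == expected else "modified"
        for path, expected in baseline.items()
    }

# Constructed stand-in for /etc/passwd: one named account and one extra uid 0.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
w0rm:x:1001:1001::/home/w0rm:/bin/sh
toor:x:0:0::/root:/bin/sh
"""
```

Build the baseline with `hash_file` on a known-good system and store it with the script on read-only media; anything reported as modified or missing is treated the way Matthew describes, not repaired in place.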