Hi Arnaud. The first things I'd check are:
* Are the passwd, group, and shadow entries in your "/etc/nsswitch.conf" configured correctly? * If you have NIS installed on your machine, issue "/etc/init.d/nis stop" and "/etc/init.d/portmap stop" commands. Then see if you can still log in as the 'test' user. If you don't need it, consider uninstalling NIS. * Can you change the password for user 'test' while logged in as root? * What do your "/etc/pam.d/ssh" and "/etc/pam.d/ftpd" files look like? Hope this helps :-) ----- Jeremy On Tue, 2004-05-18 at 16:21, A. Loonstra wrote: > Hi, > > Last night I found the following in my wtmp: > > test ftpd19097 141.222.42.5 Sat May 15 10:57 - 10:57 (00:00) > > I had this test account once but removed account rightaway. So this > shouldn't show up in my logs anyhow. The weird thing is that syslog > shows something else: > > May 15 10:57:41 matilda wu-ftpd[19097]: connect from 141.222.42.5 > May 15 10:57:44 matilda wu-ftpd[19097]: FTP LOGIN REFUSED (ftp not in > /etc/passwd) FROM 141.222.42.5 [141.222.42.5], anonymous > > So now I tried myself to login as this test user with a very obvious > password. It was possible.... SSH login succeeded and ftp login as well. > The ssh login seems to get mapped to another local user which does > have an existing account on the server. However it can't find the home > dir so it sets it to / > > I have nothing in /etc/passwd, /etc/shadow or anywhere else... > a grep test on passwd* or shadow* reveals nothing. So how is it possible > that this test user is able to login. > > I've run the most recent version of chkrootkit (0.43) and run a linux > virusscanner (mcafee) as well. Both find nothing. > > Any help appreciated. > > Arnaud. > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
