Those are there by default. If the user's shell is 'nologin' then you are chasing phantoms.
Also, no, someone named 'Charlie' did not compromise root (well, most likely :-).

-Bryan

On Fri, Feb 20, 2009 at 3:46 PM, Jean-Francois <jfsimon1...@gmail.com> wrote:
> Hi All,
>
> It looks like my server, running for a few days, has already been hacked.
> It looks like a new user called 'daemon' ID 1 and a new group daemon.
> User's full name 'The devil itself' !!!! First time I find out evidence
> of hack on my server, however it's only one month running !!
>
> It looks like ntpd was the entry daemon connected to other than ntp site
> but I'm not sure.
> I am not sure at all about this, maybe one has changed the daemon.
> After I checked the addresses that this daemon connected to, they were
> very strange as webservers content (blogs, default page 'It works' and
> so on ... I guess ntp servers shall not act like this).
>
> Please find enclosed the ntpd server md5 print, one could check
> if /usr/sbin/ntpd (OpenBSD 4.4) has the same print ?
> md5 print of ntpd daemon (/usr/sbin) on my OpenBSD 4.4 :
> a0c8961d5818b438ecbfd6c40be47a5f
>
> Thanks for your kind help.