Check for Unknown Accounts

Check for Unknown User Accounts

 

One method a cracker will use is to create an additional account with a UID of 0, the UID of the root account, which gives that account root privileges. Use this command to check for an additional account:

 

grep :x:0: /etc/passwd

 

The output should look like this:

root:x:0:0:root:/root:/bin/bash

 

It is a good idea to keep track of all user accounts. You can list those accounts by using the command:

 

cat /etc/passwd

 

Every account should have a password. Do not allow accounts on the system that by default do not have passwords.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
gdm:x:50:15:Gnome Display Manager daemon:/var/lib/gdm:/bin/bash
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
ntp:x:74:65534:NTP daemon:/var/lib/ntp:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
mike:x:500:100:mike:/home/mike:/bin/bash
mysql:x:60:2:MySQL database admin:/var/lib/mysql:/bin/false


Usually the only way that a program ends up on the system without a password is when it is installed and, by default, no passwords are set. Even worse is to install a program that uses a poor default password like “admin” and then forget that fact until it is too late. If a program is installed, it is imperative to review the status of passwords for that program during the installation.
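Both checks described above (extra UID 0 accounts and accounts without a password) can be scripted. The following is an added example, not part of the original article; the function names and the sample entries (toor, guest and the placeholder hashes) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd- and shadow-format files (paths passed as arguments).

# extra_uid0 PASSWD: print UID 0 accounts other than root. Matching on field 3
# also catches entries whose password field is not "x", which ":x:0:" misses.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_password PASSWD SHADOW: print accounts that have no password set.
# Empty field 2 in passwd means no password; "x" defers to field 2 of shadow.
empty_password() {
    awk -F: '
        FILENAME == ARGV[1] { shadow[$1] = $2; next }
        $2 == "" { print $1; next }
        $2 == "x" && ($1 in shadow) && shadow[$1] == "" { print $1 }
    ' "$2" "$1"
}

# make_sample DIR: write constructed sample files (not from a real system).
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:$6$constructed$hash:0:0:second admin:/root:/bin/bash
mike:x:500:100:mike:/home/mike:/bin/bash
guest:x:501:100:guest:/home/guest:/bin/bash
ftp::40:49:FTP account:/srv/ftp:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
mike:$6$constructed$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
}

# Demo on the sample; on a live system pass /etc/passwd and /etc/shadow (as root).
dir=$(mktemp -d)
make_sample "$dir"
echo "UID 0 accounts other than root:"
extra_uid0 "$dir/passwd"
echo "Accounts with no password:"
empty_password "$dir/passwd" "$dir/shadow"
rm -rf "$dir"
```

On the sample data the first check reports toor and the second reports guest and ftp; on a healthy system both checks print nothing.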

 


Copyright CyberMontana Inc. and BeginLinux.com

All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874