Check for Unknown Accounts

Check for Unknown User Accounts


One method a cracker will use is to create an additional account with a UID of 0, the same UID as the root account, which gives that account root privileges. Use this command to check for an additional account:


grep :x:0: /etc/passwd


The output should look like this:



It is a good idea to keep track of all user accounts. You can list those accounts by using the command:


cat /etc/passwd


Every account should have a password. Do not allow accounts on the system that by default do not have passwords.

lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
gdm:x:50:15:Gnome Display Manager daemon:/var/lib/gdm:/bin/bash
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
ntp:x:74:65534:NTP daemon:/var/lib/ntp:/bin/false
mysql:x:60:2:MySQL database admin:/var/lib/mysql:/bin/false

Usually the only way that a program ends up on the system without a password is when it is installed and by default no password is set. Even worse is to install a program that uses a poor default password like “admin” and then forget that fact until it is too late. When a program is installed, it is imperative to review the status of passwords for that program during the installation.
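
The checks described above, combined into one script. This is an added example, not part of the original page. The function names, the baseline file of known account names, and the sample passwd lines (including the toor and guest entries) are constructed for illustration. Matching on the UID field itself also reports a UID 0 account whose password field is not "x", which grep :x:0: would not print.

```shell
#!/bin/sh
# Added example (not from the original page). Paths are arguments so the
# checks can run against /etc/passwd, /etc/shadow, or a copy of either.

# Names of all accounts whose UID (field 3) is 0, whatever field 2 holds.
# On a clean system the only expected name is "root".
uid0_accounts() {
    awk -F: '$3 ~ /^0+$/ { print $1 }' "$1"
}

# Names of accounts whose password field (field 2) is empty. Works on
# passwd- and shadow-format files; "x", "*" and "!" are not empty.
empty_password_accounts() {
    awk -F: 'NF > 1 && $2 == "" { print $1 }' "$1"
}

# Names present in passwd file $2 but missing from baseline list $1
# (one known account name per line, kept by the administrator).
unknown_accounts() {
    awk -F: 'FILENAME == ARGV[1]     { known[$1] = 1; next }
             NF > 1 && !($1 in known) { print $1 }' "$1" "$2"
}

# Constructed sample data: "toor" is a second UID 0 account whose password
# field holds a placeholder instead of "x", and "guest" has no password.
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
toor:CONSTRUCTED-HASH:0:0::/root:/bin/bash
guest::1001:100:Guest:/home/guest:/bin/bash
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_sample "$tmp/passwd"
    printf '%s\n' root lp > "$tmp/baseline"
    echo "UID 0:           $(uid0_accounts "$tmp/passwd" | tr '\n' ' ')"
    echo "grep :x:0: sees  $(grep -c ':x:0:' "$tmp/passwd") of them"
    echo "No password:     $(empty_password_accounts "$tmp/passwd" | tr '\n' ' ')"
    echo "Not in baseline: $(unknown_accounts "$tmp/baseline" "$tmp/passwd" | tr '\n' ' ')"
    rm -rf "$tmp"
}
demo
```

On a live system, pass /etc/passwd to the functions, and run empty_password_accounts against /etc/shadow as root, since that file holds the real password fields for entries marked "x".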


Copyright CyberMontana Inc. and

All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874