who added the new user pcap? (Linux Security forum, System Security and Security Related category)
Hi,

I have a redhat 9 box. Logwatch reported the following:

    --------------------- Connections (secure-log) Begin ------------------------
    New Users:
        pcap(77)
    **Unmatched Entries**
    groupadd[2380]: new group: name=pcap, gid=77
    usermod[2964]: change user `gdm' shell from `/sbin/nologin' to `/sbin/nologin'
    ---------------------- Connections (secure-log) End -------------------------

I don't know the exact time it happened. But prior to this, within 24 hours, I also got something from my yum.cron:

    Stopping sshd:[ OK ]
    Starting sshd:[ OK ]
    warning: /etc/mail/sendmail.cf created as /etc/mail/sendmail.cf.rpmnew
    warning: /etc/mail/submit.cf created as /etc/mail/submit.cf.rpmnew

I also noticed that the machine was rebooted before these two reports. Do these mean a security compromise? What should I do to track it down and prevent it?

Thanks a lot!
Lu
lsun91125@yahoo.com (Lu) writes:

]Hi,
]I have a redhat 9 box. Logwatch reported the following:
] --------------------- Connections (secure-log) Begin
]------------------------
]New Users:
] pcap(77)
]**Unmatched Entries**
]groupadd[2380]: new group: name=pcap, gid=77
]usermod[2964]: change user `gdm' shell from `/sbin/nologin' to
]`/sbin/nologin'
] ---------------------- Connections (secure-log) End
]I don't know the exact time it happened. But prior to this, within 24
]hours, I also got something from my yum.cron:
]Stopping sshd:[ OK ]
]Starting sshd:[ OK ]
]warning: /etc/mail/sendmail.cf created as /etc/mail/sendmail.cf.rpmnew
]warning: /etc/mail/submit.cf created as /etc/mail/submit.cf.rpmnew
]I also noticed that the machine was rebooted before these two reports.
]Do these mean a security compromise? What should I do to track it down
]and prevent it?
]Thanks a lot!

It looks like ssh, sendmail were updated with rpm. Were they? Did you do it?

If you did not do it, find out what or who did.
On 2004-06-14, Bill Unruh <unruh@string.physics.ubc.ca> wrote:
> ]I don't know the exact time it happened. But prior to this, within 24
> ]hours, I also got something from my yum.cron:
....
> It looks like ssh, sendmail were updated with rpm. Were they? Did you do
> it?
>
> If you did not do it, find out what or who did.

Yum did it, from a cron job.

--
--Tim Smith