On Wed, 24 Jan 2001 [EMAIL PROTECTED] wrote:
> > The specific usernames that I question are: "pop" and "operator"
> > Are those installed into the raq3i by the factory?
>
> I admin two Raq3 servers. One of them has accounts under the
> usernames pop, operator and games. The other only has operator
> and games but neither server actually has passwords for these
> accounts. What I mean is that the shadow file contains an
> asterisk ('*') which would never be the result of a crypt function
> so the accounts cannot be logged into in the normal fashion. If
> you were running a daemon as one of these accounts then the daemon
> itself may have caused the hole.

It's also worth checking these service accounts still have their shell
entries either blank or set to /bin/false. Quite often people change the
shell to /bin/sh and use them to log in.

My RaQ (owned.lab6.com) was cracked at the weekend. Initially it looks
like procmail was exploited. It's running the latest version of procmail,
which is worrying.
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
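
The two checks discussed in this thread (the password field and the shell entry of the pop, operator and games accounts), as an added example that is not part of the original messages. The function names, the set of no-login shells and all sample passwd/shadow lines are assumptions constructed for illustration.

```python
# Added example. All passwd/shadow lines below are constructed sample data.
SAMPLE_PASSWD = """\
operator:x:11:0:operator:/root:/bin/false
games:x:12:100:games:/usr/games:
pop:x:67:67:pop:/var/spool/pop:/bin/sh
admin:x:500:500:admin:/home/admin:/bin/bash
"""
SAMPLE_SHADOW = """\
operator:*:11346:0:99999:7:::
games:*:11346:0:99999:7:::
pop:$1$constructed$notARealHashValue00000:11346:0:99999:7:::
admin:$1$constructed$notARealHashValue00000:11346:0:99999:7:::
"""

SERVICE_ACCOUNTS = ("pop", "operator", "games")  # usernames named in the thread
# Assumption: shells treated as "cannot log in" on the audited host.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse(text, min_fields):
    """Map username -> list of colon-separated fields, skipping short lines."""
    rows = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= min_fields and not line.startswith("#"):
            rows[fields[0]] = fields
    return rows


def audit(passwd_text, shadow_text, accounts=SERVICE_ACCOUNTS):
    """Return (user, issue) pairs for service accounts that could log in."""
    passwd, shadow = parse(passwd_text, 7), parse(shadow_text, 2)
    findings = []
    for user in sorted(set(accounts) & set(passwd)):
        pw = passwd[user][1]
        if pw == "x":  # real password field lives in the shadow file
            pw = shadow[user][1] if user in shadow else "*"
        if pw == "":
            findings.append((user, "empty-password"))
        elif pw[0] not in "*!":  # '*' or '!' can never match crypt() output
            findings.append((user, "password-set"))
        # passwd(5): an empty shell field defaults to /bin/sh
        shell = passwd[user][6] or "/bin/sh"
        if shell not in NOLOGIN_SHELLS:
            findings.append((user, "login-shell:" + shell))
    return findings


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {issue}")
```

To audit a live host, pass the contents of /etc/passwd and /etc/shadow to `audit()` in place of the sample strings; reading the shadow file requires root.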