--- In [email protected], Robert C Wittig <[EMAIL PROTECTED]> wrote:
>
> Gary wrote:
> > (U)nder Sabayon Linux, (...) I found a user account called "nx"
> > immediately following my normal user account
> > that I hadn't created myself. (...) Poking around in nx's home directory, defined as
> > '/usr/local/home/nx', I found it to contain a single piece of
> > software, whose "release notes.txt" directed me to a website called
> > nomachine.com, which appears to be a professional virtual machine
> > package! I delete the username and the associated directories, and 30
> > minutes later, user "nx" was back, plus a half-dozen OTHER user accounts.
> > I concluded that my machine had been rootkitted
> > somehow, (...) and wiped the whole Linux partition.
>
> I don't know if I would have been so quick to assume I had been rooted.
>
> I know absolutely nothing about either Sabayon or Nomachine NX other
> than what I quickly scanned on the two websites, but I did discover at:
>
> http://www.sabayonlinux.org/forum/viewtopic.php?t=3235
>
> ...a bugfix line entry:
>
> # [F/B] NoMachine NX Server Free Edition has now the proper license
> key and the startup is a lot faster
>
> ...which suggests that Sabayon does have NoMachine NX in its install base.
>
> '/usr/local/home/nx' is not a '/home' directory. I think it is
> probably a 'build' directory or something, where individual users can
> install software.
>
> Also, not all 'users' are human... *nix machines have a lot of
> non-human users, that perform machine-related tasks. machine accounts
> are usually pretty easy to identify, because they will not have shells
> assigned to them, like /bin/bash or /bin/ksh, and instead, have an
> entry /sbin/nologin

Gary responds:
My conclusion wasn't just because the "nx" account respawned, it was the other half-dozen or so accounts that appeared out of nowhere -- and hadn't been in the list a mere 15 minutes or so earlier! I didn't keep a list of them, but some at least seemed to have an advertising flavor to them. And spam-sending bot software doesn't need to be a "person" to do its dirty work, it could be a "machine" account. I also reacted to the fact that "/home" was in the chain somewhere, why do programs need a /home? I thought that putting it under "/usr/local" was a tactic to conceal it from casual browsing of one's own /home structure. Well, in any case, better safe than sorry. If I've alarmed anyone else unduly, I apologize.

> The place to check and see who and what kind of users you have on your
> system is the /etc/passwd file:
>
> http://en.wikipedia.org/wiki//etc/passwd

Gary continues:
Thank you, that's useful to know.

Gary said:
> > (Installing Fedora 8,) I've lost the GRUB entry to boot
> > into Windows! I don't know how to manually re-enter the lines.
>
> Robert said:
> Check:
> http://www.linuxforums.org/forum/ubuntu-help/68350-add-windows-grub.html
>

Gary responds:
Thank you but not needed. The grub entry WAS there, when I went to edit the grub conf file, I realized the countdown was so short I missed seeing it happen (and it was oh-dark hundred in the morning, I wasn't at my best), so I can in fact dual-boot normally! Given what you say about nx being part of Sabayon, though, I'll probably go back to it, now that my adrenaline has subsided. I like what Sabayon includes better than F-8, even if Sabayon's 12GB footprint is remarkably large for a Linux.

-G-
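
Added example (not part of the original e-mail thread): the /etc/passwd check discussed above, extended to compare two snapshots of the file so that accounts which appear between them are listed together with their shell and home directory. The passwd entries, the account name `promo1`, the shell given for `nx` and the set of no-login shells are constructed assumptions; only the `/usr/local/home/nx` path comes from the thread, and the notes are triage hints, since an account created by an installed package shows up as new as well.

```python
# Added example. Sample passwd entries are constructed; only the nx home
# directory path is taken from the thread.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumed set

SAMPLE_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
gary:x:1000:1000:Gary:/home/gary:/bin/bash
"""
SAMPLE_AFTER = SAMPLE_BEFORE + """\
nx:x:1001:1001::/usr/local/home/nx:/bin/sh
promo1:x:1002:1002::/home/promo1:/bin/bash
"""

def parse_passwd(text):
    """Map account name -> {uid, home, shell} for each well-formed line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # passwd(5) has exactly seven colon-separated fields; skip anything else.
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        accounts[name] = {"uid": int(uid), "home": home, "shell": shell}
    return accounts

def can_login(entry):
    """True unless the shell is one of the known no-login placeholders."""
    return entry["shell"] not in NOLOGIN_SHELLS

def new_accounts(before_text, after_text):
    """List (name, notes) for accounts present in after_text only."""
    before, after = parse_passwd(before_text), parse_passwd(after_text)
    report = []
    for name in sorted(after.keys() - before.keys()):
        entry, notes = after[name], []
        if can_login(entry):
            notes.append("has login shell")
        if entry["uid"] == 0:
            notes.append("UID 0")
        if not entry["home"].startswith("/home/"):
            notes.append("home outside /home")
        report.append((name, notes))
    return report

if __name__ == "__main__":
    for name, notes in new_accounts(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(name, "-", ", ".join(notes) or "no flags")
```

On a real system, pass the contents of a saved copy of /etc/passwd and of the current file as the two arguments to `new_accounts`.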
