Hi list,

I checked one of my boxes (SuSE 9.2 Pro with the latest patches) today with the latest version of rkhunter and got the following warning:

    Checking for passwordless user accounts... Warning! Found passwordless user account. See logfile for more information

The logfile reveals this:

    [21:26:27] Warning! Found passwordless account (+)
    [21:26:27] Check this account and give it a password.

A look at /etc/shadow shows as the last line:

    +::0:0:0::::

I am kind of worried about this, especially about the password-less user +. This is apparently not an account that one could log on to, but still I haven't seen this at all in the past. My home box running the 64bit version of SuSE 9.2 doesn't show this user at all.

I'd be really grateful to anybody that could help me shed light on this or at least point me in the right direction.

Best regards,
Alex.

P.S.: There doesn't seem to be anything particularly worrying in the log. A couple of vanilla log on attempts on the sshd that people seem to have reported about from time to time:

    Jan 9 11:57:36 falco sshd[32471]: Illegal user jordan from ::ffff:220.228.116.140
    Jan 9 11:57:36 falco sshd[32471]: reverse mapping checking getaddrinfo for adsl-220-228-116-140.nh.sparqnet.net failed - POSSIBLE BREAKIN ATTEMPT!
    Jan 9 11:57:36 falco sshd[32471]: error: Could not get shadow information for NOUSER
    Jan 9 11:57:36 falco sshd[32471]: Failed password for illegal user jordan from ::ffff:220.228.116.140 port 4205 ssh2
    Jan 9 11:57:36 falco kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:0c:6e:63:0d:50:00:03:fe:a0:e4:0a:08:00 SRC=220.228.116.140 DST=128.227.89.85 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=30681 DF PROTO=TCP SPT=4239 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0152624E0000000001030300)

and repeats of these with different login names ad nauseam.

There was also an attempt at brute-forcing my root password (fat chance):

    Jan 11 04:48:05 falco sshd[9001]: Failed password for root from ::ffff:67.19.157.18 port 58602 ssh2
    Jan 11 04:48:06 falco sshd[9003]: reverse mapping checking getaddrinfo for 18.67-19-157.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
    Jan 11 04:48:06 falco sshd[9003]: Failed password for root from ::ffff:67.19.157.18 port 58628 ssh2
    Jan 11 04:48:06 falco sshd[9005]: reverse mapping checking getaddrinfo for 18.67-19-157.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!

participants (3)
- Alex Angerhofer
- Dieter Brüggemann
- Mike Tierney
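
An added example, not part of the original post and not rkhunter's own code: lines in /etc/shadow whose name begins with `+` or `-` are NIS compat-mode markers rather than login names, so a passwordless-account check is easier to interpret when it reports them separately from local accounts. The shadow and nsswitch.conf samples are constructed (only the `+::0:0:0::::` line comes from the post), and `audit_shadow` and `uses_compat` are hypothetical helper names.

```python
# Added example, not rkhunter's code: classify shadow(5) lines with an empty
# password field as either a local account or an nss_compat marker line.

# Constructed sample; only the final line is the one quoted in the post.
SAMPLE_SHADOW = """\
root:$2a$10$ConstructedHashForIllustration:12790:0:99999:7:::
bin:*:12790:0:99999:7:::
guest::12790:0:99999:7:::
+::0:0:0::::
"""

# Constructed nsswitch.conf fragment (assumption: the box uses compat mode).
SAMPLE_NSSWITCH = """\
passwd: compat
shadow: compat
group:  files
"""


def audit_shadow(text):
    """Return (passwordless_local, compat_markers) from shadow-format text."""
    passwordless, compat = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blanks, comments and malformed lines
        fields = line.split(":")
        name, pw = fields[0], fields[1]
        if name.startswith(("+", "-")):
            # "+", "+user", "+@netgroup", "-user": NIS include/exclude markers.
            compat.append(name)
        elif pw == "":
            # Empty second field on a real account: no password is required.
            passwordless.append(name)
    return passwordless, compat


def uses_compat(nsswitch_text, database):
    """True if the given nsswitch.conf database line lists the compat source."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        key, _, sources = line.partition(":")
        if key.strip() == database:
            return "compat" in sources.split()
    return False  # no explicit line; glibc defaults are not guessed here


if __name__ == "__main__":
    local, markers = audit_shadow(SAMPLE_SHADOW)
    print("passwordless local accounts:", local)
    print("compat marker lines:", markers)
    print("shadow uses compat:", uses_compat(SAMPLE_NSSWITCH, "shadow"))
```

A marker line reported while `uses_compat` returns False for the same database deserves a closer look, since nothing is then configured to treat it as a NIS include.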