What's concerning is that the default /etc/ssh/sshd_config is allowing people to attempt to brute force the root password at all.
-----Original Message----- From: Alex Angerhofer [mailto:alex@chem.ufl.edu] Sent: Friday, 21 January 2005 4:11 p.m. To: SUSE Security List Cc: Alex Angerhofer Subject: [suse-security] passwordless user account warning
Hi list,
I checked one of my boxes (SuSE 9.2 Pro with the latest patches) today with the latest version of rkhunter and got the following warning:
Checking for passwordless user accounts... Warning! Found passwordless user account. See logfile for more information
The logfile reveals this:
[21:26:27] Warning! Found passwordless account (+)
[21:26:27] Check this account and give it a password.
A look at /etc/shadow shows as the last line:
+::0:0:0::::
I am kind of worried about this, especially about the password-less user +. This is apparently not an account that one could log on to, but still I haven't seen this at all in the past. My home box running the 64bit version of SuSE 9.2 doesn't show this user at all.
I'd be really grateful to anybody that could help me shed light on this or at least point me in the right direction.
Best regards, Alex.
P.S.: There doesn't seem to be anything particularly worrying in the log. A couple of vanilla logon attempts on the sshd that people seem to have reported about from time to time:
Jan 9 11:57:36 falco sshd[32471]: Illegal user jordan from ::ffff:220.228.116.140
Jan 9 11:57:36 falco sshd[32471]: reverse mapping checking getaddrinfo for adsl-220-228-116-140.nh.sparqnet.net failed - POSSIBLE BREAKIN ATTEMPT!
Jan 9 11:57:36 falco sshd[32471]: error: Could not get shadow information for NOUSER
Jan 9 11:57:36 falco sshd[32471]: Failed password for illegal user jordan from ::ffff:220.228.116.140 port 4205 ssh2
Jan 9 11:57:36 falco kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:0c:6e:63:0d:50:00:03:fe:a0:e4:0a:08:00 SRC=220.228.116.140 DST=128.227.89.85 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=30681 DF PROTO=TCP SPT=4239 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0152624E0000000001030300)
and repeats of these with different login names ad nauseam.
There was also an attempt at brute-forcing my root password (fat chance):
Jan 11 04:48:05 falco sshd[9001]: Failed password for root from ::ffff:67.19.157.18 port 58602 ssh2
Jan 11 04:48:06 falco sshd[9003]: reverse mapping checking getaddrinfo for 18.67-19-157.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Jan 11 04:48:06 falco sshd[9003]: Failed password for root from ::ffff:67.19.157.18 port 58628 ssh2
Jan 11 04:48:06 falco sshd[9005]: reverse mapping checking getaddrinfo for 18.67-19-157.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
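As an added example (not part of the thread, and not rkhunter or SuSE code): a Python script that tallies the "Failed password" lines quoted above per source address and target user, flags sources that exceed a threshold, and audits an sshd_config for the two settings that make the root guessing Mike refers to possible. The log lines are the ones from the post; SAMPLE_CONFIG is constructed. The regex accepts both the "illegal user" wording of OpenSSH 3.x and the "invalid user" wording of later releases; the config parser only looks at the global section (it stops at the first Match block), and the "unset means yes" default for PermitRootLogin is the pre-OpenSSH-7.0 behaviour.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the sshd lines quoted in the post, unchanged.
SAMPLE_LOG = """\
Jan 9 11:57:36 falco sshd[32471]: Illegal user jordan from ::ffff:220.228.116.140
Jan 9 11:57:36 falco sshd[32471]: reverse mapping checking getaddrinfo for adsl-220-228-116-140.nh.sparqnet.net failed - POSSIBLE BREAKIN ATTEMPT!
Jan 9 11:57:36 falco sshd[32471]: error: Could not get shadow information for NOUSER
Jan 9 11:57:36 falco sshd[32471]: Failed password for illegal user jordan from ::ffff:220.228.116.140 port 4205 ssh2
Jan 11 04:48:05 falco sshd[9001]: Failed password for root from ::ffff:67.19.157.18 port 58602 ssh2
Jan 11 04:48:06 falco sshd[9003]: reverse mapping checking getaddrinfo for 18.67-19-157.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Jan 11 04:48:06 falco sshd[9003]: Failed password for root from ::ffff:67.19.157.18 port 58628 ssh2
"""

# Constructed sshd_config fragment with the weak settings that let the
# attempts above happen at all. Hardened values: PermitRootLogin no
# (or without-password) and PasswordAuthentication no (keys only).
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# "illegal user" is the OpenSSH 3.x wording, "invalid user" the later one.
# The ::ffff: prefix is an IPv4-mapped IPv6 address, as in the post's logs.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+) port \d+"
)


def summarize_sshd_log(text):
    """Count failed password attempts per source, root attempts per source,
    and the set of non-existent usernames tried from each source."""
    per_ip = Counter()
    root_attempts = Counter()
    invalid_users = defaultdict(set)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip, user = m.group("ip"), m.group("user")
        per_ip[ip] += 1
        if user == "root":
            root_attempts[ip] += 1
        if m.group("invalid"):
            invalid_users[ip].add(user)
    return {
        "per_ip": per_ip,
        "root_attempts": root_attempts,
        "invalid_users": {ip: sorted(u) for ip, u in invalid_users.items()},
    }


def flag_sources(summary, threshold=2):
    """Sources with at least `threshold` failed attempts, sorted."""
    return sorted(ip for ip, n in summary["per_ip"].items() if n >= threshold)


def parse_sshd_config(text):
    """Global-section keywords of an sshd_config, lower-cased. sshd honours
    the FIRST occurrence of a keyword; '#' lines are comments. Assumption:
    we stop at the first 'Match' block instead of evaluating it."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    """Findings for the two settings that allow remote password guessing."""
    s = parse_sshd_config(text)
    findings = []
    # Unset meant 'yes' before OpenSSH 7.0 (the 2005 default Mike complains about).
    if s.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("PermitRootLogin yes: root password can be guessed over ssh")
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: every account is exposed to guessing")
    return findings


if __name__ == "__main__":
    summary = summarize_sshd_log(SAMPLE_LOG)
    print(summary)
    print("noisy sources:", flag_sources(summary))
    for f in audit_sshd_config(SAMPLE_CONFIG):
        print("config:", f)
```

Run against a real /var/log/messages the threshold wants to be far higher than 2; on the constructed sample it isolates the one host that hit root twice. A commented-out `# PermitRootLogin no` counts as unset, and on an OpenSSH of that era unset meant yes, which is why the audit reports it.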
Alex Angerhofer wrote:
Hi list,
<SNIP>
A look at /etc/shadow shows as the last line:
+::0:0:0::::
You don't have to worry about this entry. It only indicates that you have configured your Linux box to work in a NIS environment (Network Information Service, formerly known as "Yellow Pages").
HTH
Dieter
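As an added example (not from the thread, and not rkhunter's own check): a small Python checker that does what rkhunter's passwordless-account test does, but treats NIS compat directives separately from real accounts and cross-checks /etc/nsswitch.conf. In compat mode a shadow line whose name starts with `+` or `-` (`+`, `+user`, `+@netgroup`, `-user`, `-@netgroup`) is an include/exclude directive, not an account, which is why its password field is legitimately empty. The shadow and nsswitch contents below are constructed (the hashes are fake placeholders); real use would read the files as root.

```python
from dataclasses import dataclass

# Constructed sample shadow file: hashed accounts (fake placeholder hashes),
# a locked system account, a genuinely passwordless account, and NIS compat
# directives including the exact line from the post.
SAMPLE_SHADOW = """\
root:$1$fakesalt$NOTAREALHASH0000000000:12800:0:99999:7:::
bin:*:12800:0:99999:7:::
alex:$1$fakesalt$NOTAREALHASH1111111111:12800:0:99999:7:::
guest::12800:0:99999:7:::
+@nisadmins::0:0:0::::
+::0:0:0::::
"""


@dataclass
class ShadowEntry:
    name: str
    password: str
    raw: str

    @property
    def is_compat(self) -> bool:
        # '+' / '-' directives only mean anything with 'compat' in nsswitch.conf
        return self.name[:1] in ("+", "-")

    @property
    def is_locked(self) -> bool:
        # '!' or '*' prefixes: no password can ever match
        return self.password.startswith(("!", "*"))

    @property
    def is_passwordless(self) -> bool:
        # empty field: any password (including none) is accepted by crypt-based login
        return self.password == ""


def parse_shadow(text):
    """Parse shadow(5) lines into entries; only name and password are needed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: not a shadow entry: {raw!r}")
        entries.append(ShadowEntry(fields[0], fields[1], raw))
    return entries


def classify(shadow_text):
    """Split into (real passwordless accounts, compat directives)."""
    real, compat = [], []
    for e in parse_shadow(shadow_text):
        if e.is_compat:
            compat.append(e.name)
        elif e.is_passwordless:
            real.append(e.name)
    return real, compat


def uses_compat(nsswitch_text):
    """True if nsswitch.conf resolves passwd or shadow via the 'compat' source."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() in ("passwd", "shadow") and "compat" in sources.split():
            return True
    return False


def report(shadow_text, nsswitch_text):
    """(name, verdict) pairs: 'passwordless' needs a password or a lock;
    'compat-ok' is the expected NIS sentinel; 'compat-unused' is a compat
    directive on a box whose nsswitch.conf never consults compat."""
    findings = []
    real, compat = classify(shadow_text)
    findings.extend((name, "passwordless") for name in real)
    verdict = "compat-ok" if uses_compat(nsswitch_text) else "compat-unused"
    findings.extend((name, verdict) for name in compat)
    return findings


if __name__ == "__main__":
    for name, verdict in report(SAMPLE_SHADOW, "passwd: compat\nshadow: compat\n"):
        print(f"{name}: {verdict}")
```

The practical check after Dieter's answer is the nsswitch.conf cross-reference: if passwd/shadow are resolved via `compat`, the `+` line is the NIS sentinel and is expected; if they are `files` only, the line is dead configuration and should be removed rather than whitelisted in rkhunter.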
participants (3)
- Alex Angerhofer
- Dieter Brüggemann
- Mike Tierney