> -i.e. accounts that are `grep ':0:' /etc/passwd I keep seeing people doing greps for ':0:'. Are the "bad-guys" that stupid to not try doing stuff like ':00:' or ': 0:' ? (Both work for root on at least a RedHat 7.2 box...)
You might need to run this as a perl or awk script and and force evaluation as an integer (perhaps by adding 0), then compare that integer to the integer 0. In short, you dont want to compare the string :0: , you want to compare the integer in the third field to the integer 0. --brian