> yesterday I noticed that the last line of my /etc/passwd file
> was something like :
> +::0::0
That sets the UID and gecos field of all users on the system to 0. The
attacker probably meant to do "+::0:0:" but the above is just as lethal.
> I didn't put it and it was definitely not there before :)
> I vaguely remember that it has something to do with NIS..
Yes -- it's often used in conjunction with NIS+ netgroups. In the past,
I've used the following config on servers that I only wanted certain people
to log in to:

    +@managers:x:::::
    +:x:::::/afs/cs/common/login.restricted

That changes the shell for users not in the managers netgroup to one that
spits out an error message and kicks them off.
> any suggestions? Should I be worried???
Yes -- you should be very worried! :) I suggest removing the line, and
tracking down how you were attacked.
[ t charles clancy ]-[ [EMAIL PROTECTED] ]-[ uiuc.edu/~tclancy ]
[ crypto ][ coordinated science lab ][ university of illinois ]
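
Added example, not part of the original message: a small audit script that lists every `+`/`-` compat entry in a passwd-format file so each one can be compared against what the administrator actually configured. It marks a `+` entry whose UID or GID field is 0 as critical, following the reply's reading of `+::0::0`; the function names are made up here and the sample lines are constructed from the entries quoted in the thread.

```python
import sys
from typing import NamedTuple

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")

# Constructed sample: two ordinary accounts plus the entries quoted in the thread.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
+@managers:x:::::
+:x:::::/afs/cs/common/login.restricted
+::0::0
""".splitlines()

class Finding(NamedTuple):
    lineno: int
    entry: str
    severity: str    # "critical" or "review"
    overrides: dict  # non-empty fields following the name

def is_zero(value):
    value = value.strip()
    return value.isdigit() and int(value) == 0

def audit_compat_entries(lines):
    """Return a Finding for every '+'/'-' compat entry in passwd-format lines."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line[0] not in "+-":
            continue  # ordinary account line, blank line, or comment
        parts = line.split(":")
        parts += [""] * (len(FIELDS) - len(parts))  # short lines like "+::0::0"
        rec = dict(zip(FIELDS, parts))
        overrides = {k: v for k, v in rec.items() if k != "name" and v}
        # UID or GID forced to 0 on an include entry is the case from the thread.
        forced_root = line[0] == "+" and (is_zero(rec["uid"]) or is_zero(rec["gid"]))
        severity = "critical" if forced_root else "review"
        findings.append(Finding(lineno, line, severity, overrides))
    return findings

if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE
    for f in audit_compat_entries(lines):
        print(f"{f.severity:8} line {f.lineno}: {f.entry}  overrides={f.overrides}")
```

Every entry reported as "review" should match a line someone deliberately added; anything unexplained is a reason to investigate how the file was modified.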