Further thoughts: I don't know what this system is used for, but if it involves real-life financial matters, I can imagine a situation where an intruder set up a bogus user account with privileged access, did financial fiddling to issue checks, etc., then came back to erase their traces and accidentally deleted more than they meant to in the passwd file. So, keep records of what you find, in case it ends up needing to serve as legal evidence.
"John F. Eldredge" <[email protected]> wrote: > My guess about "how" is that someone manually edited the /etc/passwd > file for some reason, and, intentionally or unintentionally, deleted > the line referring to that user. I would advise retrieving a copy of > /etc/passwd from backup into a scratch directory, and comparing it to > the current file. I would also advise checking other logs for odd > entries, as this missing login could be a side effect of a clumsy > attempt to clean up after someone cracked the system. > > > Howard White <[email protected]> wrote: > > Have a client whose login has disappeared. I didn't do it nor do we > > > know who would know _how_ much less do it. > > > > Is there a common log that tracks adds, changes or deletes to > > /etc/passwd? > > > > Howard -- John F. Eldredge -- [email protected] "Reserve your right to think, for even to think wrongly is better than not to think at all." -- Hypatia of Alexandria -- -- You received this message because you are subscribed to the Google Groups "NLUG" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en --- You received this message because you are subscribed to the Google Groups "NLUG" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
