search for: chfn

My machine got hacked a few days ago through the samba bug. I reinstalled everything cvsuped src-all, and ran chkrootkit. No more LKM but still... Can anyone please advise ? bash-2.05b# chkrootkit | grep INFECTED Checking `chfn'... INFECTED Checking `chsh'... INFECTED Checking `date'... INFECTED Checking `ls'... INFECTED Checking `ps'... INFECTED -- Jay -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes D...

I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and noticed that chfn, date, and chsh showed as being infected. I remember reading post from the past that right now chkrootkit is giving alot of false positives, so I suspected that these 3 binaries are not bad. However, to be on the safe side, I deleted the 3 binaries, removed /usr/src and did a 'make world'...

Has anyone else seen chkrootkit (version 0.43) on 4.10-prerelease or later report chfn, chsh, and date as infected? I built world yesterday, and my nightly chkrootkit reports this on run. I've replaced the binaries with their 4.9 equivalents, and things don't report as infected. I upgrade the 4.9 machine to 4.10, and chkrootkit reports them as infected again. Is this sim...

...========================================= FreeBSD-SA-00:58 Security Advisory FreeBSD, Inc. Topic: chpass family contains local root vulnerability Category: core Module: chfn/chpass/chsh/ypchfn/ypchpass/ypchsh/passwd Announced: 2000-10-30 Credits: Problem fixed during internal auditing. Vulnerability pointed out by: caddis <caddis@DISSENSION.NET> Affects: FreeBSD 3.x (all releases), FreeBSD 4.0-RELEASE, FreeBSD 4.0-STABLE prior to the correction da...

Hey, Gang! To ensure that a file hasn't been corrupted or tampered with, you can use rpm to verify the package it came from. Well, I found this: rpm -Vv util-linux .... ........ /usr/bin/cal S.?..... /usr/bin/chfn ........ /usr/bin/chrt S.?..... /usr/bin/chsh .... Does anyone else get this? And what would be the proper course of action at this point? Thanks mucho. -- Without music, life would be a mistake. --Friedrich Nietzsche

Hi! Running chkrootkit on newly installed FreeBSD 5.0 got: -cut- Checking `basename'... not infected Checking `biff'... not infected Checking `chfn'... INFECTED Checking `chsh'... INFECTED Checking `cron'... not infected Checking `date'... INFECTED -cut- Checking `ls'... INFECTED -cut- Checking `ps'... INFECTED Checking `pstree'... not found -cut- What does it mean? Is my system really hacked?

Hi, I have a 4.9-STABLE FreeBSD box apparently hacked! Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs. Those are: chfn ... INFECTED chsh ... INFECTED date ... INFECTED ls ... INFECTED ps ... INFECTED But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED. I know by the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD vers...

I have an rsync daemon running on a FreeBSD 7.3 system. It is running rsync 3.0.4 with fileflags enabled. I have the following six files on it which are all hardlinks and have the immutable flag set: 6830483 -r-sr-xr-x 6 root wheel schg 33268 Jan 6 2005 chfn 6830483 -r-sr-xr-x 6 root wheel schg 33268 Jan 6 2005 chpass 6830483 -r-sr-xr-x 6 root wheel schg 33268 Jan 6 2005 chsh 6830483 -r-sr-xr-x 6 root wheel schg 33268 Jan 6 2005 ypchfn 6830483 -r-sr-xr-x 6 root wheel schg 33268 Jan 6 2005 ypchpass 6830483 -r-sr-xr-x 6...

Hello! I've found that on two FreeBSD 4.5-RELEASE boxes chkrootkit finds: Checking `chfn'... INFECTED Checking `chsh'... INFECTED Checking `date'... INFECTED Checking `ls'... INFECTED Checking `ps'... INFECTED recompiling, say, ls from souces didn't help. False positive or source changed as well? -- Alex.

...ing all of the relevant commands that they need to know about, in the sense of, "if you understand these commands, you should be fine." regarding user/group admin, my tentative list of commands would be: * user{add,mod,del} * group(add,mod,del} * passwd, gpasswd * chage, chsh, chfn * pwck, grpck * pwconv, pwunconv not sure what i'm missing here, i just typed those off the top of my head. rather than scatter all of that over an entire chapter, are there any official centos/rhel reference sheets like that? if not, i can just write my own and post them at my wiki. th...

Good morning all; Whils't running chkrootkit 0.42 on one of my 4.7-REL boxen it reported : <snip> Checking 'biff'...not infected ]: not found [: -ne: argument expected Checking 'chfn'...not infected ]: not found [: -ne: argument expected <snip> I've been unable to locate any information ref. the " ]: not found " and " [: -ne: argument expected " messages. If someone out there is familiar with this please clue me in! Thanks you y'all&...

On 08/02/15 06:51, Jason Long wrote: > Thanks a lot. > > [root at printmah ~]# getent passwd jason > jason:*:11303:10513:jason JASON:/home/JASONDOMAIN/jason:/bin/false > > But I can't login to Linux via AD username and it show me : > > > > Last login: Sun Feb 8 01:48:32 2015 > Could not chdir to home directory /home/JASONDOMAIN/jason: No such file or directory

...ason: No such file or directory > mkdir: cannot create directory ?/home/jason?: Permission denied > -sh-4.2$ > > > About "PAM", I have not the file that you said : > > > [root at printmah ~]# nano /etc/pam.d/ > atd password-auth smtp > chfn password-auth-ac smtp.postfix > chsh polkit-1 sshd > config-util postlogin su > crond postlogin-ac sudo > cups ppp sudo-i > fingerprint-auth remote...

...r : Could not chdir to home directory /home/jason: No such file or directory mkdir: cannot create directory ?/home/jason?: Permission denied -sh-4.2$ About "PAM", I have not the file that you said : [root at printmah ~]# nano /etc/pam.d/ atd password-auth smtp chfn password-auth-ac smtp.postfix chsh polkit-1 sshd config-util postlogin su crond postlogin-ac sudo cups ppp sudo-i fingerprint-auth remote su-l fingerprint-au...

...files up to date it I also want it to keep the OS up to date. I've run into a problem that I do not know how to fix. When I run the following command: rsync -aHXA --fileflags --force-change --no-inc-recursive master.server.com::all / I get the following error: rsync: link "/usr/bin/ypchfn" => usr/bin/ypchpass failed: Operation not permitted (1) rsync: link "/usr/bin/chsh" => usr/bin/ypchpass failed: Operation not permitted (1) rsync: link "/usr/bin/chpass" => usr/bin/ypchpass failed: Operation not permitted (1) rsync: link "/usr/bin/chfn"...

In the winbind docs it says the following: "In /etc/pam.d/* replace the auth lines with something like this:" By this (/etc/pam.d/*) do they mean that we change ALL the files in that directory? If not, what files do we change? Another set of docs i read for winbind stated that i should change the /etc/pam.d/samba file, but on my TurboLinux 6.5 and RH 7.1 systems that file doesn't

...gmail.com QAContact: rsync-qa at samba.org On FreeBSD 9.2 on amd64 system the following command is broken if a destination file marked schg already exists: rsync -axHAXSv --fileflags --force-schange --delete /usr/ /media/usrbak/ rsync: link "/media/usrbak/bin/chsh" => bin/ypchfn failed: Operation not permitted (1) rsync: link "/media/usrbak/bin/chpass" => bin/ypchfn failed: Operation not permitted (1) rsync: link "/media/usrbak/bin/chfn" => bin/ypchfn failed: Operation not permitted (1) rsync: link "/media/usrbak/bin/.ypchpass.2878" =&gt...

...ason: No such file or directory > mkdir: cannot create directory ?/home/jason?: Permission denied > -sh-4.2$ > > > About "PAM", I have not the file that you said : > > > [root at printmah ~]# nano /etc/pam.d/ > atd password-auth smtp > chfn password-auth-ac smtp.postfix > chsh polkit-1 sshd > config-util postlogin su > crond postlogin-ac sudo > cups ppp sudo-i > fingerprint-auth remote...

...ccounting: Dealing with lastlog and utmp; Authentication token Simple checks, cracklib; validation: Miscellaneous: pniam_rootok, pniam_count,pniam_nologin, pniam_allow and pniam_deny. We also incorporated PNIAM support in a quite a few, but important applications: - login - passwd - su - chfn - vlock - FTP - RADIUS - OpenSSH We consider OpenSSH as a crucial component of PNIAM-aware infrastructure. We ported all authentication schemes supported in OpenSSH 2.3.1p1: SSH1, SSH2 including keyboard-interactive, (although discussion with Martin Forssen showed that our implementation is...

...files as they were named in the rootkit. There are many set of trojanned source code trees out there, but the most prevailent seems to be Linux RootKit (LRK). This kit included lots of trojanned binary source, but is sloppily written. This is all LRK actually contains, from it''s readme: chfn: local backdoor chsh: local backdoor inetd: remote backdoor login: remote backdoor ls/du: hide files ifconfig: hide sniffing netstat: hide connections ps/top: hide processes passwd: localhost backdoor rshd: remote backdoor syslogd: hide log strings tcpd: avoid denials It also includes linsniff, and...