odd entry in /etc/passwd
So I just found an odd entry in /etc/passwd on one of my servers: +:::::: Of course I'm not running tripwire on it so I can't be assured of the last time I edited the file / did anything to edit it. etc/shadow doesn't have the entry but shadow is only checked if the second field is x, right? I'm running Suse and I've been using yast lately, could that have anything to do with it? I hope it does as I really hope I don't have to run a full audit on the box. tia -- Eric Martin
Eric Martin wrote:
So I just found an odd entry in /etc/passwd on one of my servers:
+::::::
Of course I'm not running tripwire on it so I can't be assured of the last time I edited the file / did anything to edit it. etc/shadow doesn't have the entry but shadow is only checked if the second field is x, right?
I'm running Suse and I've been using yast lately, could that have anything to do with it? I hope it does as I really hope I don't have to run a full audit on the box.
Looks like it's part of NIS/NIS+ configuration: http://www.cyberciti.biz/faq/plus-minus-sign-in-unix-linux-passwd-file/ -- Frank Sweetser fs at wpi.edu | For every problem, there is a solution that WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
On Tue, Apr 28, 2009 at 9:48 PM, Frank Sweetser <fs@wpi.edu> wrote:
Eric Martin wrote:
So I just found an odd entry in /etc/passwd on one of my servers:
+::::::
Of course I'm not running tripwire on it so I can't be assured of the last time I edited the file / did anything to edit it. etc/shadow doesn't have the entry but shadow is only checked if the second field is x, right?
I'm running Suse and I've been using yast lately, could that have anything to do with it? I hope it does as I really hope I don't have to run a full audit on the box.
Looks like it's part of NIS/NIS+ configuration:
people still use NIS?
http://www.cyberciti.biz/faq/plus-minus-sign-in-unix-linux-passwd-file/
-- Frank Sweetser fs at wpi.edu | For every problem, there is a solution that WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC _______________________________________________ Wlug mailing list Wlug@mail.wlug.org http://mail.wlug.org/mailman/listinfo/wlug
LDAP doesn't let your fingers do the walking... On Tue, Apr 28, 2009 at 9:57 PM, J.R. Mauro <jrm8005@gmail.com> wrote:
On Tue, Apr 28, 2009 at 9:48 PM, Frank Sweetser <fs@wpi.edu> wrote:
Eric Martin wrote:
So I just found an odd entry in /etc/passwd on one of my servers:
+::::::
Of course I'm not running tripwire on it so I can't be assured of the last time I edited the file / did anything to edit it. etc/shadow doesn't have the entry but shadow is only checked if the second field is x, right?
I'm running Suse and I've been using yast lately, could that have anything to do with it? I hope it does as I really hope I don't have to run a full audit on the box.
Looks like it's part of NIS/NIS+ configuration:
people still use NIS?
http://www.cyberciti.biz/faq/plus-minus-sign-in-unix-linux-passwd-file/
-- Frank Sweetser fs at wpi.edu | For every problem, there is a solution that WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC _______________________________________________ Wlug mailing list Wlug@mail.wlug.org http://mail.wlug.org/mailman/listinfo/wlug
_______________________________________________ Wlug mailing list Wlug@mail.wlug.org http://mail.wlug.org/mailman/listinfo/wlug
Frank Sweetser wrote:
Eric Martin wrote:
So I just found an odd entry in /etc/passwd on one of my servers:
+::::::
Of course I'm not running tripwire on it so I can't be assured of the last time I edited the file / did anything to edit it. etc/shadow doesn't have the entry but shadow is only checked if the second field is x, right?
I'm running Suse and I've been using yast lately, could that have anything to do with it? I hope it does as I really hope I don't have to run a full audit on the box.
Looks like it's part of NIS/NIS+ configuration:
http://www.cyberciti.biz/faq/plus-minus-sign-in-unix-linux-passwd-file/
Thanks Frank! I googled +:::::: and nothing came back. I was just about to go hit my Hacking Exposed books as I though I remembered something from there. NIS was off in Yast, but it's good to know that I'm (probably) not hacked.
participants (4)
-
Eric Martin -
Frank Sweetser -
J.R. Mauro -
Theo Van Dinter