[wplug] Breakin attempts against the nobody account

Bill Moran wmoran at potentialtech.com
Mon Mar 28 10:45:17 EST 2005


Jonathan Billings <jsbillings at gmail.com> wrote:
> On Mon, 28 Mar 2005 10:03:36 -0500, Bill Moran <wmoran at potentialtech.com> wrote:
> 
> > My question is: Are there systems out there with an unsecured "nobody"
> > account by default?  Or are there installation profiles that enable the
> > "nobody" account?
> > 
> > I'm just curious, since I'm not familiar with any way this would ever
> > work.
> 
> My guess would be that they aren't trying to break into a server that
> had a bad admin who set the "nobody" password, but rather there is
> some common script-kiddy script that sets a password for "nobody" to
> allow them to log in later, after the cleanup, since someone might not
> notice that a password was added.

That sounds pretty likely.  It (theoretically) shouldn't ever work on me,
because my scheduled maintenance scripts send me a diff of the password
file every day, so a change in the "nobody" entry would stick out like a
sore thumb.

Of course, if they were _really_ clever, they could break the scheduled
script so I never saw the change ...

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
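
An added example, not part of the original message and not Bill Moran's own maintenance scripts: a sketch of the daily password-file check described above, narrowed to flag a locked account such as "nobody" gaining a usable password. The function names, snapshot handling and sample entries are assumptions; printing a status line on every run is one way to notice when the check itself has stopped running.

```shell
#!/bin/sh
# Added example. Compares two snapshots of a shadow-style file
# (name:password-field:...). Paths and sample entries are constructed.
umask 077   # snapshots contain password hashes

# pw_changes OLD NEW -> one finding per line, sorted:
#   UNLOCKED u  password field went from locked ("*" or "!" prefix) to usable
#   CHANGED u   password field changed in any other way
#   ADDED u / REMOVED u
pw_changes() {
    awk -F: '
        function locked(f) { return f ~ /^[*!]/ }
        /^#/ || NF == 0 { next }
        side == "old" { old[$1] = $2; next }
        {
            cur[$1] = 1
            if (!($1 in old)) print "ADDED " $1
            else if (old[$1] != $2) {
                if (locked(old[$1]) && !locked($2)) print "UNLOCKED " $1
                else print "CHANGED " $1
            }
        }
        END { for (u in old) if (!(u in cur)) print "REMOVED " u }
    ' side=old "$1" side=new "$2" | sort
}

# pw_daily_check LIVE SNAPSHOT -> report, then roll the snapshot forward.
# Always prints a status line, so a day with no report is itself a signal.
pw_daily_check() {
    live=$1; snap=$2
    [ -f "$snap" ] || { cp -p "$live" "$snap"; echo "BASELINE created"; return 0; }
    findings=$(pw_changes "$snap" "$live")
    cp -p "$live" "$snap"
    [ -z "$findings" ] && { echo "OK no changes"; return 0; }
    echo "$findings"; return 1
}

# Constructed sample data: "nobody" goes from locked to having a hash.
make_samples() {
    printf '%s\n' 'root:$1$constructed$roothash:12870::::::' \
        'nobody:*:12870::::::' > "$1/old"
    printf '%s\n' 'root:$1$constructed$roothash:12870::::::' \
        'nobody:$1$constructed$nobodyhash:12870::::::' > "$1/new"
}

# Demo on the constructed samples; prints "UNLOCKED nobody".
d=$(mktemp -d) && make_samples "$d" && pw_changes "$d/old" "$d/new"
rm -rf "$d"
```

Keeping the snapshot and the report delivery on a separate host limits what someone with local access can tamper with.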

