Problem with user management

Darryl LeCount darryl at
Wed Jun 20 11:27:42 UTC 2007

Hi everyone, and thanks for answering so quickly. I'm sorry I had to
rant like that, but it was getting a little difficult. Anyway, to cover
points from everyone.

> Please post the results of an ls of the groups,shadow,password files,
> and also of the /home dir.
> lets see if something having to do with permitions is the cause of
> this strange behavior.

dlecount at jamyskis:~$ ls -l /etc/passwd
-rw-r--r-- 1 root root 2280 2007-05-29 17:33 /etc/passwd
dlecount at jamyskis:~$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1459 2007-06-14 19:24 /etc/shadow
dlecount at jamyskis:~$ ls -l /etc/group
-rw-r--r-- 1 root root 1097 2007-06-20 10:38 /etc/group

> Without more information (who else access this device) can't really
> determine much. However, if you have as many as 9 uses setup in it,
> it's very possible someone has been "playing" with your OS.
> First thin I might do - install chkrootkit and see if someone really
> has been "playing" with you. 

Most of the users are local - they only have an account because they
don't have a computer at home and thus can have their own home folder,
own settings, own Firefox bookmarks etc.

chkrootkit reported only one suspicious thing:

"Checking `z2'... user root deleted or never logged from lastlog!"

> Do other things such as review all you log files in /var/logs. With
> some luck, if someone has been "playing" one can hope they didn't
> cover tracks - and if that's the case, you could find your answer
> there.

I made one mistake in my post - it wasn't two, but three weeks ago (Sun
3 June) to be exact. Anyway, bearing in this mind, I found a few
interesting bits in my auth.logs. In the space of a week before Jun 3
I'd had two hack attempts, both through ssh. One had been trying to go
in through root, trying for about four minutes with a brute force method
(no luck though), another was trying random usernames (none of which
were right). Apart from that, nothing strange, just the auth.log entries
from when the kickup started. I've attached it.

> <snip>
> It seems you are not alone in having weird happenings from using this
> tool, if that is any consolation - but I don't know the actual answer,
> sorry. That might explain why you have had little response to your
> questions ( maybe no-one quite knows ?)
> I just thought, rather than people remaining entirely silent, this
> could
> set you on track to sorting the problem out. It could be worth digging
> in
> the gdm bugs too...
> </snip>

The bugs you mentioned didn't really have much bearing on my problem,
but you did give me an idea to search Launchpad and I did find one bug
that corresponded to my problem - bug #110854. Bug #95103 did relate to
it, but I'm not sure if the guy was experiencing the application crash,
and he is using ldap which I am not. I've added a comment seconding
#110854, as it is after two months still uncommented and unconfirmed:

I really appreciate the assistance Peter, Chris and Fernando. I wasn't
really looking for a firm solution, rather at the very least vague ideas
where the problem could be caused so I had something to work on. You
guys have at least piped up and said "it might be this, this or this"
which I think is excellent and I thank you guys.

>> Darryl

Darryl LeCount
darryl at

PGP Key: 1E94A0F1
To confirm the authenticity of this mail, add this key to your PGP
Um den Ursprung dieses E-Mails zu bestätigen, bitte diesen Schüssel in
Ihren PGP-Schlüsselbund einfügen.
Pour vérifier l'authenticité de ce courriel, ajoutez ce clé à votre
porte-clés PGP.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the ubuntu-users mailing list