mikegior
December 23rd, 2011, 03:16 PM
Hello all,
This morning I ran rkhunter to do a routine check of my system and it yielded some warnings when it came to the passwd and group checks.
[08:51:51] Info: Starting test name 'group_changes'
[08:51:51] Checking for group file changes [ Warning ]
[08:51:51] Warning: Changes found in the group file for group 'vboxusers':
[08:51:52] User 'michael' has been added to the group
[08:51:52] Warning: Group 'vde2-net' has been added to the group file.
[08:51:52] Warning: Group 'uml-net' has been added to the group file.
The line stating 'michael' has been added to the group 'vboxusers' is fine, I know I've done that, so it isn't news to me. However, the lines stating 'vde2-net' has been added to the group file as well as 'uml-net' are news to me and I'm uncertain as to what they are. It appears that these two were also added to the passwd file.
[08:51:51] Info: Starting test name 'passwd_changes'
[08:51:51] Checking for passwd file changes [ Warning ]
[08:51:51] Warning: User 'vde2-net' has been added to the passwd file.
[08:51:51] Warning: User 'uml-net' has been added to the passwd file.
So I went and took a look at the end of /etc/passwd to see what these two things are and this is what it entails:
vde2-net:x:117:130::/var/run/vde2:/bin/false
uml-net:x:118:131::/home/uml-net:/bin/false
/home/uml-net does not exist and /var/run/vde2 does not appear to exist either. I'm not sure what 'uml-net' and 'vde2' are, but I'm sure they aren't malicious. My main concern is a bad configuration of some sort which could lead to other issues/vulnerabilities.
Any ideas?
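
One way to triage the accounts rkhunter flagged in the post above, as an added example that is not part of the original post: it pulls the newly added users out of the log and checks their passwd fields for a login shell, UID 0, an empty password field or a regular-user UID. The log lines and passwd entries are copied from the post; the non-login shell list and the UID 999 boundary are assumptions (Debian/Ubuntu defaults).

```python
import re

# Log lines and passwd entries copied from the post above.
RKHUNTER_LOG = """\
[08:51:51] Warning: Changes found in the group file for group 'vboxusers':
[08:51:52] User 'michael' has been added to the group
[08:51:52] Warning: Group 'vde2-net' has been added to the group file.
[08:51:52] Warning: Group 'uml-net' has been added to the group file.
[08:51:51] Warning: User 'vde2-net' has been added to the passwd file.
[08:51:51] Warning: User 'uml-net' has been added to the passwd file.
"""
PASSWD = """\
vde2-net:x:117:130::/var/run/vde2:/bin/false
uml-net:x:118:131::/home/uml-net:/bin/false
"""

ADDED = re.compile(r"Warning: (User|Group) '([^']+)' has been added to the (?:passwd|group) file")
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}  # assumption
SYSTEM_UID_MAX = 999  # assumption: Debian/Ubuntu default, see UID_MIN in /etc/login.defs

def added_entries(log):
    """Return (kind, name) pairs for users and groups rkhunter reports as new."""
    return [(m.group(1).lower(), m.group(2)) for m in ADDED.finditer(log)]

def triage_user(name, passwd_text):
    """List what deserves a closer look in a newly added account's passwd fields."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or fields[0] != name:
            continue
        uid, shell = int(fields[2]), fields[6]
        findings = []
        if uid == 0:
            findings.append("uid 0 (root-equivalent)")
        if shell not in NOLOGIN_SHELLS:
            findings.append(f"login shell {shell}")
        if fields[1] == "":
            findings.append("empty password field")
        if uid > SYSTEM_UID_MAX:
            findings.append(f"uid {uid} is in the regular-user range")
        return findings or ["system uid, no login shell"]
    return ["reported by rkhunter but missing from passwd"]

def report(log=RKHUNTER_LOG, passwd_text=PASSWD):
    """Triage every user (not group) that the log reports as added."""
    return {name: triage_user(name, passwd_text)
            for kind, name in added_entries(log) if kind == "user"}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "->", "; ".join(findings))
```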