Strange user and error while deleting the file "there was a problem with the network"

Recently I noticed that when deleting any file from any directory I get an error (no number): "There was a problem with the network". I used the Android application Solid Explorer. At first I dropped everything on the application itself, but then I checked it on another FTP and everything is fine there. The error is reproduced both from the local network (inside) and from the cloud.

Then I went over SSH and looked at users and found "zK9UKHeN6BOT-9hAvh*****" (the last five characters are replaced by * for security reasons). What kind of user is this? Has anyone encountered such problems?

All Replies

  • Derweis

    I also consulted with a friend; he said to look at the logs in the /var/log directory, but there is nothing there except for two files.
  • Mijzelf
    Mijzelf Posts: 2,607  Guru Member
    Did you use Solid Explorer as FTP client? If yes, does Samba show the same problems?
    > Then I went over SSH and looked at users and found "zK9UKHeN6BOT-9hAvh*****"
    Where did you find that user?
    > look at the logs in the /var/log directory, but there is nothing there except for two files
    That is normal. The NAS isn't a full-featured Linux box. The log directory is in RAM, so ZyXEL tuned the system to log as little as possible (and that logdir isn't accessible for 'ordinary users' anyway).
  • Derweis
    Yes, as a customer, Samba is fine. There is such a user in the /home/ folder.

    I also looked at the list of users through the cat /etc/passwd command.
  • Mijzelf
    It's a bit hard to read your response. Do you mean the user has its own home directory and can also be found in /etc/passwd, or is it not in /etc/passwd?
    I checked my NAS520, and it doesn't have such a user. It /might/ be an internal user of some package, and I'm thinking of Dropbox or Google Drive, or something like that. Can you see any process running in that user's context when running 'top'? If it is in /etc/passwd, can you share the line and position (is it the last one?)
    Does the directory in /home survive a reboot? (/home is in a ramdrive, so it has to be repopulated on reboot.)

    If Samba doesn't have this problem, then I would have a look at the file permissions.
    ls -l /i-data/sysvol/<sharename>

    AFAIK Samba runs as root, but pure-ftpd spawns a subprocess in the logged-in user's context, so that could cause the difference if the permissions aren't right.
  • Derweis
    This user (zK9UKHeN6BOT-9hAvh*****) is in /etc/passwd. I looked at the process manager (command "top") and there is nothing with this user; there is only root, admin, mysql, nobody. The user (zK9UKHeN6BOT-9hAvh*****) occupies the last line in the /etc/passwd list. Sorry for my English, I don't know it at all (((
  • Mijzelf
    Can you post that line? Assuming it's a rogue user, I have a hard time thinking why this user is added to passwd. To change passwd you need to be root. If some malware runs as root, why would it add a user? The only reason I can think of is that it adds a second root user (in which case the user and group id both are 0), with its own password (in which case the password field is either 'x' (the password is in /etc/shadow) or some hash), or its own home directory containing an ssh certificate in .ssh/.
    This way an injected 'adduser' in some init script could open the box for root shell access from outside.
    If this user doesn't have a login password, nor a home directory containing .ssh/ with a certificate, and there is no process running within its context, I don't get the purpose.
  • Derweis
    zK9UKHeN6BOT-9hAvh*****:x:5001:500:type&portal_dev_owner:/home/zK9UKHeN6BOT-9hAvh*****:/bin/sh

    Here is the complete line. In /etc/shadow, only root has a character set. All other users have a similar data set. The problematic user has this: zK9UKHeN6BOT-9hAvh*****:!:19004:0:99999:7:::
    (for example, here is a user created by me personally: home:!:19004:0:99999:7:::).
    He has nothing in his home directory /home/



  • Derweis
    Derweis Posts: 8
    edited January 2022
    I found pairs of files in /etc that differ by "-" (group, passwd and shadow). Should this be?
  • Mijzelf
    That user doesn't have shell access. No password, and no certificate.

    You can try to find the package causing this:

    cd /i-data/sysvol/.PKG/
    grep -r "zK9UKHeN6" *

    > I found pairs of files in /etc that differ by "-" (group, passwd and shadow). Should this be?
    Yes, that is normal. It is the backup of the previous version created by adduser & friends.
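
The checks walked through in this thread (a second UID 0 entry, a usable password field in /etc/shadow, keys under .ssh/ in the home directory), applied to every account in one pass. This is an added example, not part of the original posts: the function names, the svc2 account, the placeholder hash and the key line are constructed, and looking for authorized_keys specifically is an assumption about where a login key would sit.

```shell
#!/bin/sh
# Usage: audit_accounts PASSWD SHADOW [ROOT_PREFIX]
# One line per account: UID, password state, SSH keys, login verdict.
audit_accounts() {
    passwd_file=$1 shadow_file=$2 prefix=${3:-}
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        # 'x' means the real field is in shadow; a missing entry counts as locked.
        if [ "$pw" = x ]; then
            pw=$(awk -F: -v n="$name" '$1 == n { print $2; f = 1; exit }
                END { if (!f) print "!" }' "$shadow_file")
        fi
        case $pw in
            '')        pwstate=empty ;;   # logs in without any password
            '!'*|'*'*) pwstate=locked ;;  # no password can ever match
            *)         pwstate=hash ;;
        esac
        keys=nokeys
        [ -s "$prefix$home/.ssh/authorized_keys" ] && keys=keys
        verdict=no-login
        if [ "$pwstate" != locked ] || [ "$keys" = keys ]; then verdict=LOGIN; fi
        case $shell in */nologin|*/false) verdict=no-login ;; esac
        [ "$uid" = 0 ] && [ "$name" != root ] && verdict="$verdict,UID0-DUP"
        printf '%s uid=%s pw=%s keys=%s %s\n' "$name" "$uid" "$pwstate" "$keys" "$verdict"
    done < "$passwd_file"
}

# Constructed sample: root, the thread's masked entry as posted, and a made-up
# "svc2" showing the second-root-with-key case described in the thread.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
zK9UKHeN6BOT-9hAvh*****:x:5001:500:type&portal_dev_owner:/home/zK9UKHeN6BOT-9hAvh*****:/bin/sh
svc2:x:0:0::/home/svc2:/bin/sh
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$constructed$placeholderhash:19004:0:99999:7:::
zK9UKHeN6BOT-9hAvh*****:!:19004:0:99999:7:::
svc2:!:19004:0:99999:7:::
EOF
    mkdir -p "$d/home/svc2/.ssh"
    echo 'ssh-ed25519 CONSTRUCTED-KEY demo' > "$d/home/svc2/.ssh/authorized_keys"
    echo "$d"
}

sample=$(make_sample)
audit_accounts "$sample/passwd" "$sample/shadow" "$sample"
rm -rf "$sample"
```

On the NAS itself the call would be `audit_accounts /etc/passwd /etc/shadow` as root; the third argument exists only so the sample can run against a temporary directory.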

