The business was closed yesterday (Sunday) when the following line
"appeared" in the /etc/passwd at 8:35am.


I know that

(1) that line wasn't there on Friday because I added a user in the
afternoon. This "(null)" user appears 36 hours after my last added
user and the file date stamp is 8:35 yesterday.

(2) everyone with root authority has been contacted. Nobody was in the
system yesterday.

(3) PowerChute reboots the server every Sunday at 8am. The system was
fully booted at 8:24am, therefore the change to /etc/passwd happened 11
minutes after the system was booted.

I ran an authck, and found that the (null) user was not part of the
protected database ... FWIW. The system was rebooted since then, so I
can't use the "last" command to see who logged in. They have an
internet connection, but the firewall prevents all inbound connections
to the Unix server. I can telnet and ftp out, however.

Nothing odd appears in the /usr/adm/messages or syslog files.

Does this look familiar to anyone? I've worked with SCO for 10,000
years, and this is the first time I've seen (null) in the /etc/passwd,
and the first time a user appeared as if from a divine power.


System Info:

MenuPort Interface (MPI) Package (ver 4.2.0)
Netscape Communicator (ver 4.7.0e)
SCO Advanced File and Print Server 4.0 (ver 4.0.2)
SCO OpenServer Enterprise System (ver 5.0.6j)
SCO Symmetrical Multiprocessing (ver 1.1.1Ga)
SCO AFPS 4.0.2 Supplement APP619B (ver 1.0)

*The system has been running without problem for years. No new
software has been installed for over a year.