tracing root cause of new malicious user created

Alicelinux

New Member
Joined
Sep 23, 2018
Messages
23
Reaction score
0
Credits
0
I found a newly created malicious account, mbit; it was created by root one week ago. My question is how to identify when the root account was compromised. Any steps to follow?

Also, does the hacker know the root password? Without the root password, how can a hacker create a malicious user? Can this be done without the root password by using a rootkit? Thanks.
 


Bayou Bengal

Active Member
Joined
Sep 14, 2017
Messages
189
Reaction score
220
Credits
77
First I'd change my root password, then delete this malicious user account. Perhaps even go so far as to create a new user account, make it root, and delete your current root account. Then make sure your router firewall is turned on, and your Linux firewall is enabled.
In most versions, to enable the Linux firewall, just open the terminal and type:
Code:
sudo ufw enable

You might also do a factory reset on your router, then make sure the router firmware is current (if not, update it) after you turn the router firewall on.
 
OP

Alicelinux

New Member
Joined
Sep 23, 2018
Messages
23
Reaction score
0
Credits
0
Thanks for your reply. As my thread is asking about the root cause, your answer is more on the mitigation part. I'm investigating how root was compromised and the steps we need to check in order to find the root cause. Are you able to share ideas on this part?
 

Condobloke

Well-Known Member
Joined
Apr 30, 2017
Messages
5,570
Reaction score
4,661
Credits
33,867
Do you use this PC with Red Hat as part of a business, or for home/family use?
 

arochester

Moderator
Staff member
Gold Supporter
Joined
Apr 25, 2017
Messages
1,689
Reaction score
1,352
Credits
3,462
How did you discover this account and how did you decide that it was malicious?
Have you run e.g. clamav?
What is the output of: compgen -u
Do you run a media server or watch streamed movies?
Have you downloaded anything using a torrent?
 
OP

Alicelinux

New Member
Joined
Sep 23, 2018
Messages
23
Reaction score
0
Credits
0
I run Red Hat Linux for friends' use; it is an FTP server with ports 21, 22, 443 and 80 open. I only have a few accounts. Last Sunday I found that a new account, mbit, had been created; an antivirus check then found a lot of malware. I didn't download movie torrents. In /etc/passwd, the account mbit is there.

To correct one thing: I don't know who created this mbit account. Is there any way to check? The account appears in compgen -u.
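One place to start on the "who created mbit, and when" question on a Red Hat box is the authentication log, since shadow-utils `useradd` writes a `new user: name=...` line to /var/log/secure and sshd writes an `Accepted ...` line for every successful remote login. The script below is an added example, not something posted in this thread; it runs the triage against constructed sample log and passwd files (the hostname, timestamps, addresses and the extra `toor` entry are made up) so it can be tried offline, and on a real system you would point the functions at /var/log/secure* and /etc/passwd instead. Two caveats: an intruder who already has root can truncate or edit the log, so an empty result is inconclusive, and an account added by editing /etc/passwd by hand leaves no `useradd` line at all, which is why the UID 0 and interactive-shell checks look at the passwd file directly.

```shell
#!/bin/sh
# Added triage example (not from the thread). Assumes RHEL-style /var/log/secure
# entries from shadow-utils useradd and OpenSSH; the log and passwd content
# below are constructed samples, not real data.
set -e

# --- constructed sample inputs -------------------------------------------
SAMPLE_LOG=$(mktemp)
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_PASSWD"' EXIT

cat > "$SAMPLE_LOG" <<'EOF'
Sep 16 02:11:03 ftpbox sshd[2101]: Accepted password for root from 203.0.113.45 port 51822 ssh2
Sep 16 02:11:03 ftpbox sshd[2101]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 16 02:13:40 ftpbox useradd[2150]: new group: name=mbit, GID=1005
Sep 16 02:13:40 ftpbox useradd[2150]: new user: name=mbit, UID=1005, GID=1005, home=/home/mbit, shell=/bin/bash
Sep 16 02:14:02 ftpbox passwd[2160]: pam_unix(passwd:chauthtok): password changed for mbit
Sep 16 02:20:11 ftpbox sshd[2101]: pam_unix(sshd:session): session closed for user root
Sep 17 09:00:12 ftpbox sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
EOF

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
mbit:x:1005:1005::/home/mbit:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF

# --- checks -------------------------------------------------------------

# 1. When was the account created? useradd logs "new user: name=<n>, ...".
user_creation_events() {   # $1 = log file, $2 = account name
    grep -E "useradd\[[0-9]+\]: new user: name=$2," "$1" || true
}

# 2. Which remote login was active just before the creation? Walks the log in
#    order, remembering the most recent sshd "Accepted" line until useradd fires.
login_before_creation() {  # $1 = log file, $2 = account name
    awk -v u="$2" '
        /sshd\[[0-9]+\]: Accepted / { last = $0 }
        /useradd\[[0-9]+\]: new user: name=/ && index($0, "name=" u ",") { print last; exit }
    ' "$1"
}

# 3. Any extra UID 0 accounts? A second root-equivalent entry is a classic
#    backdoor and does not need useradd to exist.
uid0_accounts() {          # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 4. Which accounts can actually log in? compgen -u lists every account,
#    including system ones whose shell is nologin or false.
interactive_accounts() {   # $1 = passwd file
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Run against the samples (on a real box: /var/log/secure* and /etc/passwd).
echo "creation:";                user_creation_events "$SAMPLE_LOG" mbit
echo "login active just before:"; login_before_creation "$SAMPLE_LOG" mbit
echo "extra UID 0 accounts:";    uid0_accounts "$SAMPLE_PASSWD"
echo "interactive accounts:";    interactive_accounts "$SAMPLE_PASSWD"
```

On the sample data the creation of mbit lands inside a root session that was opened with a password from an unfamiliar address two minutes earlier, which is the kind of link between a login and a `useradd` that answers "who created it" when the log is intact. Rotated copies (/var/log/secure-YYYYMMDD) cover the week in question, and `last -f /var/log/wtmp` and `lastlog` give a second, independently written record of logins to compare against.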
 