tracing root cause of new malicious user created

Alicelinux (New Member, joined Sep 23, 2018):
I found a newly created malicious account, mbit; it was created by root one week ago. My question is how to identify when the root account was compromised. Are there any steps to follow?

Also, does the hacker know the root password? Without the root password, how can a hacker create a malicious user? Can this be done without the root password by using a rootkit? Thanks.
 


First I'd change my root password, then delete this malicious user account. Perhaps even go so far as to create a new user account, make it root, and delete your current root account. Then make sure your router firewall is turned on and your Linux firewall is enabled.
In most versions, to enable the Linux firewall just open the terminal and type:
Code:
sudo ufw enable

You might also do a factory reset on your router, then make sure the router firmware is current; if not, update it after you turn the router firewall on.
 
Thanks for your reply. As my thread is asking about the root cause, your answer is more on the mitigation part, so I'm investigating how root was compromised and the steps we need to check in order to find the root cause. Are you able to share ideas on this part?
 
Do you use this PC with Red Hat as part of a business, or for home/family use?
 
How did you discover this account and how did you decide that it was malicious?
Have you run e.g. clamav?
What is the output of: compgen -u
Do you run a media server or watch streamed movies?
Have you downloaded anything using a torrent?
 
I run Red Hat Linux for friends' use; it is an FTP server with ports 21, 22, 443 and 80 open. I only have a few accounts. Last Sunday, I found that a new account mbit had been created; an antivirus check then found a lot of malware. I didn't download movie torrents. In /etc/passwd, the account mbit is there.

To correct one thing: I don't know who created this mbit account. Is there any way to check? The account appears in compgen -u.
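The question of who created the account and whether the root password was needed can be answered from the host's own logs, as long as they were not wiped. The script below is an added example and is not from the thread or any poster. It assumes the syslog lines that shadow-utils' useradd, OpenSSH's sshd and sudo write to /var/log/secure on a Red Hat style host (Debian-derived systems write the same lines to /var/log/auth.log); the host name ftp1, the addresses 203.0.113.45 and 192.0.2.10, the accounts alice, bob, deploy and sysdaemon, and the process IDs are constructed sample data, not anything observed on the poster's server. It finds the useradd event for a named account, lists which SSH sessions were open at that moment (and from where), checks whether the account was added through sudo by a named user, and flags any account other than root that carries UID 0, which is root under another name and needs no knowledge of root's password once it exists.

```sh
#!/bin/sh
# Added example, not from the thread. The two SAMPLE_* strings are constructed
# log and passwd data; replace them with the real /var/log/secure and
# /etc/passwd contents to run this against an actual host.

SAMPLE_SECURE='Sep 15 18:01:40 ftp1 sshd[11790]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
Sep 15 18:01:40 ftp1 sshd[11790]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Sep 15 18:02:10 ftp1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd deploy
Sep 15 18:02:10 ftp1 useradd[11800]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash
Sep 15 18:05:00 ftp1 sshd[11790]: pam_unix(sshd:session): session closed for user alice
Sep 16 03:09:58 ftp1 sshd[12001]: Failed password for root from 203.0.113.45 port 51230 ssh2
Sep 16 03:10:02 ftp1 sshd[12001]: Accepted password for root from 203.0.113.45 port 51234 ssh2
Sep 16 03:10:02 ftp1 sshd[12001]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 16 03:12:44 ftp1 useradd[12345]: new group: name=mbit, GID=1004
Sep 16 03:12:44 ftp1 useradd[12345]: new user: name=mbit, UID=1004, GID=1004, home=/home/mbit, shell=/bin/bash
Sep 16 03:12:50 ftp1 passwd[12350]: pam_unix(passwd:chauthtok): password changed for mbit
Sep 16 03:15:31 ftp1 sshd[12001]: pam_unix(sshd:session): session closed for user root
Sep 16 09:30:11 ftp1 sshd[12400]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
deploy:x:1003:1003::/home/deploy:/bin/bash
mbit:x:1004:1004::/home/mbit:/bin/bash
sysdaemon:x:0:0::/var/tmp:/bin/bash'

# When was account $1 created, and by which useradd process?
# Prints "<timestamp> <pid>", or nothing if useradd never logged it
# (which itself is a finding: log wiped, or /etc/passwd edited directly).
creation_event() {
  printf '%s\n' "$SAMPLE_SECURE" |
    sed -n "s/^\([A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]*\) [^ ]* useradd\[\([0-9]*\)\]: new user: name=$1,.*/\1 \2/p"
}

# Which SSH sessions were open at the moment useradd ran for account $1?
# Syslog files are chronological, so walk the log in order, track each
# sshd pid's "session opened"/"session closed" and its source address, and
# dump the still-open set when the useradd line for the account appears.
sessions_open_at_creation() {
  printf '%s\n' "$SAMPLE_SECURE" | awk -v acct="$1" '
    function pid_of(f,  p) { p = f; sub(/^[a-z]+\[/, "", p); sub(/].*/, "", p); return p }
    $5 ~ /^sshd\[/ && /: Accepted / {
      s = $0; sub(/.* from /, "", s); sub(/ port .*/, "", s); src[pid_of($5)] = s
    }
    $5 ~ /^sshd\[/ && /session opened for user / {
      u = $0; sub(/.*session opened for user /, "", u); sub(/ by .*/, "", u); open[pid_of($5)] = u
    }
    $5 ~ /^sshd\[/ && /session closed for user / { delete open[pid_of($5)] }
    $5 ~ /^useradd\[/ && index($0, "new user: name=" acct ",") {
      for (k in open) printf "%s via sshd[%s] from %s\n", open[k], k, src[k]
      exit
    }'
}

# If account $1 was added through sudo, the sudo line names the real user.
# An empty result means useradd ran from a session that was already root.
sudo_useradd_by() {
  printf '%s\n' "$SAMPLE_SECURE" |
    sed -n "s/^.* sudo: *\([^ ]*\) : .*COMMAND=.*useradd .*$1.*/\1/p"
}

# Any account other than root with UID 0 is a backdoor root account.
uid0_aliases() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Run against the constructed data.
echo "mbit created:          $(creation_event mbit)"
echo "ssh sessions open then: $(sessions_open_at_creation mbit)"
echo "added via sudo by:     $(sudo_useradd_by mbit)"
echo "uid-0 aliases:         $(uid0_aliases)"
```

Read together, the four results answer the thread's question for the constructed data: mbit was added at 03:12:44 from an SSH session that had authenticated as root by password from 203.0.113.45 a few minutes earlier, after at least one failed attempt, so here the attacker did know (or guessed) the root password; deploy, by contrast, was added by alice through sudo, which is the path that needs root privilege but not root's password. A rootkit or a privilege-escalation exploit would leave no sudo line and no root login at all, and on a real host an empty creation_event for an account that is present in /etc/passwd means the log was cleared or the file was written directly, so also compare the file's modification time from `stat /etc/passwd` with the log, and check `last` and `lastlog` for sessions the attacker may have missed when cleaning up.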