Web Hosting Talk
Another interesting hack


goodness0001
08-04-2002, 04:59 PM
I have a spare server as well sitting around and I was surprised to see what I found. I found an extra user in the /etc/passwd file that had shell access (I did not add this person), and they created an account within the Plesk setup (/usr/local/psa/home/vhosts/theirfakedomain/).

Inside, of course, was some warez. I checked the access to the server and they only accessed it by FTP. I also found something they created in the crontab, which was /usr/lib/sa, some sort of encrypted script that appeared to be running every 10 minutes; it was deleting any backups I put on the server and also logged anyone out of SSH at the time of execution. I searched and did scans for rootkits and there wasn't any that I could see, and from what I could tell they never got to root access, because they never changed passwords or messed with the server except the couple of files I had on there and then of course their uploads.

So, how did they create the user within Red Hat, especially if they never got to root access? Or did they, and they are hiding it?

acidHL
08-04-2002, 06:22 PM
The only way I know of for a user to execute root commands is to have been assigned the relevant permissions with sudo...


I'm stumped.

CitadelHost
08-04-2002, 06:36 PM
If they didn't want to get caught, they wouldn't change the root password or else it would be obvious that the box had been compromised.

I think it would be a really good idea if everyone could step up their security and not leave unused boxes around without securing them, because this makes the internet a little less insecure, since it creates a platform for attackers to launch their attacks.

Lagniappe-labgeek
08-05-2002, 10:43 AM
/usr/lib/sa is usually there as a directory (system activity). See man sar for details.

jkca
08-05-2002, 11:04 AM
The only way to add a user is to do it through root, or your perms on the passwd/shadow files are set wrong. Check all your processes that are running as root and make sure there isn't a security update for them. The best thing to do is make sure all processes connecting to socket connections do not run as root.
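A small audit for the checks the replies point at (an unexpected login account in /etc/passwd, a second UID-0 account, and the permissions on passwd/shadow), added here as an example and not code posted by anyone in the thread; the sample passwd content and the account names in it are constructed.

```shell
#!/bin/sh
# Added example (not code posted in the thread): a quick audit for the points
# raised above, run against a passwd-format file:
#   1. every account that still has a real login shell,
#   2. any account with UID 0 other than root (a planted second root), and
#   3. whether passwd/shadow are writable by group or others, which would let
#      a non-root user append an account without ever having root.

# Accounts whose shell field is empty (login defaults to /bin/sh) or is not a
# known no-login shell; one account name per line.
shell_accounts() {
    awk -F: '$7 == "" || $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }' "$1"
}

# Accounts with UID 0 that are not named root.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Prints WRITABLE if the group or other permission bits include write, else ok.
# Uses ls -ld so it works without read access to the file itself.
writable_by_others() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *w*) echo WRITABLE ;;
        *)   echo ok ;;
    esac
}

# Constructed sample passwd content in the shape of the thread's finding: an
# extra login account homed under the Plesk vhosts tree, plus a second UID 0.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
psaadm:x:48:48:Plesk admin:/usr/local/psa/admin:/sbin/nologin
webuser:x:501:501::/usr/local/psa/home/vhosts/theirfakedomain:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF

echo "accounts with a login shell:"; shell_accounts "$SAMPLE"
echo "extra UID-0 accounts:";        extra_uid0 "$SAMPLE"
echo "/etc/passwd: $(writable_by_others /etc/passwd)"
echo "/etc/shadow: $(writable_by_others /etc/shadow)"
# On a real box: shell_accounts /etc/passwd; extra_uid0 /etc/passwd
```

Any name printed by extra_uid0, or by shell_accounts that you did not create yourself, is the account to investigate first.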