  1. #1
    Join Date
    Sep 2008
    Location
    NL,IR
    Posts
    1,491

    hacker get root access

    Hi everyone. I have been monitoring the /etc/passwd file on one of our servers and see that there are two root-privilege users there:

    [root@server tmp]# awk -F: '($3 == "0") {print}' /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    maka:x:0:0::/home/www:/bin/bash

    Then I tried to log out and remove user "maka".
    After logging out user maka, the root user (I had logged in to the server with the root password) was logged out!!!!

    I don't know the reason. I also checked for new files and found a /var/maka folder with several files like:

    a common gen-pass.sh go-b mfu.txt pico screen ss
    bios.txt freez go-a hpiod pass_file pscan2 secure vuln.txt

    Any idea?

  2. #2
    Join Date
    Jul 2005
    Location
    here, there, where?
    Posts
    4,101
    So the maka user was set to root's uid/gid, most likely via usermod or perhaps via adduser --uid 0 -o. Though that would mean they had root in some way beforehand. Do you have any scripts that do user creation? Is sudo open to any users?

    A further security audit would be needed. Logs checked, history, etc (though those can be wiped clean). rkhunter perhaps -- if you already ran it and it hasn't been modified. Contact Rack911 or similar security company for a security audit of the server.

    At the end of the day, if the server has indeed been rooted, a restore of data backups to a new install would be the best. Just don't restore system files, just data files. And then the exploit could be hidden in those files.
    -Steven | Cooini, LLC
    "It is the mark of an educated mind to be able to entertain a thought without accepting it" -Aristotle

  3. #3
    Join Date
    Sep 2008
    Location
    NL,IR
    Posts
    1,491
    The question is how can I remove this user (which has root access, "maka")?

  4. #4
    Join Date
    Jul 2005
    Location
    here, there, where?
    Posts
    4,101
    userdel maka

    Though you might want to change the uid first via usermod else it might cause some issues deleting a uid 0 account.
    -Steven | Cooini, LLC
    "It is the mark of an educated mind to be able to entertain a thought without accepting it" -Aristotle

  5. #5
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,992
    I would say that box is far more jacked up than it's worth to put your clients' data at risk. I'd suggest wiping it clean and do your best to restore safe backups, go back maybe three/four days if you can afford it. Inspect the backups manually if you have to, and get yourself a malware scanner. See if it finds anything after the restores are complete.

    Someone had root access to the box. Full root access. Do you really want to cut corners here?

  6. #6
    Join Date
    Jul 2013
    Posts
    296
    He got root access using a kernel bug and succeeded in creating a root user; you should patch all of your software as soon as possible.

  7. #7
    Join Date
    Mar 2005
    Location
    Ten1/0/2
    Posts
    2,529
    Start with Fdisk ... You lost control of root, so you can no longer trust anything installed.
    CPanel Shared and Reseller Hosting, OpenVZ VPS Hosting. West Coast (LA) Servers and Nodes
    Running Linux since 1.0.8 Kernel!
    Providing Internet Services since 1995 and Hosting Since 2004

  8. #8
    Join Date
    Sep 2008
    Location
    NL,IR
    Posts
    1,491
    I have updated the kernel and all software to the latest version.
    I mentioned that I had logged in to the server with the root username; when I tried to log out user "maka" the server logged me (root) out. !!! Any idea?

  9. #9
    Join Date
    Apr 2007
    Location
    Everywhere
    Posts
    273
    Quote Originally Posted by mixmox:
    I have updated the kernel and all software to the latest version.
    I mentioned that I had logged in to the server with the root username; when I tried to log out user "maka" the server logged me (root) out. !!! Any idea?
    Try:

    usermod -u 10000 maka

    Then verify it by running:

    id maka

    If the UID of user maka is changed successfully to 10000 then you can delete the account by using the "userdel maka" command.

    Please note that, They may have placed a backdoor, SSH key or any other hidden users on your server. You need either to move your data to another secure server or ask your server management to investigate it further more for you to determine the best course of actions.

  10. #10
    Join Date
    Mar 2005
    Location
    Ten1/0/2
    Posts
    2,529
    Quote Originally Posted by mixmox:
    I have updated the kernel and all software to the latest version.
    I mentioned that I had logged in to the server with the root username; when I tried to log out user "maka" the server logged me (root) out. !!! Any idea?
    I think I covered this already....

    Quote Originally Posted by RRWH:
    Start with Fdisk ... You lost control of root, so you can no longer trust anything installed.
    CPanel Shared and Reseller Hosting, OpenVZ VPS Hosting. West Coast (LA) Servers and Nodes
    Running Linux since 1.0.8 Kernel!
    Providing Internet Services since 1995 and Hosting Since 2004

  11. #11
    Join Date
    Sep 2008
    Location
    NL,IR
    Posts
    1,491
    [root@server ~]# usermod -u 10000 maka
    usermod: user maka is currently logged in

    but the who command does not show him

  12. #12
    Join Date
    Mar 2005
    Location
    Ten1/0/2
    Posts
    2,529
    How many times do we need to say it - Format this server ASAP - someone else has control of it. If you cannot see them logged in, then they have already replaced binaries to hide themselves. Start with FDISK and re-build this System ASAP -THERE IS NO SAVING IT.
    CPanel Shared and Reseller Hosting, OpenVZ VPS Hosting. West Coast (LA) Servers and Nodes
    Running Linux since 1.0.8 Kernel!
    Providing Internet Services since 1995 and Hosting Since 2004

  13. #13
    Join Date
    Sep 2008
    Location
    NL,IR
    Posts
    1,491
    Quote Originally Posted by RRWH:
    How many times do we need to say it - Format this server ASAP - someone else has control of it. If you cannot see them logged in, then they have already replaced binaries to hide themselves. Start with FDISK and re-build this System ASAP -THERE IS NO SAVING IT.
    I know I have to format the server and I will. I want to know the reason I can't log out the attacker: why does running "logout maka" force "logout root" too?
    Any idea which binary files have been modified, and more about this attack?

  14. #14
    Join Date
    Jul 2005
    Location
    here, there, where?
    Posts
    4,101
    Quote Originally Posted by mixmox:
    I know I have to format the server and I will. I want to know the reason I can't log out the attacker: why does running "logout maka" force "logout root" too?[...]
    Logout is to logout of the current session, the one you're using. You would kill their session via a kill command and kill their session pid.
    -Steven | Cooini, LLC
    "It is the mark of an educated mind to be able to entertain a thought without accepting it" -Aristotle

  15. #15
    Join Date
    Sep 2008
    Location
    NL,IR
    Posts
    1,491
    The problem is I can't find the session ID of the hacker.

  16. #16
    1. check startup/shutdown scripts
    2. limit SSH access with firewall
    3. do a quick reboot

  17. #17
    Join Date
    May 2004
    Posts
    1,667
    Quote Originally Posted by mixmox:
    The problem is I can't find the session ID of the hacker.
    Did you try running 'w'? Under TTY, you should see something like "pts/0" for one session, and "pts/1" for another. Based on your username (or IP), you can tell which one is you, and which is the other user. Then run, 'ps aux --forest | grep ssh'. You should get some lines, and one of them will have the "pts/#" of the other user, then kill that PID.

    Anyway it sounds like it would be a good idea to do a complete wipe and reinstall of the OS, and hire someone to teach you better security. Once you are root compromised, even with everything patched you cannot be certain no backdoors are left.
    Last edited by Lev; 12-01-2013 at 03:57 AM.
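    The session triage post #17 describes, as an added example that is not part of the thread: it works on constructed `w` and `ps -eo pid,user,tty,args` output (the IP addresses are documentation-range placeholders, and the sessions, PIDs and commands are made up), picks out the sessions that are not yours, and cross-checks the two tools so that a pts that `ps` still shows but `w` no longer lists stands out as a candidate for a hidden session.

    ```shell
    #!/bin/sh
    # Added example, not from the thread: triage logged-in sessions the way post #17
    # describes, and cross-check `w` against `ps` so that a session one tool hides
    # still shows up in the other. All input below is constructed sample output.

    # Constructed `w` output: two visible root sessions, one from the admin's IP.
    W_SAMPLE='19:53:09 up 4 days,  8:41,  2 users,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    root     pts/0    203.0.113.10     Wed19    0.00s  0.16s  0.00s w
    root     pts/2    198.51.100.7     19:40    3.00s  0.05s  0.01s -bash'

    # Constructed `ps -eo pid,user,tty,args` output: a shell on pts/1 that `w` omits.
    PS_SAMPLE='  PID USER     TT       COMMAND
      812 root     ?        /usr/sbin/sshd
     4210 root     ?        sshd: root@pts/0
     4215 root     pts/0    -bash
     4330 root     ?        sshd: maka@pts/1
     4336 maka     pts/1    -bash
     4402 maka     pts/1    screen
     4510 root     ?        sshd: root@pts/2
     4517 root     pts/2    -bash
     5000 root     pts/0    ps -eo pid,user,tty,args'

    # TTYs that `w` reports (skip the uptime line and the column header).
    w_ttys() { printf '%s\n' "$W_SAMPLE" | awk 'NR > 2 { print $2 }'; }

    # TTYs of `w` sessions whose FROM field is not the address given as $1:
    # everything that is visible but not you.
    foreign_sessions() {
        printf '%s\n' "$W_SAMPLE" | awk -v me="$1" 'NR > 2 && $3 != me { print $2 }'
    }

    # TTYs that `ps` shows a process attached to ("?" means no controlling tty).
    ps_ttys() { printf '%s\n' "$PS_SAMPLE" | awk 'NR > 1 && $3 != "?" { print $3 }' | sort -u; }

    # TTYs present in ps but absent from w: candidates for a session that a
    # tampered `w`/utmp no longer reports.
    hidden_ttys() {
        for t in $(ps_ttys); do
            w_ttys | grep -qxF "$t" || printf '%s\n' "$t"
        done
    }

    # PIDs attached to one tty: the targets for the kill step in post #17.
    pids_on_tty() {
        printf '%s\n' "$PS_SAMPLE" | awk -v t="$1" 'NR > 1 && $3 == t { print $1 }'
    }

    # Demo run over the constructed samples.
    printf 'visible but not mine: %s\n' "$(foreign_sessions 203.0.113.10 | tr '\n' ' ')"
    printf 'in ps but not in w:   %s\n' "$(hidden_ttys | tr '\n' ' ')"
    for t in $(hidden_ttys); do
        printf 'PIDs on %s: %s\n' "$t" "$(pids_on_tty "$t" | tr '\n' ' ')"
    done
    ```

    The cross-check only helps as far as `ps` itself can be trusted; on the thread's box both tools may have been replaced, which is why post #20 wants clean copies of `w`, `who` and `ps` before reading their output.
    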

  18. #18
    Reload the OS Immediately! I hope that you have backups!

  19. #19
    Join Date
    Sep 2008
    Location
    NL,IR
    Posts
    1,491
    I want to know why I can't remove the other unwanted root-privilege user. Check these outputs:

    [root@server ~]# w
    19:53:09 up 4 days, 8:41, 1 user, load average: 0.00, 0.00, 0.00
    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
    root pts/0 55.41.4f.static. Wed19 0.00s 0.16s 0.00s w


    [root@server ~]# awk -F: '($3 == "0") {print}' /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    maka:x:0:0::/home/www:/bin/bash


    [root@server ~]# userdel maka
    userdel: user maka is currently logged in

  20. #20
    Join Date
    Aug 2009
    Location
    EU
    Posts
    44
    User maka is already logged in. As others told you, you don't see it logged in because some system commands have already been replaced by modified ones which hide him. Probably system commands like ps/ls/w/who/netstat have already been replaced on your system.

    You can start by:
    - limiting ssh access from firewall (or limit everything and permit just what you trust)
    - replace the w/who/ps/netstat/ls binaries from a trusted source - after that you should see him logged in; using ps, get his bash PID and kill it. After killing his shell you should be able to delete this user.

    And of course start cleaning (here I think analyzing the files in /var/maka could help and may give you a clue on what has been modified in your system), but this can take you a lot of time, so if you have a backup, better restore from it.
    Network Consultant
    Domain Registration Services - Register-ONE.com
    Bitcoin.de
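    The "replace the binaries from a trusted source" step above presupposes a way to tell which copies differ from the clean ones. The following is an added example, not code from the thread: it hashes the binaries post #20 names against a manifest captured from a trusted tree and reports what is modified or missing. Everything in it is constructed in a temporary directory (the "binaries" are short text files) so it runs offline; on a real system the manifest would come from the distribution's package metadata or a known-clean install, and the check would be run with tools copied from that same source.

    ```shell
    #!/bin/sh
    # Added example, not from the thread: checks the binaries post #20 names (w, who,
    # ps, netstat, ls) against hashes captured from a trusted source before trusting
    # their output on a rooted box. All files are constructed in a temp directory.

    WORKDIR=$(mktemp -d)
    trap 'rm -rf "$WORKDIR"' EXIT
    mkdir -p "$WORKDIR/trusted" "$WORKDIR/suspect"

    # Constructed stand-ins for the binaries: trusted copies and the suspect box's copies.
    for b in w who ps netstat ls; do
        printf 'clean %s binary\n' "$b" > "$WORKDIR/trusted/$b"
        cp "$WORKDIR/trusted/$b" "$WORKDIR/suspect/$b"
    done
    # Two suspect copies are tampered, as a rootkit that hides sessions would do.
    printf 'trojaned w binary\n'  > "$WORKDIR/suspect/w"
    printf 'trojaned ps binary\n' > "$WORKDIR/suspect/ps"

    # SHA-256 of one file (sha256sum on Linux, shasum elsewhere).
    hash_file() {
        if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
            awk '{ print $1 }'
    }

    # Write a "name hash" manifest line for every file in directory $1.
    make_manifest() {
        for f in "$1"/*; do
            printf '%s %s\n' "$(basename "$f")" "$(hash_file "$f")"
        done
    }

    # Compare directory $2 against manifest $1; print "name MODIFIED" or
    # "name MISSING" per mismatch. Returns 0 when everything matches, 1 otherwise.
    check_against_manifest() {
        bad=0
        while read -r name expected; do
            f="$2/$name"
            if [ ! -f "$f" ]; then
                printf '%s MISSING\n' "$name"; bad=1; continue
            fi
            if [ "$(hash_file "$f")" != "$expected" ]; then
                printf '%s MODIFIED\n' "$name"; bad=1
            fi
        done < "$1"
        return "$bad"
    }

    MANIFEST="$WORKDIR/manifest.txt"
    make_manifest "$WORKDIR/trusted" > "$MANIFEST"

    # Demo: the trusted tree verifies clean, the suspect tree flags w and ps.
    check_against_manifest "$MANIFEST" "$WORKDIR/trusted" && echo "trusted: all match"
    check_against_manifest "$MANIFEST" "$WORKDIR/suspect" || echo "suspect: replace the flagged binaries from a clean source"
    ```

    On a rooted host the hashing tool, the shell and the kernel may all lie, so the comparison is evidence for the triage, not proof of a clean system; the rebuild the other posters insist on is still the end state.
    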

  21. #21
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    You can't delete it because the user maka has UID 0. You are logged into root which has UID 0, so it picks up your root user as being logged in when you try to delete maka.

    Change the userid and groupid for maka to something that is not currently used, and you will be able to remove it.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
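    The UID collision this post explains, as an added example that is not part of the thread: it models the "currently logged in" check against a constructed /etc/passwd (mirroring the thread's output) and a constructed list of logged-in names, then shows that renumbering maka's UID, as posts #9 and #21 advise, is what frees the account for deletion. The check is a model of the behaviour the post describes, not the shadow-utils source, and nothing here touches the real system.

    ```shell
    #!/bin/sh
    # Added example, not from the thread: models the UID-based "currently logged in"
    # check that post #21 describes, against a constructed /etc/passwd and a
    # constructed list of logged-in names. Nothing here touches the real system.

    # Constructed passwd contents mirroring the thread's output (maka shares UID 0).
    PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    www:x:48:48:Apache:/var/www:/sbin/nologin
    maka:x:0:0::/home/www:/bin/bash'

    # Constructed login names as `w`/`who` would list them: only root is visible.
    LOGGED_IN='root'

    # Account names whose UID is 0 (the thread's awk one-liner, as a function).
    uid0_accounts() {
        printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 { print $1 }'
    }

    # Resolve a name to its UID from the sample; prints nothing for unknown names.
    uid_of() {
        printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $3; exit }'
    }

    # Model of the busy check: the target counts as logged in when ANY logged-in
    # name resolves to the same UID, so root's own session blocks deleting maka.
    # Prints the colliding login name; returns 0 if busy, 1 if free.
    account_busy() {
        target_uid=$(uid_of "$1")
        [ -n "$target_uid" ] || return 1
        for name in $LOGGED_IN; do
            if [ "$(uid_of "$name")" = "$target_uid" ]; then
                printf '%s\n' "$name"
                return 0
            fi
        done
        return 1
    }

    # Stand-in for `usermod -u NEWUID NAME`: rewrites only the sample's UID field.
    simulate_usermod() {
        PASSWD_SAMPLE=$(printf '%s\n' "$PASSWD_SAMPLE" |
            awk -F: -v OFS=: -v u="$1" -v id="$2" '$1 == u { $3 = id } { print }')
    }

    # Demo (the subshell keeps the renumbering from leaking into the globals).
    printf 'UID 0 accounts: %s\n' "$(uid0_accounts | tr '\n' ' ')"
    printf 'maka blocked by login: %s\n' "$(account_busy maka)"
    ( simulate_usermod maka 10000
      account_busy maka >/dev/null || printf 'after usermod -u 10000, maka is free to delete\n' )
    ```

    With only root visible in `w`, the collision is with your own session, which is why `usermod -u 10000 maka` and `id maka` come before `userdel maka`. A session hidden by replaced binaries would block the deletion just the same, so this explains the symptom without contradicting the advice to rebuild.
    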

  22. #22
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,992
    Okay, just keep in mind that while the suggestions over the past couple of days are a good basic starting point going forward. At present, it doesn't really make much difference one way or another because the server was rooted. I don't understand why things like this become so complex when the whole thing could have easily been restored/resolved in about a day.

    If there's something else going on like no backups, then go over to R-Fx and download Maldet and see what's been hit: https://www.rfxn.com/projects/linux-malware-detect/
    At least you can get an idea of the damage. Even then -- I don't think I'd keep it online or trust the integrity of the backups.

    The more you poke around trying to get rid of it, is just going to screw up the chances of finding any recoverable data.

    Maybe I'm not computing so early in the week -- all due respect, but I get the feeling there's no disaster recovery in place. I mean, nobody's perfect but you've got something yes?
    Last edited by Johnny Cache; 12-02-2013 at 04:51 PM.
