Thread: hacker get root access
-
11-27-2013, 02:55 PM #1 (I Like Beer!)
Hi everyone. I have been monitoring the /etc/passwd file on one of our servers and see there are two root-privilege users there:
[root@server tmp]# awk -F: '($3 == "0") {print}' /etc/passwd
root:x:0:0:root:/root:/bin/bash
maka:x:0:0::/home/www:/bin/bash
Then I tried to log out and remove user "maka".
After logging out user maka, the root user (I had logged in to the server with the root password) was logged out!!!!
I don't know the reason. Also I have checked for new files and found a /var/maka folder with several files like:
a common gen-pass.sh go-b mfu.txt pico screen ss
bios.txt freez go-a hpiod pass_file pscan2 secure vuln.txt
Any idea?
-
11-27-2013, 04:45 PM #2 (Knowledge is all)
So the maka user was set to root's uid/gid, most likely via usermod or perhaps via adduser --uid 0 -o. Though that would mean they had root in some way beforehand. Do you have any scripts that do user creation? Is sudo open to any users?
A further security audit would be needed. Logs checked, history, etc (though those can be wiped clean). rkhunter perhaps -- if you already ran it and it hasn't been modified. Contact Rack911 or similar security company for a security audit of the server.
At the end of the day, if the server has indeed been rooted, a restore of data backups to a new install would be the best. Just don't restore system files, just data files. And then the exploit could be hidden in those files.
-
11-27-2013, 04:50 PM #3 (I Like Beer!)
The question is how can I remove this user (which has root access: "maka")?
-
11-27-2013, 05:02 PM #4 (Knowledge is all)
userdel maka
Though you might want to change the uid first via usermod, else it might cause some issues deleting a uid 0 account.
-
11-27-2013, 08:41 PM #5 (Mostly Retired!)
I would say that box is far more jacked up than it's worth to put your clients' data at risk. I'd suggest wiping it clean and do your best to restore safe backups, go back maybe three/four days if you can afford it. Inspect the backups manually if you have to, and get yourself a malware scanner. See if it finds anything after the restores are complete.
Someone had root access to the box. Full root access. Do you really want to cut corners here?
-
11-27-2013, 08:47 PM #6 (Web Hosting Guru)
He got root access using a kernel bug and was successful in creating a root user; you should patch all of your software as soon as possible.
-
11-27-2013, 09:32 PM #7 (Web Hosting Master)
Start with Fdisk ... You lost control of root, so you can no longer trust anything installed.
-
11-28-2013, 02:04 AM #8 (I Like Beer!)
I have updated the kernel and all software to the latest version.
I mentioned that I had logged in to the server with the root username; when I tried to log out user "maka", the server logged me (root) out!!! Any idea?
-
11-28-2013, 06:37 AM #9 (Disabled)
Try:
usermod -u 10000 maka
Then verify it by running:
id maka
If the UID of user maka is changed successfully to 10000 then you can delete the account by using the "userdel maka" command.
Please note that they may have placed a backdoor, SSH key or any other hidden users on your server. You need either to move your data to another secure server or ask your server management to investigate it further for you to determine the best course of action.
-
11-28-2013, 07:42 AM #10 (Web Hosting Master)
-
11-28-2013, 09:28 AM #11 (I Like Beer!)
[root@server ~]# usermod -u 10000 maka
usermod: user maka is currently logged in
But the who command does not show him.
-
11-28-2013, 08:34 PM #12 (Web Hosting Master)
How many times do we need to say it - Format this server ASAP - someone else has control of it. If you cannot see them logged in, then they have already replaced binaries to hide themselves. Start with FDISK and re-build this System ASAP -THERE IS NO SAVING IT.
-
11-29-2013, 03:39 AM #13 (I Like Beer!)
-
11-29-2013, 03:35 PM #14 (Knowledge is all)
-
12-01-2013, 12:51 AM #15 (I Like Beer!)
The problem is I can't find the session ID of the hacker.
-
12-01-2013, 02:30 AM #16 (Disabled)
1. check startup/shutdown scripts
2. limit SSH access with firewall
3. do a quick reboot
-
12-01-2013, 03:53 AM #17 (Web Hosting Master)
Did you try running 'w'? Under TTY, you should see something like "pts/0" for one session, and "pts/1" for another. Based on your username (or IP), you can tell which one is you, and which is the other user. Then run, 'ps aux --forest | grep ssh'. You should get some lines, and one of them will have the "pts/#" of the other user, then kill that PID.
Anyway it sounds like it would be a good idea to do a complete wipe and reinstall of the OS, and hire someone to teach you better security. Once you are root compromised, even with everything patched you cannot be certain no backdoors are left.
Last edited by Lev; 12-01-2013 at 03:57 AM.
-
12-01-2013, 06:22 AM #18 (Temporarily Suspended)
Reload the OS Immediately! I hope that you have backups!
-
12-01-2013, 02:56 PM #19 (I Like Beer!)
I want to know why I can't remove the other unwanted root-privilege user. Check these outputs:
[root@server ~]# w
19:53:09 up 4 days, 8:41, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 55.41.4f.static. Wed19 0.00s 0.16s 0.00s w
[root@server ~]# awk -F: '($3 == "0") {print}' /etc/passwd
root:x:0:0:root:/root:/bin/bash
maka:x:0:0::/home/www:/bin/bash
[root@server ~]# userdel maka
userdel: user maka is currently logged in
-
12-01-2013, 04:02 PM #20 (Junior Guru Wannabe)
User maka is already logged in. As others told you, you don't see it logged in because some system commands have already been replaced by modified ones which hide him. Probably system commands like ps/ls/w/who/netstat have already been replaced on your system.
You can start by:
- limiting ssh access from firewall (or limit everything and permit just what you trust)
- replace the w/who/ps/netstat/ls binaries from a trusted source - after that you should see him logged in; using ps, get his bash PID and kill it. After killing his shell you should be able to delete this user.
And of course start cleaning (here I think analyzing the files in /var/maka could help and may give you a clue on what has been modified in your system), but this can take you a lot of time, so if you have a backup, better restore from it.
-
12-02-2013, 04:18 PM #21 (Problem Solver)
You can't delete it because the user maka has UID 0. You are logged into root which has UID 0, so it picks up your root user as being logged in when you try to delete maka.
Change the userid and groupid for maka to something that is not currently used, and you will be able to remove it.
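Added example (written for this thread, not code from any poster): a small Python audit that reproduces the two checks the thread turns on. It finds every account that shares UID 0 in a passwd file, reads utmp records directly rather than trusting the w/who binaries (post #20's point), and models post #21's explanation of why userdel refuses: a logged-in root session counts as "maka" being logged in while both share UID 0, and stops counting once maka is moved to UID 10000. The passwd lines and the utmp record are constructed inline; the utmp layout is the glibc x86_64 one.

```python
import struct

# Constructed sample: the two UID-0 lines quoted in the thread plus one normal account.
PASSWD = """root:x:0:0:root:/root:/bin/bash
maka:x:0:0::/home/www:/bin/bash
www:x:48:48:Apache:/var/www:/sbin/nologin
"""

# glibc x86_64 struct utmp (384 bytes): type, pid, line, id, user, host,
# exit status, session, tv, addr_v6, padding.  Real file: /var/run/utmp.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
USER_PROCESS = 7


def parse_passwd(text):
    """Return {name: uid} for every account line in passwd-format text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, *_ = line.split(":")
            users[name] = int(uid)
    return users


def uid0_accounts(users):
    """Every account with UID 0; anything besides 'root' is suspect."""
    return sorted(n for n, u in users.items() if u == 0)


def make_utmp_record(pid, line, user, host):
    """Constructed USER_PROCESS record so the example runs offline."""
    return struct.pack(UTMP_FMT, USER_PROCESS, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0)


def logged_in_users(utmp_bytes):
    """List session owners straight from utmp bytes, bypassing w/who."""
    size = struct.calcsize(UTMP_FMT)
    names = []
    for off in range(0, len(utmp_bytes), size):
        rec = struct.unpack(UTMP_FMT, utmp_bytes[off:off + size])
        if rec[0] == USER_PROCESS:
            names.append(rec[4].rstrip(b"\0").decode())
    return names


def deletion_blocked_by(name, users, sessions):
    """Model of post #21: sessions whose account shares name's UID block userdel."""
    uid = users[name]
    return sorted({s for s in sessions if users.get(s) == uid})
```

Running the functions over the constructed data shows root's pts/0 session blocking removal of maka, and nothing blocking it once maka's UID is remapped, which is why the usermod-then-userdel sequence from post #9 works.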
-
12-02-2013, 04:47 PM #22 (Mostly Retired!)
Okay, just keep in mind that while the suggestions over the past couple of days are a good basic starting point going forward, at present it doesn't really make much difference one way or another because the server was rooted. I don't understand why things like this become so complex when the whole thing could have easily been restored/resolved in about a day.
If there's something else going on like no backups, then go over to R-Fx and download Maldet and see what's been hit: https://www.rfxn.com/projects/linux-malware-detect/
At least you can get an idea of the damage. Even then -- I don't think I'd keep it online or trust the integrity of the backups.
The more you poke around trying to get rid of it, is just going to screw up the chances of finding any recoverable data.
Maybe I'm not computing so early in the week -- all due respect, but I get the feeling there's no disaster recovery in place. I mean, nobody's perfect but you've got something yes?
Last edited by Johnny Cache; 12-02-2013 at 04:51 PM.