  1. #1
    Join Date: Nov 2001

    Another interesting hack

    I have a spare server as well sitting around and I was surprised to see what I found. I found an extra user in the /etc/passwd file that had shell access (I did not add this person), and they created an account within the Plesk setup (/usr/local/psa/home/vhosts/theirfakedomain/).

    Inside of course was some warez. I checked the access to the server and they only accessed by FTP, and I also found something they created in the crontab, which was /usr/lib/sa. It was some sort of encrypted script that appeared to be running every 10 minutes; it was deleting any backups I put on the server and also logged anyone out of SSH at the time of execution. I searched and did scans for rootkits and there weren't any that I could see. From what I could tell, they never got root access, because they never changed passwords or messed with the server except the couple of files I had on there and then of course their uploads.

    So, how did they create the user within Red Hat, especially if they never got root access? Or did they, and they are hiding it?

  2. #2
    Join Date: Oct 2001
    The only way I know of a user executing root commands is to have been assigned the relevant permissions with sudo...

    I'm stumped.

  3. #3
    If they didn't want to get caught, they wouldn't change the root password or else it would be obvious that the box had been compromised.

    I think it would be a really good idea if everyone could step up their security and not lay unused boxes around without being secured because this makes the internet a little less insecure because it creates a platform for attackers to launch their attacks.
    Affordable Hosting Solutions

  4. #4
    Join Date: Jul 2002
    Location: The Big Easy - New Orleans
    /usr/lib/sa is usually there as a directory (system activity). See man sar for details.

  5. #5
    The only way to add a user is to do it through root, or your perms on the passwd/shadow files are set wrong. Check all your processes that are running as root and make sure there isn't a security update for them. Best thing to do is make sure all processes accepting socket connections do not run as root.
    Jay Kramer - Operations Manager
    Affordable Colocation and Dedicated Servers 1-877-719-3698
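A defensive check in the spirit of posts #1 and #5, added here as an example and not posted by anyone in the thread: it scans a passwd-format file for accounts with UID 0 other than root, and for accounts with a login shell that are not on an allowlist of expected users. The allowlist and the sample passwd content are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd-format file for accounts
# that should not be there, like the extra shell account described in post #1.
# Assumptions: the allowlist and the sample passwd below are constructed.

# Shells that give interactive access; nologin/false/empty are not login shells.
is_login_shell() {
    case "$1" in
        */nologin|*/false|"") return 1 ;;
        *) return 0 ;;
    esac
}

# Print "user:uid:shell:reason" for every account in file $1 that either has
# UID 0 without being root, or has a login shell and is not in the
# space-separated allowlist $2.
audit_passwd() {
    file="$1"; allow=" $2 "
    while IFS=: read -r user _ uid _ _ _ shell; do
        [ -z "$user" ] && continue
        if [ "$uid" = "0" ] && [ "$user" != "root" ]; then
            echo "$user:$uid:$shell:uid-0-not-root"
            continue
        fi
        if is_login_shell "$shell"; then
            case "$allow" in
                *" $user "*) ;;                       # expected account
                *) echo "$user:$uid:$shell:unexpected-login-shell" ;;
            esac
        fi
    done < "$file"
}

# Number of flagged accounts, for scripting a pass/fail check.
audit_count() { audit_passwd "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample passwd (not real data) with two planted problem accounts:
# "toor" has UID 0, and "svc" has a shell but is not on the allowlist.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
admin:x:500:500:Admin:/home/admin:/bin/bash
toor:x:0:0::/root:/bin/sh
svc:x:501:501::/home/svc:/bin/bash
EOF

# Run against the sample; on a real box use /etc/passwd and your own allowlist.
audit_passwd "$SAMPLE" "root admin"
```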
