default users in CentOs 7 ?? (we get 24 in VPS "new" / "clean")

000

000

Well-Known Member
Jun 3, 2008
533
29
78
hello,

which is the ORIGINAL list of users in CentOs 7 ??

we get 24:
1633018463300.png

you can see we check SIX as malicious users, but may be is five

more important:

history SHELL for user ROOT = empty,
however multiple LOGINS from IPs of ISP

how we can DELETE users foreigns?
for we change ROOT password not is sufficent.

thanks by your help in auditory.

we repeat: VPS is 100% "new", logically ISP manipulate VPS before of delivery, how we can check actions ?



thanks
 
Last edited by a moderator:
000

000

Well-Known Member
Jun 3, 2008
533
29
78
oh god...
this is TERRIBLE:

1633024630446.png

why this ISP need delete (1, 2) ???


please some other trick for get more malicius actios from over this "CLEAN VPS" ??


also you can see: BEFORE of delivery VPS, ISP execute 14 times
Code: 
/usr/sbin/useradd
surely create/delete some user multiple times...

this is VERY dirty actions...
 
cPRex

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
13,259
2,086
363
cPanel Access Level
Root Administrator
Hey there! From what you've posted, it sounds like the server has been compromised. Since the history shell for root has already been removed, and the server has been root compromised, there is not a reliable way to get accurate information from the system since it has already been tampered with.

The best thing you can do at this point would be to migrate or restore backups to a new server.
 
000

000

Well-Known Member
Jun 3, 2008
533
29
78
cPRex said:
Hey there! From what you've posted, it sounds like the server has been compromised. Since the history shell for root has already been removed, and the server has been root compromised, there is not a reliable way to get accurate information from the system since it has already been tampered with.

The best thing you can do at this point would be to migrate or restore backups to a new server.
Click to expand...
thanks, and know you how many users have a CentOs "CLEAN" ?
 
cPRex

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
13,259
2,086
363
cPanel Access Level
Root Administrator
Here's what I see on a minimal install of CentOS 7 before cPanel is installed:

Code: 
# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
chrony:x:998:995::/var/lib/chrony:/sbin/nologin
centos:x:1000:1000:centos:/home/centos:/bin/bash
 
000

000

Well-Known Member
Jun 3, 2008
533
29
78
cPRex said:
Here's what I see on a minimal install of CentOS 7 before cPanel is installed:

Code: 
# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
chrony:x:998:995::/var/lib/chrony:/sbin/nologin
centos:x:1000:1000:centos:/home/centos:/bin/bash
Click to expand...
oh master I see 24 in your list, however in OTHER ISP, my CentOs return 18:
Code: 
[[email protected] ~]# cat /etc/passwd | wc -l
18
[[email protected] ~]#
and NEVER we get user "centos":
Code: 
[[email protected] ~]# cat /etc/passwd | cut -d: -f1 | sort
adm
bin
chrony
daemon
dbus
ftp
games
halt
lp
mail
nobody
operator
polkitd
root
shutdown
sshd
sync
systemd-network
[[email protected] ~]#
in this ISP (not the "spy") we have:
Code: 
[[email protected] ~]# more /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[[email protected] ~]#
what distro you have?, maybe CentOs 8 ?
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
S In Progress EA-10889 - mod_security disabled by default? Why? Security 9
M How can i disable access to cgi-sys/defaultwebpage.cgi Security 3
H IP address of AutoSSL does not point to default hostname Security 1
manoaratefy Disable ModSecurity on default vhost Security 3
F users default shell is /bin/bash !!!! security ?? Security 6
Similar threads
In Progress EA-10889 - mod_security disabled by default? Why?
How can i disable access to cgi-sys/defaultwebpage.cgi
IP address of AutoSSL does not point to default hostname
Disable ModSecurity on default vhost
users default shell is /bin/bash !!!! security ??
Top Bottom