Default users in CentOS 7? (we get 24 in a "new" / "clean" VPS)

000

Well-Known Member
Jun 3, 2008
Hello,

Which is the ORIGINAL list of users in CentOS 7?

We get 24:
[attached screenshot: 1633018463300.png]

You can see we marked SIX as malicious users, but maybe it is five.

More important:

shell history for user ROOT = empty,
however multiple LOGINS from IPs of the ISP

How can we DELETE the foreign users?
For us, changing the ROOT password is not sufficient.

Thanks for your help with the audit.

We repeat: the VPS is 100% "new"; logically the ISP manipulated the VPS before delivery. How can we check their actions?



Thanks
 

000

Well-Known Member
Jun 3, 2008
Oh god...
This is TERRIBLE:

[attached screenshot: 1633024630446.png]

Why did this ISP need to delete (1, 2)?


Please, is there some other trick to find more malicious actions on this "CLEAN VPS"?


Also you can see: BEFORE delivery of the VPS, the ISP executed 14 times
Code:
/usr/sbin/useradd
surely creating/deleting some user multiple times...

These are VERY dirty actions...
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! From what you've posted, it sounds like the server has been compromised. Since the history shell for root has already been removed, and the server has been root compromised, there is not a reliable way to get accurate information from the system since it has already been tampered with.

The best thing you can do at this point would be to migrate or restore backups to a new server.
 

000

Well-Known Member
Jun 3, 2008
Hey there! From what you've posted, it sounds like the server has been compromised. Since the history shell for root has already been removed, and the server has been root compromised, there is not a reliable way to get accurate information from the system since it has already been tampered with.

The best thing you can do at this point would be to migrate or restore backups to a new server.
Thanks, and do you know how many users a "CLEAN" CentOS has?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Here's what I see on a minimal install of CentOS 7 before cPanel is installed:

Code:
# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
chrony:x:998:995::/var/lib/chrony:/sbin/nologin
centos:x:1000:1000:centos:/home/centos:/bin/bash
 
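As an added example (not code from the thread or from cPanel), here is the comparison cPRex's listing invites: a POSIX shell audit that checks a passwd file against those 24 baseline names and also flags extra UID 0 accounts and ordinary accounts with a login shell, which is what a defender reviewing a "clean" VPS would want to see first. The sample passwd file and its account names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a passwd file against the
# minimal CentOS 7 baseline cPRex posted. Run as: audit_passwd /etc/passwd

# Account names from cPRex's /etc/passwd listing (the 24 default users).
BASELINE="root bin daemon adm lp sync shutdown halt mail operator games ftp \
nobody systemd-network dbus polkitd rpc ntp named sshd postfix nscd chrony centos"

# Names in FILE that are not in the baseline: cPanel, the ISP or an
# intruder added them, so each one needs an explanation.
extra_users() {
    cut -d: -f1 "$1" | while read -r name; do
        case " $BASELINE " in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Accounts with UID 0 other than root: every one of these is a second root.
uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Ordinary (UID >= 1000) accounts whose shell is not a locked nologin/false.
shell_users() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

audit_passwd() {
    echo "== users not in the CentOS 7 baseline =="; extra_users "$1"
    echo "== extra UID 0 accounts =="; uid0_users "$1"
    echo "== UID >= 1000 accounts with a login shell =="; shell_users "$1"
}

# Constructed sample passwd (not from the thread): a few baseline entries,
# one cPanel-style service account and two planted accounts.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
centos:x:1000:1000:centos:/home/centos:/bin/bash
cpanel:x:1001:1001::/usr/local/cpanel:/sbin/nologin
toor:x:0:0::/root:/bin/bash
backup:x:1002:1002::/home/backup:/bin/bash
EOF
audit_passwd "$SAMPLE"
```

A user missing from the baseline is not automatically malicious (cPanel and a provider's own tooling add accounts), but a second UID 0 account or an unexplained account with /bin/bash is exactly the finding that justifies cPRex's advice to rebuild rather than clean up.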

000

Well-Known Member
Jun 3, 2008
Here's what I see on a minimal install of CentOS 7 before cPanel is installed:

Code:
# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
chrony:x:998:995::/var/lib/chrony:/sbin/nologin
centos:x:1000:1000:centos:/home/centos:/bin/bash
Oh master, I see 24 in your list; however, at ANOTHER ISP, my CentOS returns 18:
Code:
[[email protected] ~]# cat /etc/passwd | wc -l
18
[[email protected] ~]#
and we NEVER get the user "centos":
Code:
[[email protected] ~]# cat /etc/passwd | cut -d: -f1 | sort
adm
bin
chrony
daemon
dbus
ftp
games
halt
lp
mail
nobody
operator
polkitd
root
shutdown
sshd
sync
systemd-network
[[email protected] ~]#
At this ISP (not the "spy") we have:
Code:
[[email protected] ~]# more /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[[email protected] ~]#
What distro do you have? Maybe CentOS 8?