How to remove hacked account on Ubuntu server












4















My server has 2 accounts are hacked and now if I try to removed them by any way, after that 1 min, they will be re-added automatically with the highest permission in



visudo NOPASSWORD=ALL


So how can I find out the root code do it and remove them forever?










share|improve this question




















  • 2





    Remove the OS completely.. If it's hacked, it's hacked, and there's no 100% sure way to fix everything. Just install new server and start over

    – Sergiy Kolodyazhnyy
    Apr 8 '17 at 16:48











  • @SergiyKolodyazhnyy I disagree. User wants help IDENTIFYING the problem. Not to ignore it and re-install. The smart thing to do is to learn from this so it wont happen again. A re-install does not teach anything.

    – Rinzwind
    Apr 8 '17 at 16:50











  • Thanks for yours comments, I've tried to disable 2 hacked accounts and set fake group for them in visudo so hope this solution able to help my server safe for now. Please give me more any idea else, many thanks.

    – user3160078
    Apr 8 '17 at 16:54











  • @user3160078 dont take too long investigating.

    – Rinzwind
    Apr 8 '17 at 17:02











  • @Rinzwind I agree with you but I still want to remove them rather than disable, this is just my temp solution for now.

    – user3160078
    Apr 8 '17 at 17:51
















4















My server has 2 accounts are hacked and now if I try to removed them by any way, after that 1 min, they will be re-added automatically with the highest permission in



visudo NOPASSWORD=ALL


So how can I find out the root code do it and remove them forever?










share|improve this question




















  • 2





    Remove the OS completely.. If it's hacked, it's hacked, and there's no 100% sure way to fix everything. Just install new server and start over

    – Sergiy Kolodyazhnyy
    Apr 8 '17 at 16:48











  • @SergiyKolodyazhnyy I disagree. User wants help IDENTIFYING the problem. Not to ignore it and re-install. The smart thing to do is to learn from this so it wont happen again. A re-install does not teach anything.

    – Rinzwind
    Apr 8 '17 at 16:50











  • Thanks for yours comments, I've tried to disable 2 hacked accounts and set fake group for them in visudo so hope this solution able to help my server safe for now. Please give me more any idea else, many thanks.

    – user3160078
    Apr 8 '17 at 16:54











  • @user3160078 dont take too long investigating.

    – Rinzwind
    Apr 8 '17 at 17:02











  • @Rinzwind I agree with you but I still want to remove them rather than disable, this is just my temp solution for now.

    – user3160078
    Apr 8 '17 at 17:51














4












4








4








My server has 2 accounts are hacked and now if I try to removed them by any way, after that 1 min, they will be re-added automatically with the highest permission in



visudo NOPASSWORD=ALL


So how can I find out the root code do it and remove them forever?










share|improve this question
















My server has 2 accounts are hacked and now if I try to removed them by any way, after that 1 min, they will be re-added automatically with the highest permission in



visudo NOPASSWORD=ALL


So how can I find out the root code do it and remove them forever?







users accounts






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 8 '17 at 23:43









wittich

805816




805816










asked Apr 8 '17 at 16:29









user3160078user3160078

211




211








  • 2





    Remove the OS completely.. If it's hacked, it's hacked, and there's no 100% sure way to fix everything. Just install new server and start over

    – Sergiy Kolodyazhnyy
    Apr 8 '17 at 16:48











  • @SergiyKolodyazhnyy I disagree. User wants help IDENTIFYING the problem. Not to ignore it and re-install. The smart thing to do is to learn from this so it wont happen again. A re-install does not teach anything.

    – Rinzwind
    Apr 8 '17 at 16:50











  • Thanks for yours comments, I've tried to disable 2 hacked accounts and set fake group for them in visudo so hope this solution able to help my server safe for now. Please give me more any idea else, many thanks.

    – user3160078
    Apr 8 '17 at 16:54











  • @user3160078 dont take too long investigating.

    – Rinzwind
    Apr 8 '17 at 17:02











  • @Rinzwind I agree with you but I still want to remove them rather than disable, this is just my temp solution for now.

    – user3160078
    Apr 8 '17 at 17:51














  • 2





    Remove the OS completely.. If it's hacked, it's hacked, and there's no 100% sure way to fix everything. Just install new server and start over

    – Sergiy Kolodyazhnyy
    Apr 8 '17 at 16:48











  • @SergiyKolodyazhnyy I disagree. User wants help IDENTIFYING the problem. Not to ignore it and re-install. The smart thing to do is to learn from this so it wont happen again. A re-install does not teach anything.

    – Rinzwind
    Apr 8 '17 at 16:50











  • Thanks for yours comments, I've tried to disable 2 hacked accounts and set fake group for them in visudo so hope this solution able to help my server safe for now. Please give me more any idea else, many thanks.

    – user3160078
    Apr 8 '17 at 16:54











  • @user3160078 dont take too long investigating.

    – Rinzwind
    Apr 8 '17 at 17:02











  • @Rinzwind I agree with you but I still want to remove them rather than disable, this is just my temp solution for now.

    – user3160078
    Apr 8 '17 at 17:51








2




2





Remove the OS completely.. If it's hacked, it's hacked, and there's no 100% sure way to fix everything. Just install new server and start over

– Sergiy Kolodyazhnyy
Apr 8 '17 at 16:48





Remove the OS completely.. If it's hacked, it's hacked, and there's no 100% sure way to fix everything. Just install new server and start over

– Sergiy Kolodyazhnyy
Apr 8 '17 at 16:48













@SergiyKolodyazhnyy I disagree. User wants help IDENTIFYING the problem. Not to ignore it and re-install. The smart thing to do is to learn from this so it wont happen again. A re-install does not teach anything.

– Rinzwind
Apr 8 '17 at 16:50





@SergiyKolodyazhnyy I disagree. User wants help IDENTIFYING the problem. Not to ignore it and re-install. The smart thing to do is to learn from this so it wont happen again. A re-install does not teach anything.

– Rinzwind
Apr 8 '17 at 16:50













Thanks for yours comments, I've tried to disable 2 hacked accounts and set fake group for them in visudo so hope this solution able to help my server safe for now. Please give me more any idea else, many thanks.

– user3160078
Apr 8 '17 at 16:54





Thanks for yours comments, I've tried to disable 2 hacked accounts and set fake group for them in visudo so hope this solution able to help my server safe for now. Please give me more any idea else, many thanks.

– user3160078
Apr 8 '17 at 16:54













@user3160078 dont take too long investigating.

– Rinzwind
Apr 8 '17 at 17:02





@user3160078 dont take too long investigating.

– Rinzwind
Apr 8 '17 at 17:02













@Rinzwind I agree with you but I still want to remove them rather than disable, this is just my temp solution for now.

– user3160078
Apr 8 '17 at 17:51





@Rinzwind I agree with you but I still want to remove them rather than disable, this is just my temp solution for now.

– user3160078
Apr 8 '17 at 17:51










2 Answers
2






active

oldest

votes


















1














Sorry to say, but The Only Right Way™ to go is to nuke the machine from orbit.



If a hacker managed to get that deep into your system, you can never know whether you wiped all traces or whether they've still got another ace up the sleeve with which they can regain access.



You should try to investigate how they hacked the system in first place, so that you can patch that security hole later on your new installation, and then completely erase the whole system and install from scratch. Therefore it is the best idea to shut the server down and boot a live system from which you can clone the entire storage. Later you can then examine that image in a secured and locked down environment (no access to the internet or your business networks, etc).



You should also back up only as much data as necessary, but as few as possible, because every file you copy could potentially be infected. Comparing your current data files with those from older backups (you do have periodic backups, right!?) might help to decide what you need and what is in good shape.



Related questions on other Stack Exchange sites:




  • How do I deal with a compromised server?

  • How do you explain the necessity of “nuke it from orbit” to management and users?






share|improve this answer





















  • 2





    As an IT Security professional, this is the tried and true mechanism for responding to a system breach. Hacked accounts aside, you don't know what they did inside the hacked account, or to the system. The only true way is nuke from orbit.

    – Thomas Ward
    Apr 8 '17 at 16:51











  • " because every file you copy could potentially be infected. " That is simply not true. Explain please how /var/log/boot.log or how /var/log/auth.log can be infected?!

    – Rinzwind
    Apr 8 '17 at 17:14






  • 1





    @Rinzwind "every file" might be an oversimplification, but there are ways to embed bad stuff into most file types that get read by any application. Log files should be safe because they just get displayed as plain text and not parsed, but what I actually had in mind is more about actual user data, like documents, databases, images, etc

    – Byte Commander
    Apr 8 '17 at 18:32



















-1















  • Boot up a live session. Do NOT use the system itself.

  • Mount the disks

  • Log in to a terminal session and do sudo -i to get to a prompt


  • Do a search over / with 1 of the names of those accounts



    grep -rnwl '/' -e "{name}"


    where {name} is what you want to find.




    • r: recursive

    • w: match whole word

    • l: only show file names




It will take a while depending on the size of the disk so you could start out searching /home/ instead of the whole disk 1st. But I doubt it will be a file in /home/




  • while you are at it: change your admin password with passwd {accountname}.





  • Also before you do this you can also check /etc/profile, /etc/crontab, crontab -l for weird actions and in your /home the file .bashrc for any action that should not be there




See if you can find out what is happening so you can take precautions so it can't happen again. It is best to re-install though. Heck it is the only sane option Put your personal files on a USB. Make note of software you installed, make note of router logs, and copy all logs files from /var/log so you can check for intrusions when you got your system clean again.



Carefully restore your files (make sure they are what they should be and do not execute any of them before you are sure).





Another thing to do: create a backup of the sudo file, clean it and use inotify to immediately copy a backup file over the changed one. That will hamper whatever they try to do with your system.






share|improve this answer


























  • To the downvoter; please carefully think about why you downvoted. Only a moron would re-install without investigating the issue.

    – Rinzwind
    Apr 8 '17 at 16:52











  • After a security breach, the only tried and true approach is nuke-and-restart. That said, a full disk image of the server, where possible, so they can go back later in a non-networked environment and examine what was done on the system is never a bad idea, however they should still nuke and reload. This is the typical approach. (If the owner of the server or system chooses to not go the forensic approach and just nuke and restart, that's their choice, and they'll learn the next time they're breached to start examining how they were breached.)

    – Thomas Ward
    Apr 8 '17 at 16:52













  • If I were a hacker and had the abilities to get that deep into a system, I doubt I would use a simple cleartext script to recreate my account.

    – Byte Commander
    Apr 8 '17 at 16:53











  • @ThomasWard sure But a re-install should not be the 1st action. The 1st action is to investigate. And then re-install. What if this is not an outside but in inside job. a re-install will erase any evidence.

    – Rinzwind
    Apr 8 '17 at 16:54








  • 1





    @Rinzwind Perhaps you and I should continue this discussion in chat - while I agree that the first step is to investigate, that's in the theory. Investigating a hacked server live is an IT Security 'no no'. A forensic copy of the existing system, then nuking the server and getting it back to 'production ready status' then examining after the fact is the actual approach taken to breached systems, in many cases (including forensic investigations by law enforcement in the USA)

    – Thomas Ward
    Apr 8 '17 at 16:59











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f902600%2fhow-to-remove-hacked-account-on-ubuntu-server%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














Sorry to say, but The Only Right Way™ to go is to nuke the machine from orbit.



If a hacker managed to get that deep into your system, you can never know whether you wiped all traces or whether they've still got another ace up the sleeve with which they can regain access.



You should try to investigate how they hacked the system in first place, so that you can patch that security hole later on your new installation, and then completely erase the whole system and install from scratch. Therefore it is the best idea to shut the server down and boot a live system from which you can clone the entire storage. Later you can then examine that image in a secured and locked down environment (no access to the internet or your business networks, etc).



You should also back up only as much data as necessary, but as few as possible, because every file you copy could potentially be infected. Comparing your current data files with those from older backups (you do have periodic backups, right!?) might help to decide what you need and what is in good shape.



Related questions on other Stack Exchange sites:




  • How do I deal with a compromised server?

  • How do you explain the necessity of “nuke it from orbit” to management and users?






share|improve this answer





















  • 2





    As an IT Security professional, this is the tried and true mechanism for responding to a system breach. Hacked accounts aside, you don't know what they did inside the hacked account, or to the system. The only true way is nuke from orbit.

    – Thomas Ward
    Apr 8 '17 at 16:51











  • " because every file you copy could potentially be infected. " That is simply not true. Explain please how /var/log/boot.log or how /var/log/auth.log can be infected?!

    – Rinzwind
    Apr 8 '17 at 17:14






  • 1





    @Rinzwind "every file" might be an oversimplification, but there are ways to embed bad stuff into most file types that get read by any application. Log files should be safe because they just get displayed as plain text and not parsed, but what I actually had in mind is more about actual user data, like documents, databases, images, etc

    – Byte Commander
    Apr 8 '17 at 18:32
















1














Sorry to say, but The Only Right Way™ to go is to nuke the machine from orbit.



If a hacker managed to get that deep into your system, you can never know whether you wiped all traces or whether they've still got another ace up the sleeve with which they can regain access.



You should try to investigate how they hacked the system in first place, so that you can patch that security hole later on your new installation, and then completely erase the whole system and install from scratch. Therefore it is the best idea to shut the server down and boot a live system from which you can clone the entire storage. Later you can then examine that image in a secured and locked down environment (no access to the internet or your business networks, etc).



You should also back up only as much data as necessary, but as few as possible, because every file you copy could potentially be infected. Comparing your current data files with those from older backups (you do have periodic backups, right!?) might help to decide what you need and what is in good shape.



Related questions on other Stack Exchange sites:




  • How do I deal with a compromised server?

  • How do you explain the necessity of “nuke it from orbit” to management and users?






share|improve this answer





















  • 2





    As an IT Security professional, this is the tried and true mechanism for responding to a system breach. Hacked accounts aside, you don't know what they did inside the hacked account, or to the system. The only true way is nuke from orbit.

    – Thomas Ward
    Apr 8 '17 at 16:51











  • " because every file you copy could potentially be infected. " That is simply not true. Explain please how /var/log/boot.log or how /var/log/auth.log can be infected?!

    – Rinzwind
    Apr 8 '17 at 17:14






  • 1





    @Rinzwind "every file" might be an oversimplification, but there are ways to embed bad stuff into most file types that get read by any application. Log files should be safe because they just get displayed as plain text and not parsed, but what I actually had in mind is more about actual user data, like documents, databases, images, etc

    – Byte Commander
    Apr 8 '17 at 18:32














1












1








1







Sorry to say, but The Only Right Way™ to go is to nuke the machine from orbit.



If a hacker managed to get that deep into your system, you can never know whether you wiped all traces or whether they've still got another ace up the sleeve with which they can regain access.



You should try to investigate how they hacked the system in first place, so that you can patch that security hole later on your new installation, and then completely erase the whole system and install from scratch. Therefore it is the best idea to shut the server down and boot a live system from which you can clone the entire storage. Later you can then examine that image in a secured and locked down environment (no access to the internet or your business networks, etc).



You should also back up only as much data as necessary, but as few as possible, because every file you copy could potentially be infected. Comparing your current data files with those from older backups (you do have periodic backups, right!?) might help to decide what you need and what is in good shape.



Related questions on other Stack Exchange sites:




  • How do I deal with a compromised server?

  • How do you explain the necessity of “nuke it from orbit” to management and users?






share|improve this answer















Sorry to say, but The Only Right Way™ to go is to nuke the machine from orbit.



If a hacker managed to get that deep into your system, you can never know whether you wiped all traces or whether they've still got another ace up the sleeve with which they can regain access.



You should try to investigate how they hacked the system in first place, so that you can patch that security hole later on your new installation, and then completely erase the whole system and install from scratch. Therefore it is the best idea to shut the server down and boot a live system from which you can clone the entire storage. Later you can then examine that image in a secured and locked down environment (no access to the internet or your business networks, etc).



You should also back up only as much data as necessary, but as few as possible, because every file you copy could potentially be infected. Comparing your current data files with those from older backups (you do have periodic backups, right!?) might help to decide what you need and what is in good shape.



Related questions on other Stack Exchange sites:




  • How do I deal with a compromised server?

  • How do you explain the necessity of “nuke it from orbit” to management and users?







share|improve this answer














share|improve this answer



share|improve this answer








edited Apr 8 '17 at 16:56

























answered Apr 8 '17 at 16:46









Byte CommanderByte Commander

65.9k27180306




65.9k27180306








  • 2





    As an IT Security professional, this is the tried and true mechanism for responding to a system breach. Hacked accounts aside, you don't know what they did inside the hacked account, or to the system. The only true way is nuke from orbit.

    – Thomas Ward
    Apr 8 '17 at 16:51











  • " because every file you copy could potentially be infected. " That is simply not true. Explain please how /var/log/boot.log or how /var/log/auth.log can be infected?!

    – Rinzwind
    Apr 8 '17 at 17:14






  • 1





    @Rinzwind "every file" might be an oversimplification, but there are ways to embed bad stuff into most file types that get read by any application. Log files should be safe because they just get displayed as plain text and not parsed, but what I actually had in mind is more about actual user data, like documents, databases, images, etc

    – Byte Commander
    Apr 8 '17 at 18:32














  • 2





    As an IT Security professional, this is the tried and true mechanism for responding to a system breach. Hacked accounts aside, you don't know what they did inside the hacked account, or to the system. The only true way is nuke from orbit.

    – Thomas Ward
    Apr 8 '17 at 16:51











  • " because every file you copy could potentially be infected. " That is simply not true. Explain please how /var/log/boot.log or how /var/log/auth.log can be infected?!

    – Rinzwind
    Apr 8 '17 at 17:14






  • 1





    @Rinzwind "every file" might be an oversimplification, but there are ways to embed bad stuff into most file types that get read by any application. Log files should be safe because they just get displayed as plain text and not parsed, but what I actually had in mind is more about actual user data, like documents, databases, images, etc

    – Byte Commander
    Apr 8 '17 at 18:32








2




2





As an IT Security professional, this is the tried and true mechanism for responding to a system breach. Hacked accounts aside, you don't know what they did inside the hacked account, or to the system. The only true way is nuke from orbit.

– Thomas Ward
Apr 8 '17 at 16:51





As an IT Security professional, this is the tried and true mechanism for responding to a system breach. Hacked accounts aside, you don't know what they did inside the hacked account, or to the system. The only true way is nuke from orbit.

– Thomas Ward
Apr 8 '17 at 16:51













" because every file you copy could potentially be infected. " That is simply not true. Explain please how /var/log/boot.log or how /var/log/auth.log can be infected?!

– Rinzwind
Apr 8 '17 at 17:14





" because every file you copy could potentially be infected. " That is simply not true. Explain please how /var/log/boot.log or how /var/log/auth.log can be infected?!

– Rinzwind
Apr 8 '17 at 17:14




1




1





@Rinzwind "every file" might be an oversimplification, but there are ways to embed bad stuff into most file types that get read by any application. Log files should be safe because they just get displayed as plain text and not parsed, but what I actually had in mind is more about actual user data, like documents, databases, images, etc

– Byte Commander
Apr 8 '17 at 18:32





@Rinzwind "every file" might be an oversimplification, but there are ways to embed bad stuff into most file types that get read by any application. Log files should be safe because they just get displayed as plain text and not parsed, but what I actually had in mind is more about actual user data, like documents, databases, images, etc

– Byte Commander
Apr 8 '17 at 18:32













-1















  • Boot up a live session. Do NOT use the system itself.

  • Mount the disks

  • Log in to a terminal session and do sudo -i to get to a prompt


  • Do a search over / with 1 of the names of those accounts



    grep -rnwl '/' -e "{name}"


    where {name} is what you want to find.




    • r: recursive

    • w: match whole word

    • l: only show file names




It will take a while depending on the size of the disk so you could start out searching /home/ instead of the whole disk 1st. But I doubt it will be a file in /home/




  • while you are at it: change your admin password with passwd {accountname}.





  • Also before you do this you can also check /etc/profile, /etc/crontab, crontab -l for weird actions and in your /home the file .bashrc for any action that should not be there




See if you can find out what is happening so you can take precautions so it can't happen again. It is best to re-install though. Heck it is the only sane option Put your personal files on a USB. Make note of software you installed, make note of router logs, and copy all logs files from /var/log so you can check for intrusions when you got your system clean again.



Carefully restore your files (make sure they are what they should be and do not execute any of them before you are sure).





Another thing to do: create a backup of the sudo file, clean it and use inotify to immediately copy a backup file over the changed one. That will hamper whatever they try to do with your system.






share|improve this answer


























  • To the downvoter; please carefully think about why you downvoted. Only a moron would re-install without investigating the issue.

    – Rinzwind
    Apr 8 '17 at 16:52











  • After a security breach, the only tried and true approach is nuke-and-restart. That said, a full disk image of the server, where possible, so they can go back later in a non-networked environment and examine what was done on the system is never a bad idea, however they should still nuke and reload. This is the typical approach. (If the owner of the server or system chooses to not go the forensic approach and just nuke and restart, that's their choice, and they'll learn the next time they're breached to start examining how they were breached.)

    – Thomas Ward
    Apr 8 '17 at 16:52













  • If I were a hacker and had the abilities to get that deep into a system, I doubt I would use a simple cleartext script to recreate my account.

    – Byte Commander
    Apr 8 '17 at 16:53











  • @ThomasWard sure But a re-install should not be the 1st action. The 1st action is to investigate. And then re-install. What if this is not an outside but in inside job. a re-install will erase any evidence.

    – Rinzwind
    Apr 8 '17 at 16:54








  • 1





    @Rinzwind Perhaps you and I should continue this discussion in chat - while I agree that the first step is to investigate, that's in the theory. Investigating a hacked server live is an IT Security 'no no'. A forensic copy of the existing system, then nuking the server and getting it back to 'production ready status' then examining after the fact is the actual approach taken to breached systems, in many cases (including forensic investigations by law enforcement in the USA)

    – Thomas Ward
    Apr 8 '17 at 16:59
















-1















  • Boot up a live session. Do NOT use the system itself.

  • Mount the disks

  • Log in to a terminal session and do sudo -i to get to a prompt


  • Do a search over / with 1 of the names of those accounts



    grep -rnwl '/' -e "{name}"


    where {name} is what you want to find.




    • r: recursive

    • w: match whole word

    • l: only show file names




It will take a while depending on the size of the disk so you could start out searching /home/ instead of the whole disk 1st. But I doubt it will be a file in /home/




  • while you are at it: change your admin password with passwd {accountname}.





  • Also before you do this you can also check /etc/profile, /etc/crontab, crontab -l for weird actions and in your /home the file .bashrc for any action that should not be there




See if you can find out what is happening so you can take precautions so it can't happen again. It is best to re-install though. Heck it is the only sane option Put your personal files on a USB. Make note of software you installed, make note of router logs, and copy all logs files from /var/log so you can check for intrusions when you got your system clean again.



Carefully restore your files (make sure they are what they should be and do not execute any of them before you are sure).





Another thing to do: create a backup of the sudo file, clean it and use inotify to immediately copy a backup file over the changed one. That will hamper whatever they try to do with your system.






share|improve this answer


























  • To the downvoter; please carefully think about why you downvoted. Only a moron would re-install without investigating the issue.

    – Rinzwind
    Apr 8 '17 at 16:52











  • After a security breach, the only tried and true approach is nuke-and-restart. That said, a full disk image of the server, where possible, so they can go back later in a non-networked environment and examine what was done on the system is never a bad idea, however they should still nuke and reload. This is the typical approach. (If the owner of the server or system chooses to not go the forensic approach and just nuke and restart, that's their choice, and they'll learn the next time they're breached to start examining how they were breached.)

    – Thomas Ward
    Apr 8 '17 at 16:52













  • If I were a hacker and had the abilities to get that deep into a system, I doubt I would use a simple cleartext script to recreate my account.

    – Byte Commander
    Apr 8 '17 at 16:53











  • @ThomasWard sure But a re-install should not be the 1st action. The 1st action is to investigate. And then re-install. What if this is not an outside but in inside job. a re-install will erase any evidence.

    – Rinzwind
    Apr 8 '17 at 16:54








  • 1





    @Rinzwind Perhaps you and I should continue this discussion in chat - while I agree that the first step is to investigate, that's in the theory. Investigating a hacked server live is an IT Security 'no no'. A forensic copy of the existing system, then nuking the server and getting it back to 'production ready status' then examining after the fact is the actual approach taken to breached systems, in many cases (including forensic investigations by law enforcement in the USA)

    – Thomas Ward
    Apr 8 '17 at 16:59














-1












-1








-1








  • Boot up a live session. Do NOT use the system itself.

  • Mount the disks

  • Log in to a terminal session and do sudo -i to get to a prompt


  • Do a search over / with 1 of the names of those accounts



    grep -rnwl '/' -e "{name}"


    where {name} is what you want to find.




    • r: recursive

    • w: match whole word

    • l: only show file names




It will take a while depending on the size of the disk so you could start out searching /home/ instead of the whole disk 1st. But I doubt it will be a file in /home/




  • while you are at it: change your admin password with passwd {accountname}.





  • Also before you do this you can also check /etc/profile, /etc/crontab, crontab -l for weird actions and in your /home the file .bashrc for any action that should not be there




See if you can find out what is happening so you can take precautions so it can't happen again. It is best to re-install though. Heck it is the only sane option Put your personal files on a USB. Make note of software you installed, make note of router logs, and copy all logs files from /var/log so you can check for intrusions when you got your system clean again.



Carefully restore your files (make sure they are what they should be and do not execute any of them before you are sure).





Another thing to do: create a backup of the sudo file, clean it and use inotify to immediately copy a backup file over the changed one. That will hamper whatever they try to do with your system.






share|improve this answer
















  • Boot up a live session. Do NOT use the system itself.

  • Mount the disks

  • Log in to a terminal session and do sudo -i to get to a prompt


  • Do a search over / with 1 of the names of those accounts



    grep -rnwl '/' -e "{name}"


    where {name} is what you want to find.




    • r: recursive

    • w: match whole word

    • l: only show file names




It will take a while depending on the size of the disk so you could start out searching /home/ instead of the whole disk 1st. But I doubt it will be a file in /home/




  • while you are at it: change your admin password with passwd {accountname}.





  • Also before you do this you can also check /etc/profile, /etc/crontab, crontab -l for weird actions and in your /home the file .bashrc for any action that should not be there




See if you can find out what is happening so you can take precautions so it can't happen again. It is best to re-install though. Heck it is the only sane option Put your personal files on a USB. Make note of software you installed, make note of router logs, and copy all logs files from /var/log so you can check for intrusions when you got your system clean again.



Carefully restore your files (make sure they are what they should be and do not execute any of them before you are sure).





Another thing to do: create a backup of the sudo file, clean it and use inotify to immediately copy a backup file over the changed one. That will hamper whatever they try to do with your system.







share|improve this answer














share|improve this answer



share|improve this answer








edited Apr 8 '17 at 17:05

























answered Apr 8 '17 at 16:42









RinzwindRinzwind

208k28400532




208k28400532













  • To the downvoter; please carefully think about why you downvoted. Only a moron would re-install without investigating the issue.

    – Rinzwind
    Apr 8 '17 at 16:52











  • After a security breach, the only tried and true approach is nuke-and-restart. That said, a full disk image of the server, where possible, so they can go back later in a non-networked environment and examine what was done on the system is never a bad idea, however they should still nuke and reload. This is the typical approach. (If the owner of the server or system chooses to not go the forensic approach and just nuke and restart, that's their choice, and they'll learn the next time they're breached to start examining how they were breached.)

    – Thomas Ward
    Apr 8 '17 at 16:52













  • If I were a hacker and had the abilities to get that deep into a system, I doubt I would use a simple cleartext script to recreate my account.

    – Byte Commander
    Apr 8 '17 at 16:53











  • @ThomasWard sure But a re-install should not be the 1st action. The 1st action is to investigate. And then re-install. What if this is not an outside but in inside job. a re-install will erase any evidence.

    – Rinzwind
    Apr 8 '17 at 16:54








  • 1





    @Rinzwind Perhaps you and I should continue this discussion in chat - while I agree that the first step is to investigate, that's in the theory. Investigating a hacked server live is an IT Security 'no no'. A forensic copy of the existing system, then nuking the server and getting it back to 'production ready status' then examining after the fact is the actual approach taken to breached systems, in many cases (including forensic investigations by law enforcement in the USA)

    – Thomas Ward
    Apr 8 '17 at 16:59



















  • To the downvoter; please carefully think about why you downvoted. Only a moron would re-install without investigating the issue.

    – Rinzwind
    Apr 8 '17 at 16:52











  • After a security breach, the only tried and true approach is nuke-and-restart. That said, a full disk image of the server, where possible, so they can go back later in a non-networked environment and examine what was done on the system is never a bad idea, however they should still nuke and reload. This is the typical approach. (If the owner of the server or system chooses to not go the forensic approach and just nuke and restart, that's their choice, and they'll learn the next time they're breached to start examining how they were breached.)

    – Thomas Ward
    Apr 8 '17 at 16:52













  • If I were a hacker and had the abilities to get that deep into a system, I doubt I would use a simple cleartext script to recreate my account.

    – Byte Commander
    Apr 8 '17 at 16:53











  • @ThomasWard sure But a re-install should not be the 1st action. The 1st action is to investigate. And then re-install. What if this is not an outside but in inside job. a re-install will erase any evidence.

    – Rinzwind
    Apr 8 '17 at 16:54








  • 1





    @Rinzwind Perhaps you and I should continue this discussion in chat - while I agree that the first step is to investigate, that's in the theory. Investigating a hacked server live is an IT Security 'no no'. A forensic copy of the existing system, then nuking the server and getting it back to 'production ready status' then examining after the fact is the actual approach taken to breached systems, in many cases (including forensic investigations by law enforcement in the USA)

    – Thomas Ward
    Apr 8 '17 at 16:59

















To the downvoter; please carefully think about why you downvoted. Only a moron would re-install without investigating the issue.

– Rinzwind
Apr 8 '17 at 16:52





To the downvoter; please carefully think about why you downvoted. Only a moron would re-install without investigating the issue.

– Rinzwind
Apr 8 '17 at 16:52













After a security breach, the only tried and true approach is nuke-and-restart. That said, a full disk image of the server, where possible, so they can go back later in a non-networked environment and examine what was done on the system is never a bad idea, however they should still nuke and reload. This is the typical approach. (If the owner of the server or system chooses to not go the forensic approach and just nuke and restart, that's their choice, and they'll learn the next time they're breached to start examining how they were breached.)

– Thomas Ward
Apr 8 '17 at 16:52







After a security breach, the only tried and true approach is nuke-and-restart. That said, a full disk image of the server, where possible, so they can go back later in a non-networked environment and examine what was done on the system is never a bad idea, however they should still nuke and reload. This is the typical approach. (If the owner of the server or system chooses to not go the forensic approach and just nuke and restart, that's their choice, and they'll learn the next time they're breached to start examining how they were breached.)

– Thomas Ward
Apr 8 '17 at 16:52















If I were a hacker and had the abilities to get that deep into a system, I doubt I would use a simple cleartext script to recreate my account.

– Byte Commander
Apr 8 '17 at 16:53





If I were a hacker and had the abilities to get that deep into a system, I doubt I would use a simple cleartext script to recreate my account.

– Byte Commander
Apr 8 '17 at 16:53













@ThomasWard sure But a re-install should not be the 1st action. The 1st action is to investigate. And then re-install. What if this is not an outside but in inside job. a re-install will erase any evidence.

– Rinzwind
Apr 8 '17 at 16:54







@ThomasWard sure But a re-install should not be the 1st action. The 1st action is to investigate. And then re-install. What if this is not an outside but in inside job. a re-install will erase any evidence.

– Rinzwind
Apr 8 '17 at 16:54






1




1





@Rinzwind Perhaps you and I should continue this discussion in chat - while I agree that the first step is to investigate, that's in the theory. Investigating a hacked server live is an IT Security 'no no'. A forensic copy of the existing system, then nuking the server and getting it back to 'production ready status' then examining after the fact is the actual approach taken to breached systems, in many cases (including forensic investigations by law enforcement in the USA)

– Thomas Ward
Apr 8 '17 at 16:59





@Rinzwind Perhaps you and I should continue this discussion in chat - while I agree that the first step is to investigate, that's in the theory. Investigating a hacked server live is an IT Security 'no no'. A forensic copy of the existing system, then nuking the server and getting it back to 'production ready status' then examining after the fact is the actual approach taken to breached systems, in many cases (including forensic investigations by law enforcement in the USA)

– Thomas Ward
Apr 8 '17 at 16:59


















draft saved

draft discarded




















































Thanks for contributing an answer to Ask Ubuntu!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f902600%2fhow-to-remove-hacked-account-on-ubuntu-server%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

How to change which sound is reproduced for terminal bell?

Can I use Tabulator js library in my java Spring + Thymeleaf project?

Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents