How to remove hacked account on Ubuntu server
My server has 2 accounts that are hacked, and if I try to remove them in any way, after about 1 minute they are re-added automatically with the highest permission in
visudo NOPASSWORD=ALL
So how can I find out the root code that does this and remove them forever?
Tags: users, accounts
asked Apr 8 '17 at 16:29 by user3160078; edited Apr 8 '17 at 23:43 by wittich
Remove the OS completely. If it's hacked, it's hacked, and there's no 100% sure way to fix everything. Just install a new server and start over.
– Sergiy Kolodyazhnyy, Apr 8 '17 at 16:48
@SergiyKolodyazhnyy I disagree. The user wants help IDENTIFYING the problem, not to ignore it and re-install. The smart thing to do is to learn from this so it won't happen again. A re-install does not teach anything.
– Rinzwind, Apr 8 '17 at 16:50
Thanks for your comments. I've tried to disable the 2 hacked accounts and set a fake group for them in visudo, so I hope this solution is able to keep my server safe for now. Please give me any other ideas, many thanks.
– user3160078, Apr 8 '17 at 16:54
@user3160078 Don't take too long investigating.
– Rinzwind, Apr 8 '17 at 17:02
@Rinzwind I agree with you, but I still want to remove them rather than disable them; this is just my temporary solution for now.
– user3160078, Apr 8 '17 at 17:51
2 Answers
Sorry to say, but The Only Right Way™ to go is to nuke the machine from orbit.
If a hacker managed to get that deep into your system, you can never know whether you wiped all traces or whether they've still got another ace up their sleeve with which they can regain access.
You should try to investigate how they hacked the system in the first place, so that you can patch that security hole later on your new installation, and then completely erase the whole system and install from scratch. Therefore it is best to shut the server down and boot a live system from which you can clone the entire storage. Later you can examine that image in a secured and locked-down environment (no access to the internet or your business networks, etc.).
You should also back up only as much data as necessary, and as little as possible, because every file you copy could potentially be infected. Comparing your current data files with those from older backups (you do have periodic backups, right!?) might help you decide what you need and what is in good shape.
Related questions on other Stack Exchange sites:
- How do I deal with a compromised server?
- How do you explain the necessity of “nuke it from orbit” to management and users?
answered Apr 8 '17 at 16:46 by Byte Commander; edited Apr 8 '17 at 16:56
As an IT Security professional, this is the tried and true mechanism for responding to a system breach. Hacked accounts aside, you don't know what they did inside the hacked account, or to the system. The only true way is nuke from orbit.
– Thomas Ward♦, Apr 8 '17 at 16:51
"because every file you copy could potentially be infected." That is simply not true. Please explain how /var/log/boot.log or /var/log/auth.log can be infected?!
– Rinzwind, Apr 8 '17 at 17:14
@Rinzwind "every file" might be an oversimplification, but there are ways to embed bad stuff into most file types that get read by any application. Log files should be safe because they just get displayed as plain text and not parsed, but what I actually had in mind is more about actual user data, like documents, databases, images, etc.
– Byte Commander, Apr 8 '17 at 18:32
- Boot up a live session. Do NOT use the system itself.
- Mount the disks.
- Log in to a terminal session and run
  sudo -i
  to get to a root prompt.
- Do a search over / with one of the names of those accounts:
  grep -rnwl '/' -e "{name}"
  where {name} is what you want to find.
  - r: recursive
  - w: match whole word
  - l: only show file names
  It will take a while depending on the size of the disk, so you could start out searching /home/ instead of the whole disk first. But I doubt it will be a file in /home/.
- While you are at it, change your admin password with
  passwd {accountname}
- Also, before you do this, you can check
  /etc/profile, /etc/crontab and crontab -l
  for weird actions, and in your /home the file .bashrc for any action that should not be there.
See if you can find out what is happening so you can take precautions so it can't happen again. It is best to re-install though. Heck, it is the only sane option. Put your personal files on a USB stick. Make a note of the software you installed, make a note of router logs, and copy all log files from /var/log so you can check for intrusions when you have your system clean again.
Carefully restore your files (make sure they are what they should be, and do not execute any of them before you are sure).
Another thing to do: create a backup of the sudo file, clean it and use inotify to immediately copy the backup file over the changed one. That will hamper whatever they try to do with your system.
edited Apr 8 '17 at 17:05
answered Apr 8 '17 at 16:42
Rinzwind
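An added example (not Rinzwind's code) that turns the checks in the answer above into an offline triage scan. It assumes the compromised disk is mounted read-only at a path you pass as MOUNT, and it builds a constructed demo tree so it runs stand-alone.

```shell
# Added example, not part of the answer above: from a live session with the
# compromised disk mounted read-only at MOUNT (assumed, e.g. /mnt), list every
# whole-word reference to suspect account NAME in the usual persistence spots.
set -u
# Locations relative to the mounted root: the profile, crontab and .bashrc
# files the answer names, plus the other cron, rc and systemd unit
# directories where a job that re-creates an account would typically sit.
PERSISTENCE_PATHS=(
  etc/profile etc/profile.d etc/bash.bashrc etc/crontab etc/cron.d
  etc/cron.hourly etc/cron.daily etc/rc.local var/spool/cron/crontabs
  etc/systemd/system root/.bashrc root/.profile
)

# scan_persistence MOUNT NAME: print "file:line:content" for each match in
# the locations above and in every home/*/.bashrc and .profile.
# Returns 0 if at least one match was found, 1 otherwise.
scan_persistence() {
  local mount="${1%/}" name="$2" p
  local -a targets=()
  for p in "${PERSISTENCE_PATHS[@]}"; do
    [ -e "$mount/$p" ] && targets+=("$mount/$p")
  done
  for p in "$mount"/home/*/.bashrc "$mount"/home/*/.profile; do
    [ -e "$p" ] && targets+=("$p")
  done
  [ "${#targets[@]}" -gt 0 ] || return 1
  # -r recurse into directories, -n line numbers, -w whole word only,
  # -H always prefix the file name, -I skip binaries; grep exits 1 on no match
  grep -rnwHI -e "$name" "${targets[@]}" 2>/dev/null
}

# count_hits MOUNT NAME: number of matching lines, handy for scripting.
count_hits() { scan_persistence "$1" "$2" | wc -l | tr -d ' '; }

# Constructed demo tree standing in for the mounted disk (sample data, not
# from the question): a cron job re-creating "evilacct", a root .bashrc
# hook referencing it, and a clean user .bashrc that must not match.
make_demo_root() {
  local root; root="$(mktemp -d)"
  mkdir -p "$root/etc/cron.d" "$root/root" "$root/home/alice"
  printf '* * * * * root id evilacct >/dev/null 2>&1 || useradd -m evilacct\n' \
    > "$root/etc/cron.d/sync"
  printf '[ -d /home/evilacct ] || sh /var/tmp/.cache/setup.sh\n' > "$root/root/.bashrc"
  printf 'export PATH=$HOME/bin:$PATH\n' > "$root/home/alice/.bashrc"
  echo "$root"
}

DEMO_ROOT="$(make_demo_root)"
scan_persistence "$DEMO_ROOT" evilacct   # prints the two planted lines
```

Run it against the real mount point with `scan_persistence /mnt <name>` once the disk is attached from the live session; anything it reports is a file to inspect before you decide what to keep.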
To the downvoter; please carefully think about why you downvoted. Only a moron would re-install without investigating the issue.
– Rinzwind
Apr 8 '17 at 16:52
After a security breach, the only tried and true approach is nuke-and-restart. That said, a full disk image of the server, where possible, so they can go back later in a non-networked environment and examine what was done on the system is never a bad idea; however, they should still nuke and reload. This is the typical approach. (If the owner of the server or system chooses to not go the forensic approach and just nuke and restart, that's their choice, and they'll learn the next time they're breached to start examining how they were breached.)
– Thomas Ward♦
Apr 8 '17 at 16:52
If I were a hacker and had the abilities to get that deep into a system, I doubt I would use a simple cleartext script to recreate my account.
– Byte Commander
Apr 8 '17 at 16:53
@ThomasWard sure. But a re-install should not be the 1st action. The 1st action is to investigate, and then re-install. What if this is not an outside but an inside job? A re-install will erase any evidence.
– Rinzwind
Apr 8 '17 at 16:54
@Rinzwind Perhaps you and I should continue this discussion in chat - while I agree that the first step is to investigate, that's in the theory. Investigating a hacked server live is an IT Security 'no no'. A forensic copy of the existing system, then nuking the server and getting it back to 'production ready status' then examining after the fact is the actual approach taken to breached systems, in many cases (including forensic investigations by law enforcement in the USA)
– Thomas Ward♦
Apr 8 '17 at 16:59