check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Support for security such as Firewalls and securing linux
Windows
Posts: 59
Joined: 2021/06/16 13:20:01

check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by Windows » 2021/10/01 01:50:16

We are on CentOS 7, a "CLEAN" installation, a 100% "new" server.

When we search GOOGLE for a command to find out
"who created a user in CentOS"
we only get commands that give the
"date of creation of the user".

Our problem is that the provider/ISP gave US a "new server", and even the command history is empty, however:

https://pasteboard.co/d6KEhfZzDqnl.png

Then, because we are very NEWBIES, we want to check WHO created these users ("system CentOS" or "ROOT malicious ISP").

Because the ROOT history is empty, we can't check what commands the ROOT user RAN.

We know we can delete users one by one; does some command exist for us to DELETE (in only one line) ANY USER not created by CentOS 7 by default? Or some line like: "/commands/root/return_OS_to_original_image"???

Also we discovered more commands on GOOGLE:

https://pasteboard.co/OM5QfrK90rCl.png

All this confirms the ISP touched the VPS and created malicious users,
true?

Thanks
Last edited by Windows on 2021/10/01 01:53:50, edited 1 time in total.

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by Windows » 2021/10/01 01:53:08

Image #2:

https://pasteboard.co/OM5QfrK90rCl.png

(your board does not allow me to ADD/EDIT the POST)

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by jlehtone » 2021/10/01 07:30:09

1. Copy-paste text from terminal is more efficient than screenshots

2. Packages that provide services usually create an account for the service. It is safer to run services (well, everything) with a separate account than as root.

3. Automated installation (aka "kickstart") can create accounts. Is there/what is in file /root/anaconda-ks.cfg ?
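Point 3 can be checked mechanically: a kickstart explains an account only if it has a `user` directive or a `%pre`/`%post` script that calls useradd. As an added example (not from this thread), the function below lists both sources from a kickstart read on stdin; the sample kickstart is constructed. For comparison, the /root/anaconda-ks.cfg posted later in this thread contains neither a `user` directive nor a `%post` section.

```shell
#!/bin/sh
# Added example: list the account sources a kickstart file can contain, so the
# accounts on a freshly rebuilt host can be matched against the installer config.
# Real use on the host:  ks_account_sources < /root/anaconda-ks.cfg
# Anything the kickstart does not explain came from elsewhere (an rpm scriptlet,
# cloud-init, or an interactive session) and needs a different source to attribute.

# Constructed kickstart fragment, not the one posted in the thread.
SAMPLE_KS=$(cat <<'EOF'
#version=DEVEL
auth --enableshadow --passalgo=sha512
rootpw --iscrypted $6$PLACEHOLDERHASH
user --name=deploy --groups=wheel --iscrypted --password=$6$PLACEHOLDERHASH
%packages
@^minimal
%end
%post --log=/root/ks-post.log
useradd -G wheel whbadmin
/usr/sbin/useradd -g root whbhelper
%end
EOF
)

# Prints "directive NAME" for each `user --name=` directive and
# "post-script NAME" for each useradd/adduser call inside a %pre/%post block.
ks_account_sources() {
    awk '
    /^%(pre|post)( |$)/ { in_script = 1; next }   # entering an installer script
    /^%end/             { in_script = 0; next }   # leaving %pre/%post/%packages/%addon
    !in_script && /^user / {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^--name=/) print "directive", substr($i, 8)
        next
    }
    in_script && /(^|\/)(useradd|adduser) / {
        # the account name is the last argument of a useradd invocation
        print "post-script", $NF
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_KS" | ks_account_sources
```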

TrevorH
Site Admin
Posts: 33225
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by TrevorH » 2021/10/01 08:06:55

If you do not trust your provider then you should move elsewhere. Even if you sort out who created the whb* users there, they have physical access to the hardware and can therefore do anything they want to it at any time.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by Windows » 2021/10/01 13:32:59

jlehtone wrote (2021/10/01 07:30:09):
    Is there/what is in file /root/anaconda-ks.cfg ?

Oh, it is true! With this ISP we have:

[root@pepsi ~]# ls /root
anaconda-ks.cfg
[root@pepsi ~]#
With other ISPs this file does not exist (also on a VPS).

#version=DEVEL
# System authorization information
auth --enableshadow --passalgo=sha512
# Use CDROM installation media
cdrom
# Use graphical install
graphical
# Run the Setup Agent on first boot
firstboot --enable
ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8

# Network information
network  --bootproto=dhcp --device=ens3 --onboot=off --ipv6=auto
network  --hostname=localhost.localdomain

# Root password
rootpw --iscrypted $6$UHMerp719Pqlc3hA$9DNt81n10hNnbcCHGcB8QmfMKGkxpzA6Z/XBfb5eRmS6K0WNiK1Hroa6IkWlZR1KRH1ieXG4S8UpkocB4cBm91
# System timezone
timezone America/New_York --isUtc
# System bootloader configuration
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda
# Partition clearing information
clearpart --none --initlabel
# Disk partitioning information
part / --fstype="xfs" --ondisk=sda --size=15359

%packages
@^minimal
@core
kexec-tools

%end

%addon com_redhat_kdump --enable --reserve-mb='auto'

%end
When the REBUILD finished, we have 24 users:

[root@pepsi ~]# getent passwd | cut -d: -f1 | sort
adm
avahi-autoipd
bin
centos
daemon
dbus
ftp
games
halt
lp
mail
nobody
operator
polkitd
postfix
root
shutdown
sshd
sync
systemd-bus-proxy
systemd-network
tss
whbadmin
whbhelper
[root@pepsi ~]#
Also we find this:

[root@pepsi ~]# aureport

Summary Report
======================
Range of time in logs: 01/21/2016 05:48:14.360 - 10/01/2021 09:28:06.014
Selected time for report: 01/21/2016 05:48:14 - 10/01/2021 09:28:06.014
Number of changes in configuration: 248
Number of changes to accounts, groups, or roles: 32
Number of logins: 62
Number of failed logins: 74
Number of authentications: 74
Number of failed authentications: 146
Number of users: 5
Number of terminals: 12
Number of host names: 24
Number of executables: 16
Number of commands: 8
Number of files: 0
Number of AVC's: 0
Number of MAC events: 1
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 1200
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 508
Number of events: 3046

[root@pepsi ~]#
What do you think?

Are we paranoid?

Or...
why did they create the user "centos" and whbadmin, whbhelper?

We also find this:

[root@pepsi ~]# getent passwd | cut -d : -f 1 | xargs groups | sort
adm : adm
avahi-autoipd : avahi-autoipd
bin : bin
centos : centos adm wheel systemd-journal
daemon : daemon
dbus : dbus
ftp : ftp
games : users
halt : root
lp : lp
mail : mail
nobody : nobody
operator : root
polkitd : polkitd
postfix : postfix mail
root : root
shutdown : root
sshd : sshd
sync : root
systemd-bus-proxy : systemd-bus-proxy
systemd-network : systemd-network
tss : tss
whbadmin : root
whbhelper : root
[root@pepsi ~]#
You can see:

whbadmin : root
whbhelper : root
!!!

This sounds like MALWARE!!!

Are we wrong?
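The aureport summary above counts 32 account/group changes but gives no actor; `ausearch -m ADD_USER,ADD_GROUP -i` prints each record with the login uid (auid) that ran the command, which is the closest thing to "who created this user" a CentOS 7 host keeps (the report range here starts in 2016, so the log predates the rebuild). As an added example not from the thread, the function below extracts that attribution from records in audit.log format; the sample records are constructed.

```shell
#!/bin/sh
# Added example: attribute account-creation events to the login uid (auid) that
# performed them, from records in /var/log/audit/audit.log format.
# Real use on the host:  who_created_accounts < /var/log/audit/audit.log
# auid=4294967295 means "unset": the change was not made from a logged-in
# session (installer %post, an rpm scriptlet, cloud-init, a daemon).

# Constructed sample records: the field layout follows auditd, the values do
# not come from the thread's server.
SAMPLE_AUDIT=$(cat <<'EOF'
type=ADD_USER msg=audit(1453358894.360:101): pid=812 uid=0 auid=4294967295 ses=4294967295 msg='op=adding user id=1000 acct="centos" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=USER_LOGIN msg=audit(1633078400.000:2200): pid=2300 uid=0 auid=1000 ses=3 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=success'
type=ADD_USER msg=audit(1633078446.014:2204): pid=2311 uid=0 auid=1000 ses=3 msg='op=adding user id=1001 acct="whbadmin" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_GROUP msg=audit(1633078446.020:2205): pid=2311 uid=0 auid=1000 ses=3 msg='op=adding group acct="whbadmin" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
EOF
)

# Reads audit records on stdin and prints, per ADD_USER/ADD_GROUP record:
#   <epoch seconds> <auid or "unset"> <account> <executable> <result>
# Feed the epoch to `date -d @<epoch>` and the auid to `getent passwd <auid>`.
who_created_accounts() {
    awk '
    /^type=(ADD_USER|ADD_GROUP) / {
        epoch = $2                        # msg=audit(1633078446.014:2204):
        sub(/^msg=audit\(/, "", epoch)
        sub(/\..*/, "", epoch)
        auid = acct = exe = res = "?"
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^auid=/) auid = substr($i, 6)
            if ($i ~ /^acct=/) { acct = substr($i, 6); gsub(/"/, "", acct) }
            if ($i ~ /^exe=/)  { exe  = substr($i, 5); gsub(/"/, "", exe) }
            if ($i ~ /^res=/)  { res  = substr($i, 5); gsub(/[^a-z]/, "", res) }
        }
        if (auid == "4294967295") auid = "unset"
        print epoch, auid, acct, exe, res
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | who_created_accounts
```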

TrevorH
Site Admin
Posts: 33225
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by TrevorH » 2021/10/01 15:03:36

A 'centos' user is a standard thing on cloud providers who use cloud-init to do the deployment. They disable the root account and you log in as 'centos' and use sudo. That one doesn't look that worrying. You should ask them about the whb* users. If they do not have a convincing answer then, as said before, you should move elsewhere.

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by Windows » 2021/10/01 15:57:05

TrevorH wrote (2021/10/01 15:03:36):
    ...you should move elsewhere

The problem is ONLY THEY give US a cPanel licence for $10 a month.

Master TrevorH, we also find:

[root@pepsi ~]# systemctl status postfix.service
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-10-01 08:54:24 EDT; 2h 58min ago
  Process: 1013 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
  Process: 1009 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
  Process: 1006 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
 Main PID: 1130 (master)
   CGroup: /system.slice/postfix.service
           ├─ 1130 /usr/libexec/postfix/master -w
           ├─ 1132 qmgr -l -t unix -u
           └─11866 pickup -l -t unix -u

Oct 01 08:54:23 cs-centos-7-base-v1.3cow systemd[1]: Starting Postfix Mail Transport Agent...
Oct 01 08:54:24 cs-centos-7-base-v1.3cow postfix/postfix-script[1128]: starting the Postfix mail system
Oct 01 08:54:24 cs-centos-7-base-v1.3cow postfix/master[1130]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 01 08:54:24 cs-centos-7-base-v1.3cow systemd[1]: Started Postfix Mail Transport Agent.
[root@pepsi ~]#
When we get a VPS from ANY OTHER COMPANY, this SMTP is not installed.

Then "my dark mind" says "maybe they installed a trojan so that when you change the ROOT PASSWORD, the trojan sends an email with the data to them"...

Yes, of course the logical action is to go to ANOTHER provider, but it is also important to learn and to listen to your comments.

Regards

TrevorH
Site Admin
Posts: 33225
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by TrevorH » 2021/10/01 16:03:49

Postfix is installed as part of any CentOS system. It's part of the minimal install package set and every one gets it.

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by Windows » 2021/10/01 16:57:37

Thanks master TrevorH,
in my other ISPs:

[root@pepsi ~]# journalctl -u postfix
-- No entries --
[root@pepsi ~]#

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP

Post by Windows » 2021/10/01 17:21:18

Windows wrote (2021/10/01 16:57:37):
    Thanks master TrevorH,
    in my other ISPs:

    [root@pepsi ~]# journalctl -u postfix
    -- No entries --
    [root@pepsi ~]#

Provider "SPY":

[root@pepsi ~]# more /etc/redhat-release;journalctl -u postfix
CentOS Linux release 7.5.1804 (Core)
-- Logs begin at Fri 2021-10-01 08:54:18 EDT, end at Fri 2021-10-01 13:18:35 EDT. --
Oct 01 08:54:23 cs-centos-7-base-v1.3cow systemd[1]: Starting Postfix Mail Transport Agent...
Oct 01 08:54:24 cs-centos-7-base-v1.3cow postfix/postfix-script[1128]: starting the Postfix mail system
Oct 01 08:54:24 cs-centos-7-base-v1.3cow postfix/master[1130]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 01 08:54:24 cs-centos-7-base-v1.3cow systemd[1]: Started Postfix Mail Transport Agent.
[root@pepsi ~]#
OTHER providers:

[root@cocacola ~]# more /etc/redhat-release;journalctl -u postfix
CentOS Linux release 7.9.2009 (Core)
-- No entries --
[root@cocacola ~]#
