check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
We are on CentOS 7, a "CLEAN" installation, a 100% "new" server.
When we search on GOOGLE for a command to find out
"who created a user in CentOS"
we only get commands that show the
"date of creation of the user".
Our problem is that the provider/ISP gave US a "new server"; even the command history is empty, however:
https://pasteboard.co/d6KEhfZzDqnl.png
Then, because we are very much NEWBIES, we want to check WHO created these users ("the CentOS system" or "a malicious ISP as ROOT").
Because the ROOT history is empty, we can't check what commands the ROOT user RAN.
We know we can delete users one by one; does some command exist for us to DELETE (in only one line) ANY USER not created by CentOS 7 by default? Or some line such as: "/commands/root/return_OS_to_original_image" ???
We also discovered more commands on GOOGLE:
https://pasteboard.co/OM5QfrK90rCl.png
All this confirms the ISP touched the VPS and created malicious users,
true?
thanks
Last edited by Windows on 2021/10/01 01:53:50, edited 1 time in total.
Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
1. Copy-paste text from terminal is more efficient than screenshots
2. Packages that provide services usually create an account for the service. It is safer to run services (well, everything) with a separate account than as root.
3. Automated installation (aka "kickstart") can create accounts. Is there / what is in the file /root/anaconda-ks.cfg?
Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
If you do not trust your provider then you should move elsewhere. Even if you sort out who created the whb* users there, they have physical access to the hardware and can therefore do anything they want to it at any time.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
Oh, it's true! With this ISP we have:
Code:
[root@pepsi ~]# ls /root
anaconda-ks.cfg
[root@pepsi ~]#
Code:
#version=DEVEL
# System authorization information
auth --enableshadow --passalgo=sha512
# Use CDROM installation media
cdrom
# Use graphical install
graphical
# Run the Setup Agent on first boot
firstboot --enable
ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8
# Network information
network --bootproto=dhcp --device=ens3 --onboot=off --ipv6=auto
network --hostname=localhost.localdomain
# Root password
rootpw --iscrypted $6$UHMerp719Pqlc3hA$9DNt81n10hNnbcCHGcB8QmfMKGkxpzA6Z/XBfb5eRmS6K0WNiK1Hroa6IkWlZR1KRH1ieXG4S8UpkocB4cBm91
# System timezone
timezone America/New_York --isUtc
# System bootloader configuration
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda
# Partition clearing information
clearpart --none --initlabel
# Disk partitioning information
part / --fstype="xfs" --ondisk=sda --size=15359
%packages
@^minimal
@core
kexec-tools
%end
%addon com_redhat_kdump --enable --reserve-mb='auto'
%end
Code:
[root@pepsi ~]# getent passwd | cut -d: -f1 | sort
adm
avahi-autoipd
bin
centos
daemon
dbus
ftp
games
halt
lp
mail
nobody
operator
polkitd
postfix
root
shutdown
sshd
sync
systemd-bus-proxy
systemd-network
tss
whbadmin
whbhelper
[root@pepsi ~]#
Code:
[root@pepsi ~]# aureport
Summary Report
======================
Range of time in logs: 01/21/2016 05:48:14.360 - 10/01/2021 09:28:06.014
Selected time for report: 01/21/2016 05:48:14 - 10/01/2021 09:28:06.014
Number of changes in configuration: 248
Number of changes to accounts, groups, or roles: 32
Number of logins: 62
Number of failed logins: 74
Number of authentications: 74
Number of failed authentications: 146
Number of users: 5
Number of terminals: 12
Number of host names: 24
Number of executables: 16
Number of commands: 8
Number of files: 0
Number of AVC's: 0
Number of MAC events: 1
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 1200
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 508
Number of events: 3046
[root@pepsi ~]#
Are we paranoid?
Or...
why did they create the users "centos", whbadmin and whbhelper?
We also found this:
Code:
[root@pepsi ~]# getent passwd | cut -d : -f 1 | xargs groups | sort
adm : adm
avahi-autoipd : avahi-autoipd
bin : bin
centos : centos adm wheel systemd-journal
daemon : daemon
dbus : dbus
ftp : ftp
games : users
halt : root
lp : lp
mail : mail
nobody : nobody
operator : root
polkitd : polkitd
postfix : postfix mail
root : root
shutdown : root
sshd : sshd
sync : root
systemd-bus-proxy : systemd-bus-proxy
systemd-network : systemd-network
tss : tss
whbadmin : root
whbhelper : root
[root@pepsi ~]#
Code:
whbadmin : root
whbhelper : root
This sounds like MALWARE !!!
Are we wrong?
Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
A 'centos' user is a standard thing on cloud providers who use cloud-init to do the deployment. They disable the root account and you log in as 'centos' and use sudo. That one doesn't look that worrying. You should ask them about the whb* users. If they do not have a convincing answer then, as said before, you should move elsewhere.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
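As an added example (not code from this thread or from any of its posters), here is a POSIX shell script that applies the checks suggested in the two replies above: it classifies each account as a system account (UID below CentOS 7's default UID_MIN of 1000), an account declared by a `user --name=` directive in the kickstart file, the cloud-init default `centos` user, or unexplained, and it flags any account whose primary group is root or that is a member of the root or wheel group. The passwd, group and kickstart contents below are constructed samples modelled on the output posted in this thread, not data from a real host; the `deploy` user and the kickstart `user` line are assumptions added to exercise the kickstart branch.

```shell
#!/bin/sh
# Added example, not from the thread: classify local accounts by their likely origin.
# All three inputs are constructed samples modelled on the thread's getent output.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
centos:x:1000:1000:Cloud User:/home/centos:/bin/bash
deploy:x:1003:1003::/home/deploy:/bin/bash
whbadmin:x:1001:0::/home/whbadmin:/bin/bash
whbhelper:x:1002:0::/home/whbhelper:/bin/bash'

GROUP_SAMPLE='root:x:0:
wheel:x:10:centos,deploy
adm:x:4:centos
centos:x:1000:'

# Constructed kickstart fragment; the "user" directive is how kickstart creates accounts.
# The password hash is a placeholder, not a real hash.
KICKSTART_SAMPLE='#version=DEVEL
auth --enableshadow --passalgo=sha512
rootpw --iscrypted $6$PLACEHOLDER_HASH
user --name=deploy --groups=wheel
%packages
@core
%end'

# classify_accounts PASSWD GROUP KICKSTART
# Prints one "name<TAB>verdict[ flags]" line per account.
classify_accounts() {
  printf '%s\n' "$1" | awk -F: -v grp="$2" -v ks="$3" '
  BEGIN {
    # Remember who belongs to the privileged groups root and wheel.
    n = split(grp, glines, "\n")
    for (i = 1; i <= n; i++) {
      split(glines[i], g, ":")
      if (g[1] == "root" || g[1] == "wheel") {
        m = split(g[4], members, ",")
        for (j = 1; j <= m; j++) if (members[j] != "") priv[members[j]] = g[1]
      }
    }
    # Collect accounts the kickstart file declares with "user --name=NAME".
    k = split(ks, klines, "\n")
    for (i = 1; i <= k; i++)
      if (klines[i] ~ /^user / && match(klines[i], /--name=[^ ]+/))
        declared[substr(klines[i], RSTART + 7, RLENGTH - 7)] = 1
  }
  {
    name = $1; uid = $3 + 0; gid = $4 + 0
    if (name == "root")            verdict = "root"
    else if (uid < 1000)           verdict = "system account (UID below UID_MIN)"
    else if (name in declared)     verdict = "declared in kickstart"
    else if (name == "centos")     verdict = "cloud-init default user (ask the provider to confirm)"
    else                           verdict = "UNEXPLAINED: not system, not kickstart, not cloud-init"
    flags = ""
    if (gid == 0 && name != "root") flags = flags " [primary group root]"
    if (name in priv)               flags = flags " [member of " priv[name] "]"
    print name "\t" verdict flags
  }'
}

# count_unexplained PASSWD GROUP KICKSTART -> number of accounts with no known origin
count_unexplained() {
  classify_accounts "$1" "$2" "$3" | grep -c 'UNEXPLAINED'
}

# verdict_for NAME PASSWD GROUP KICKSTART -> the verdict line for one account
verdict_for() {
  classify_accounts "$2" "$3" "$4" | awk -F '\t' -v n="$1" '$1 == n { print $2 }'
}

# Stand-alone run over the constructed samples.
classify_accounts "$PASSWD_SAMPLE" "$GROUP_SAMPLE" "$KICKSTART_SAMPLE"
```

On a real host, feed `classify_accounts` the output of `getent passwd`, `getent group` and the contents of /root/anaconda-ks.cfg instead of the samples. An account that ends up UNEXPLAINED and additionally carries a root or wheel flag, as whbadmin and whbhelper do in the thread's output, is the one to raise with the provider; the audit summary posted earlier counts account changes, and `ausearch -m ADD_USER` lists the individual audited additions with their timestamps.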
Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
The problem is that ONLY THEY give a cPanel licence for US $10 a month.
Master TrevorH, we also found:
Code:
[root@pepsi ~]# systemctl status postfix.service
● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2021-10-01 08:54:24 EDT; 2h 58min ago
Process: 1013 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
Process: 1009 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
Process: 1006 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
Main PID: 1130 (master)
CGroup: /system.slice/postfix.service
├─ 1130 /usr/libexec/postfix/master -w
├─ 1132 qmgr -l -t unix -u
└─11866 pickup -l -t unix -u
Oct 01 08:54:23 cs-centos-7-base-v1.3cow systemd[1]: Starting Postfix Mail Transport Agent...
Oct 01 08:54:24 cs-centos-7-base-v1.3cow postfix/postfix-script[1128]: starting the Postfix mail system
Oct 01 08:54:24 cs-centos-7-base-v1.3cow postfix/master[1130]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 01 08:54:24 cs-centos-7-base-v1.3cow systemd[1]: Started Postfix Mail Transport Agent.
[root@pepsi ~]#
Then "my dark mind" says "maybe they installed a trojan so that when you change the ROOT PASSWORD, the trojan sends an email with the data to them"...
Yes, of course the logical action is to go to ANOTHER provider, but it is also important to learn and to listen to your comments.
Regards
Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
Postfix is installed as part of any CentOS system. It's part of the minimal install package set and every one gets it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
thanks master TrevorH,
in my other ISP:
Code:
[root@pepsi ~]# journalctl -u postfix
-- No entries --
[root@pepsi ~]#
Re: check WHO create X user in CentOs (maybe root, sys, admin, etc) - malicious ISP
provider "SPY":
Windows wrote: ↑2021/10/01 16:57:37
thanks master TrevorH,
in my other ISP:
Code:
[root@pepsi ~]# journalctl -u postfix
-- No entries --
[root@pepsi ~]#
Code:
[root@pepsi ~]# more /etc/redhat-release;journalctl -u postfix
CentOS Linux release 7.5.1804 (Core)
-- Logs begin at Fri 2021-10-01 08:54:18 EDT, end at Fri 2021-10-01 13:18:35 EDT. --
Oct 01 08:54:23 cs-centos-7-base-v1.3cow systemd[1]: Starting Postfix Mail Transport Agent...
Oct 01 08:54:24 cs-centos-7-base-v1.3cow postfix/postfix-script[1128]: starting the Postfix mail system
Oct 01 08:54:24 cs-centos-7-base-v1.3cow postfix/master[1130]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 01 08:54:24 cs-centos-7-base-v1.3cow systemd[1]: Started Postfix Mail Transport Agent.
[root@pepsi ~]#
Code:
[root@cocacola ~]# more /etc/redhat-release;journalctl -u postfix
CentOS Linux release 7.9.2009 (Core)
-- No entries --
[root@cocacola ~]#