user not in passwd launching attacks - Security

Thread: user not in passwd launching attacks

  1. user not in passwd launching attacks

    Hi, I have limited experience with Linux security so I'm hoping
    someone can help me. We had a complaint that there were attacks being
    launched from one of our servers (Ubuntu OS). I did a "lsof -i" as
    root and sure enough saw pages & pages of processes by this user
    launching attacks. Before killing the processes I tried deleting the
    user but I always got an error saying that he's not in the /etc/passwd
    file (which he is not). Every google search I did said to delete a
    user, delete them from the /etc/passwd file (quite frustrating!). I
    was able to finger this user's account. So my question is, how do I
    delete a user's account if they're not in the passwd file?

    Just FYI I have blocked access to this server via firewall so it will
    no longer be a problem but I'd still like to know how to delete a user
    like this.

  2. Re: user not in passwd launching attacks

    mattdorais@gmail.com wrote:
    > Hi, I have limited experience with Linux security so I'm hoping
    > someone can help me. We had a complaint that there were attacks being
    > launched from one of our servers (Ubuntu OS). I did a "lsof -i" as
    > root and sure enough saw pages & pages of processes by this user
    > launching attacks. Before killing the processes I tried deleting the
    > user but I always got an error saying that he's not in the /etc/passwd
    > file (which he is not). Every google search I did said to delete a
    > user, delete them from the /etc/passwd file (quite frustrating!). I
    > was able to finger this user's account. So my question is, how do I
    > delete a user's account if they're not in the passwd file?
    >
    > Just FYI I have blocked access to this server via firewall so it will
    > no longer be a problem but I'd still like to know how to delete a user
    > like this.


    Accounts can also be defined in NIS and LDAP.
    If you have Linux servers in an enterprise, it's probably wise to get
    someone who isn't a novice to administer security.

  3. Re: user not in passwd launching attacks

    On May 1, 1:21 pm, Allen Kistler wrote:
    > mattdor...@gmail.com wrote:
    > > Hi, I have limited experience with Linux security so I'm hoping
    > > someone can help me. We had a complaint that there were attacks being
    > > launched from one of our servers (Ubuntu OS). I did a "lsof -i" as
    > > root and sure enough saw pages & pages of processes by this user
    > > launching attacks. Before killing the processes I tried deleting the
    > > user but I always got an error saying that he's not in the /etc/passwd
    > > file (which he is not). Every google search I did said to delete a
    > > user, delete them from the /etc/passwd file (quite frustrating!). I
    > > was able to finger this user's account. So my question is, how do I
    > > delete a user's account if they're not in the passwd file?
    > >
    > > Just FYI I have blocked access to this server via firewall so it will
    > > no longer be a problem but I'd still like to know how to delete a user
    > > like this.
    >
    > Accounts can also be defined in NIS and LDAP.
    > If you have Linux servers in an enterprise, it's probably wise to get
    > someone who isn't a novice to administer security.


    Yep, turns out the Linux boxes use LDAP so I was able to locate the
    account. I appreciate the help.
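Allen's point that the account may live in NIS or LDAP, and Matt's follow-up that it did, can be checked directly on the box. The script below is an added example, not code from the thread: it reads the NSS configuration, tells you whether a name resolves from /etc/passwd or from another source, and lists the processes running as that UID straight from /proc rather than through ps or lsof. It assumes a glibc system with getent(1) and a mounted /proc; the user name "suspect" is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread).  On a host whose accounts may come from
# LDAP or NIS, find out where a name is actually resolved from and which
# processes run as it.  Assumes a glibc system with getent(1) and /proc;
# the user name "suspect" below is a placeholder.

# Print the sources that /etc/nsswitch.conf uses for passwd lookups, e.g.
# "files ldap" or "compat".  Reads the config from stdin so it can also be
# pointed at a copy taken from a mounted disk image.
passwd_sources() {
    sed -n 's/^passwd:[[:space:]]*//p' | sed 's/#.*//' \
        | tr -s '[:space:]' ' ' | sed 's/^ //;s/ $//'
}

# Classify how a user name resolves: "local" if it is in /etc/passwd,
# "nss" if getent(1) resolves it but /etc/passwd does not contain it
# (LDAP, NIS, sssd, ...), "none" if nothing knows the name.
account_source() {
    if getent passwd "$1" >/dev/null 2>&1; then
        if grep -q "^$1:" /etc/passwd; then echo local; else echo nss; fi
    else
        echo none
    fi
}

# Numeric UID of an account, whichever source it comes from.
account_uid() {
    getent passwd "$1" | cut -d: -f3
}

# List processes running with the given real UID by reading /proc directly,
# so the result does not depend on ps/lsof binaries that an intruder may
# have replaced.  Output: pid, executable path, command line (tab-separated).
procs_for_uid() {
    for d in /proc/[0-9]*; do
        st=$(awk '/^Uid:/ { print $2 }' "$d/status" 2>/dev/null) || continue
        [ "$st" = "$1" ] || continue
        printf '%s\t%s\t%s\n' "${d#/proc/}" \
            "$(readlink "$d/exe" 2>/dev/null)" \
            "$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)"
    done
}

# Stand-alone run: report the NSS passwd sources of this host.  On the
# suspect server one would continue with, for example:
#   account_source suspect && procs_for_uid "$(account_uid suspect)"
if [ -r /etc/nsswitch.conf ]; then
    echo "passwd sources: $(passwd_sources < /etc/nsswitch.conf)"
fi
```

A name that getent resolves but /etc/passwd lacks is exactly the case userdel rejects: the account has to be disabled or removed in the directory (LDAP or NIS) that serves it, and the processes already running as that UID still have to be killed on the host.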

  4. Re: user not in passwd launching attacks

    "mattdorais@gmail.com" writes:

    >Hi, I have limited experience with Linux security so I'm hoping
    >someone can help me. We had a complaint that there were attacks being
    >launched from one of our servers (Ubuntu OS). I did a "lsof -i" as
    >root and sure enough saw pages & pages of processes by this user
    >launching attacks. Before killing the processes I tried deleting the
    >user but I always got an error saying that he's not in the /etc/passwd
    >file (which he is not). Every google search I did said to delete a
    >user, delete them from the /etc/passwd file (quite frustrating!). I
    >was able to finger this user's account. So my question is, how do I
    >delete a user's account if they're not in the passwd file?


    >Just FYI I have blocked access to this server via firewall so it will
    >no longer be a problem but I'd still like to know how to delete a user
    >like this.


    Like what? You have not shown us anything. You have made vague statements,
    from which it is impossible to know what you are talking about.
    What user? What uid? You did "finger this user's account"? What was the
    result?

    It sounds like your system is completely owned. All of the utilities (ls,
    ps, vi, ...) may well be changed.
    It is time to wipe the disk, and reinstall.



  5. Re: user not in passwd launching attacks

    mattdorais@gmail.com wrote:
    > Hi, I have limited experience with Linux security so I'm hoping
    > someone can help me. We had a complaint that there were attacks being
    > launched from one of our servers (Ubuntu OS). I did a "lsof -i" as
    > root and sure enough saw pages & pages of processes by this user
    > launching attacks. Before killing the processes I tried deleting the
    > user but I always got an error saying that he's not in the /etc/passwd
    > file (which he is not). Every google search I did said to delete a
    > user, delete them from the /etc/passwd file (quite frustrating!). I
    > was able to finger this user's account. So my question is, how do I
    > delete a user's account if they're not in the passwd file?
    >
    > Just FYI I have blocked access to this server via firewall so it will
    > no longer be a problem but I'd still like to know how to delete a user
    > like this.


    You need to check policy to see if legal action is a possibility, if so
    you need an expert to work on your system. Otherwise, you can ignore
    the problem and wipe the system. That too requires some expertise
    as there may be boot sector viruses, HPA or DCO hidden disk areas
    (for AT disks anyway), and even flashed BIOS malware. It is
    often better/cheaper to pretend it is time for a hardware refresh
    anyway and scrape the suspect system completely.

    Wiping the system without fixing the security problem that
    led to the attack will leave your hosts vulnerable to another
    attack. If you don't fix the problem re-installing the system
    won't help, you'll be attacked again. If the server didn't
    have logs enabled for you to examine, you may really need to
    hire an expert or your other hosts will be at risk too.

    If you want to investigate on your own (did I mention you should
    probably hire an expert?) then here's some brief advice:

    Most attacks today are done by script-kiddies, who leave
    traces of their activities in the log files and elsewhere.
    Serious attackers won't leave such traces for a novice
    investigator to find, but it can't hurt to look before
    wiping the disk or throwing it out.

    Boot using a CD-ROM live distro and use its tools to examine
    your password and group files, log files, etc. Check the md5
    sum for commands such as ls, ps, who, etc., with known good
    values from a similar system. Check the reported size of
    the disk and filesystems, and look for gaps or hidden disk
    areas.

    Check the network logs to determine when the attack started,
    and then examine the relevant host log file entries to see
    what happened at that time.

    Use pwck on the suspect password and shadow files. This should
    show any bad entries, however if your system was hacked the
    user name showing in lsof may have been faked.

    Look for weak passwords with some tool such as John the Ripper.

    Try to figure out how the intruder got into your system. Are
    you running insecure versions of software? Do you have
    insecure configurations of servers such as permitting
    unrestricted uploads via FTP, WebDAV, etc.?

    In any case you should keep the network egress packet filters
    in place. Be sure all your hosts have all available security
    patches applied. Turn off un-needed services and disable
    or remove dormant user accounts. Look for cron and at
    jobs that don't belong. Remove un-needed software that could
    aid an attacker, such as gcc. Enable available security features
    of your systems.

    Get some books on securing a Linux system, there are many
    (including a few good ones. :-) Make time in your work
    schedule for reading and practicing. And monitoring the
    systems you're responsible for.

    Good luck!

    -Wayne
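Two of the offline checks Wayne recommends (looking for bad entries in the password file, and comparing the hashes of ls, ps, who and friends against known-good values from a similar system) can be scripted so they run from the live CD against the mounted disk. The script below is an added example, not code from the thread or from any tool it names. It assumes the suspect root is mounted read-only at a prefix such as /mnt, that a baseline of SHA-256 hashes was produced earlier on a known-good machine of the same release, and it builds a small constructed fixture so it demonstrates itself; none of the paths or account names in that fixture are real.

```shell
#!/bin/sh
# Added example (not from the thread).  Offline checks for a suspect root
# filesystem that has been mounted read-only from a live CD; the root prefix
# (e.g. /mnt) is passed as an argument.  Everything reads files under that
# prefix, never the live system's own /etc or binaries.

# Accounts with UID 0 that are not named root: a common backdoor.  Takes the
# path of a passwd file so it can be run on /mnt/etc/passwd.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Build a baseline of SHA-256 hashes for the given paths (relative to the
# root prefix).  Run this on a known-good machine of the same release and
# package versions, and keep the output off the suspect host.
#   baseline / bin/ls bin/ps usr/bin/who > baseline.txt
baseline() {
    root=$1; shift
    for f in "$@"; do
        if [ -f "$root/$f" ]; then
            (cd "$root" && sha256sum "$f")
        fi
    done
}

# Compare a mounted suspect root against a baseline file.  Prints one line
# per binary that is missing or whose hash differs; returns 1 if any did.
#   verify /mnt baseline.txt
verify() {
    root=$1; base=$2; bad=0
    while read -r sum path; do
        if [ ! -f "$root/$path" ]; then
            printf 'MISSING   %s\n' "$path"; bad=1
        elif [ "$(cd "$root" && sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            printf 'MODIFIED  %s\n' "$path"; bad=1
        fi
    done < "$base"
    return $bad
}

# Constructed fixture (not a real system) so the script demonstrates itself:
# a "good" tree and a "suspect" tree where bin/ps was replaced and a second
# UID-0 account was added to the passwd file.
demo() {
    good=$(mktemp -d); bad=$(mktemp -d)
    for r in "$good" "$bad"; do
        mkdir -p "$r/bin" "$r/etc"
        printf 'original ls\n' > "$r/bin/ls"
        printf 'original ps\n' > "$r/bin/ps"
    done
    printf 'replaced ps\n' > "$bad/bin/ps"
    printf 'root:x:0:0:root:/root:/bin/sh\nops:x:1000:1000::/home/ops:/bin/sh\ntoor:x:0:0::/:/bin/sh\n' \
        > "$bad/etc/passwd"
    baseline "$good" bin/ls bin/ps > "$good/baseline.txt"
    verify "$bad" "$good/baseline.txt"                               # MODIFIED  bin/ps
    echo "extra UID-0 accounts: $(extra_uid0 "$bad/etc/passwd")"    # toor
    rm -rf "$good" "$bad"
}

demo
```

The baseline has to come from a machine you trust and be stored off the suspect disk; package checksum files on the compromised system could have been edited along with the binaries. Running pwck on the mounted passwd and shadow files, as Wayne suggests, complements the UID-0 check, since pwck reports malformed entries while this check catches well-formed ones that simply should not exist.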
