
My server has 2 accounts that are hacked, and now if I try to remove them in any way, after about 1 min they are re-added automatically with the highest permission in

visudo NOPASSWORD=ALL

So how can I find out the root code that does it and remove them forever?

wittich
  • Remove the OS completely. If it's hacked, it's hacked, and there's no 100% sure way to fix everything. Just install a new server and start over – Sergiy Kolodyazhnyy Apr 08 '17 at 16:48
  • @SergiyKolodyazhnyy I disagree. User wants help IDENTIFYING the problem. Not to ignore it and re-install. The smart thing to do is to learn from this so it won't happen again. A re-install does not teach anything. – Rinzwind Apr 08 '17 at 16:50
  • Thanks for your comments, I've tried to disable the 2 hacked accounts and set a fake group for them in visudo, so I hope this solution is able to keep my server safe for now. Please give me any more ideas, many thanks. – user3160078 Apr 08 '17 at 16:54
  • @user3160078 don't take too long investigating. – Rinzwind Apr 08 '17 at 17:02
  • @Rinzwind I agree with you but I still want to remove them rather than disable them, this is just my temporary solution for now. – user3160078 Apr 08 '17 at 17:51
  • First check your traffic and block all open ports and connections (just not yourself!)... Use **[iptables](https://help.ubuntu.com/community/IptablesHowTo)** to do so... – wittich Apr 08 '17 at 20:38

1 Answer

Sorry to say, but The Only Right Way™ to go is to nuke the machine from orbit.

If a hacker managed to get that deep into your system, you can never know whether you wiped all traces or whether they've still got another ace up the sleeve with which they can regain access.

You should try to investigate how they hacked the system in the first place, so that you can patch that security hole later on your new installation, and then completely erase the whole system and install from scratch. Therefore it is the best idea to shut the server down and boot a live system from which you can clone the entire storage. Later you can then examine that image in a secured and locked-down environment (no access to the internet or your business networks, etc.).

You should also back up only as much data as necessary, but as little as possible, because every file you copy could potentially be infected. Comparing your current data files with those from older backups (you do have periodic backups, right!?) might help you decide what you need and what is in good shape.

Related questions on other Stack Exchange sites:

Byte Commander
    As an IT Security professional, this is the tried and true mechanism for responding to a system breach. Hacked accounts aside, you don't know what they did *inside* the hacked account, or to the system. The only true way is nuke from orbit. – Thomas Ward Apr 08 '17 at 16:51
  • " because every file you copy could potentially be infected. " That is simply not true. Explain please how /var/log/boot.log or how /var/log/auth.log can be infected?! – Rinzwind Apr 08 '17 at 17:14
  • 1
    @Rinzwind "every file" might be an oversimplification, but there are ways to embed bad stuff into most file types that get read by any application. Log files should be safe because they just get displayed as plain text and not parsed, but what I actually had in mind is more about actual user data, like documents, databases, images, etc – Byte Commander Apr 08 '17 at 18:32
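The answer's investigation step (examine a cloned image offline) and the question's symptom (accounts that come back with `NOPASSWD: ALL`) can be checked together against a mounted image. The following is an added example, not code from the question, the answer or Ubuntu itself: it lists every sudoers principal granted `NOPASSWD: ALL` and flags scheduled jobs that call account-management commands, which is where a re-adding job would have to live. The file names, account name and cron line are constructed sample data; the job directories assume a Debian/Ubuntu-style layout.

```python
import re
import tempfile
from pathlib import Path

# Matches rules like "bob ALL=(ALL) NOPASSWD: ALL" or "%ops ALL=(ALL:ALL) NOPASSWD:ALL".
NOPASSWD_ALL = re.compile(r"^\s*(?P<who>%?[\w.-]+)\s+\S+\s*=.*NOPASSWD\s*:\s*ALL\s*$")
# Commands a job that re-creates an account or its sudo rule would need to call.
ACCOUNT_CMDS = re.compile(r"\b(useradd|adduser|usermod|chpasswd|visudo|sudoers)\b")
# Where scheduled jobs live on a Debian/Ubuntu-style root (relative to the mounted image).
JOB_DIRS = ["etc/cron.d", "etc/cron.hourly", "var/spool/cron/crontabs", "etc/systemd/system"]

def find_nopasswd_all(sudoers_text):
    """Return principals (users or %groups) given NOPASSWD: ALL in one sudoers file."""
    return [m.group("who") for line in sudoers_text.splitlines()
            if (m := NOPASSWD_ALL.match(line))]

def audit_image(root):
    """Scan a mounted, read-only image root for NOPASSWD: ALL rules and jobs touching accounts."""
    root = Path(root)
    findings = {"nopasswd": [], "jobs": []}
    for path in [root / "etc/sudoers", *sorted((root / "etc/sudoers.d").glob("*"))]:
        if path.is_file():
            for who in find_nopasswd_all(path.read_text(errors="replace")):
                findings["nopasswd"].append((str(path.relative_to(root)), who))
    for d in JOB_DIRS:
        for path in sorted((root / d).rglob("*")):
            if path.is_file() and ACCOUNT_CMDS.search(path.read_text(errors="replace")):
                findings["jobs"].append(str(path.relative_to(root)))
    return findings

def run_demo():
    """Build a constructed image tree in a temp dir and audit it (sample data, not a real case)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ["etc/sudoers.d", *JOB_DIRS]:
            (root / d).mkdir(parents=True, exist_ok=True)
        (root / "etc/sudoers").write_text("root ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n")
        # Constructed drop-in: a hypothetical account "svcbackup" with passwordless full sudo.
        (root / "etc/sudoers.d/90-cloud").write_text("# sample\nsvcbackup ALL=(ALL) NOPASSWD: ALL\n")
        # Constructed cron job that re-creates that account every minute (the page's symptom).
        (root / "etc/cron.d/sysupdate").write_text("* * * * * root /usr/sbin/useradd -m svcbackup\n")
        (root / "etc/cron.hourly/logrotate").write_text("#!/bin/sh\nlogrotate /etc/logrotate.conf\n")
        return audit_image(root)

if __name__ == "__main__":
    print(run_demo())
```

Run it against a real image by calling `audit_image("/mnt/image")` on the read-only mount; anything it reports under `jobs` is a starting point for the investigation, not proof on its own.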