Ubuntu: How to remove hacked account on Ubuntu server

Question:

My server has 2 accounts that were hacked, and now if I try to remove them in any way, after 1 minute they are re-added automatically with the highest permissions in

    visudo NOPASSWORD=ALL  

So how can I find out the root code that does this and remove them forever?


Solution:1

Sorry to say, but The Only Right Way™ to go is to nuke the machine from orbit.

If a hacker managed to get that deep into your system, you can never know whether you wiped all traces or whether they've still got another ace up their sleeve with which they can regain access.

You should try to investigate how they hacked the system in the first place, so that you can patch that security hole later on your new installation, and then completely erase the whole system and install from scratch. Therefore it is best to shut the server down and boot a live system from which you can clone the entire storage. Later you can examine that image in a secured and locked-down environment (no access to the internet or your business networks, etc.).

You should also back up only as much data as necessary, but as little as possible, because every file you copy could potentially be infected. Comparing your current data files with those from older backups (you do have periodic backups, right!?) might help you decide what you need and what is in good shape.

Solution:2

  • Boot up a live session. Do NOT use the system itself.
  • Mount the disks.
  • Log in to a terminal session and do sudo -i to get to a root prompt.
  • Do a search over / with one of the names of those accounts:

    grep -rnwl '/' -e "{name}"  

    where {name} is what you want to find.

    • r: recursive
    • w: match whole word
    • l: only show file names

It will take a while depending on the size of the disk, so you could start out by searching /home/ instead of the whole disk first. But I doubt it will be a file in /home/.

  • While you are at it: change your admin password with passwd {accountname}.

  • Also, before you do this, check /etc/profile, /etc/crontab and crontab -l for weird actions, and in your /home the file .bashrc for any action that should not be there.

See if you can find out what is happening so you can take precautions so it can't happen again. It is best to re-install though. Heck, it is the only sane option. Put your personal files on a USB stick. Make a note of the software you installed, make a note of router logs, and copy all log files from /var/log so you can check for intrusions once you have your system clean again.

Carefully restore your files (make sure they are what they should be and do not execute any of them before you are sure).


Another thing to do: create a backup of the sudo file, clean it, and use inotify to immediately copy the backup file over the changed one. That will hamper whatever they try to do with your system.
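The procedure in the answer above (boot a live system, mount the disk, grep the persistence locations for the rogue account name, look for the cron job that re-adds it every minute, and watch the sudoers file) as one script. This is an added example and not code from the original answer. It assumes the compromised root is mounted read-only at a path you pass as the first argument, and the sample tree it builds under mktemp is constructed for the demonstration; the account name `evil`, the script `/usr/local/bin/.sysupd` and the file `/etc/sudoers.d/90-evil` in it are invented. The watcher at the end needs `inotifywait` from the inotify-tools package and is a stopgap only: an attacker who already has root can simply kill it.

```bash
#!/usr/bin/env bash
# Offline triage of a mounted root for an account that keeps coming back.
# Usage: find_persistence /mnt/root hackedname
set -u

# Locations on the mounted root that commonly carry persistence on Debian/Ubuntu.
# Relative to the mount point; scanning these is far faster than grep over all of /.
PERSIST_PATHS="etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily
var/spool/cron/crontabs etc/profile etc/profile.d etc/bash.bashrc
etc/sudoers etc/sudoers.d etc/rc.local etc/systemd/system
lib/systemd/system usr/local/bin root home"

# Print every text file in the persistence locations that mentions the account
# name as a whole word (-w), names only (-l), skipping binaries (-I).
find_persistence() {
  root="$1"; name="$2"
  for rel in $PERSIST_PATHS; do
    p="$root/$rel"
    [ -e "$p" ] || continue
    grep -rIlw --exclude-dir=.cache -- "$name" "$p" 2>/dev/null
  done | sort -u
}

# Print cron lines that fire every minute ("* * * * *"), which is the pattern
# behind "re-added after 1 min". The cron line itself usually names a script
# rather than the account, so this complements the name search above.
find_minute_crons() {
  root="$1"
  grep -rHE '^[[:space:]]*\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*' \
    "$root/etc/crontab" "$root/etc/cron.d" "$root/var/spool/cron/crontabs" 2>/dev/null || true
}

# Stopgap from the answer: keep a clean copy of sudoers and put it back the
# moment the live one changes. Requires inotify-tools; run on the live system.
watch_sudoers() {
  clean="$1"   # path to the known-good copy you made after cleaning it
  while inotifywait -qq -e modify,create,attrib /etc/sudoers; do
    cp -- "$clean" /etc/sudoers && chmod 0440 /etc/sudoers
    logger -t sudoers-watch "sudoers changed; restored from $clean"
  done
}

# Constructed sample tree mimicking a compromised root (invented paths/names).
# Prints the temp directory so callers can scan it.
make_sample_root() {
  d="$(mktemp -d)"
  mkdir -p "$d/etc/cron.d" "$d/etc/sudoers.d" "$d/home/alice" \
           "$d/var/spool/cron/crontabs" "$d/usr/local/bin"
  printf '%s\n' '* * * * * root /usr/local/bin/.sysupd >/dev/null 2>&1' > "$d/etc/cron.d/sysupd"
  printf '%s\n' 'evil ALL=(ALL) NOPASSWD:ALL' > "$d/etc/sudoers.d/90-evil"
  printf '%s\n' 'export PATH=$PATH:/usr/local/bin' > "$d/home/alice/.bashrc"
  printf '%s\n' 'useradd -m evil' \
    'echo "evil ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/90-evil' > "$d/usr/local/bin/.sysupd"
  echo "$d"
}
```

Run `find_persistence /mnt/root evil` first, then `find_minute_crons /mnt/root`; in the sample tree the name search finds the sudoers drop-in and the hidden script, and the cron search finds the every-minute job that launches that script, which the name search alone would miss.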

