Default users in CentOS 7?? (we get 24 in a "new" / "clean" VPS)
Hello,
Which is the ORIGINAL list of users in CentOS 7??
We get 24:
You can see we mark SIX as malicious users, but maybe it is five.
More important:
history SHELL for user ROOT = empty,
however there are multiple LOGINS from IPs of the ISP.
How can we DELETE the foreign users?
For us, changing the ROOT password is not sufficient.
Thanks for your help with the audit.
We repeat: the VPS is 100% "new"; logically the ISP manipulated the VPS before delivery. How can we check their actions?
Thanks
Oh god... this is TERRIBLE: why does this ISP need to delete (1, 2)??? Please, is there some other trick to get more malicious actions out of this "CLEAN VPS"?? Also you can see: BEFORE delivery of the VPS, the ISP executed /usr/sbin/useradd 14 times.
Surely they created/deleted some user multiple times... these are VERY dirty actions...
Hey there! From what you've posted, it sounds like the server has been compromised. Since the history shell for root has already been removed, and the server has been root compromised, there is not a reliable way to get accurate information from the system since it has already been tampered with. The best thing you can do at this point would be to migrate or restore backups to a new server.
Thanks, and do you know how many users a "CLEAN" CentOS has?
Here's what I see on a minimal install of CentOS 7 before cPanel is installed:
# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
chrony:x:998:995::/var/lib/chrony:/sbin/nologin
centos:x:1000:1000:centos:/home/centos:/bin/bash
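One way to turn the listing above into an audit check, as an added example that is not part of the thread: the baseline names are taken from the minimal-install output posted above, while the sample /etc/passwd contents are constructed for illustration and flag the two things worth looking for on a suspect image, accounts missing from the baseline and extra UID 0 accounts.

```python
# Baseline account names from the minimal CentOS 7 listing posted above.
BASELINE_USERS = {
    "root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail",
    "operator", "games", "ftp", "nobody", "systemd-network", "dbus", "polkitd",
    "rpc", "ntp", "named", "sshd", "postfix", "nscd", "chrony", "centos",
}

# Constructed sample /etc/passwd (NOT from the thread): a few baseline entries
# plus two accounts of the kind an audit should flag.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:998:995::/var/lib/chrony:/sbin/nologin
support:x:0:0:support:/home/support:/bin/bash
backup1:x:1001:1001::/home/backup1:/bin/bash
"""

# Shells that do not give an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/bin/sync", "/sbin/shutdown", "/sbin/halt"}

def parse_passwd(text):
    """Return (name, uid, gid, home, shell) tuples for each well-formed line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit would report it
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append((name, int(uid), int(gid), home, shell))
    return entries

def audit_passwd(text, baseline=BASELINE_USERS):
    """Return (account, reason) findings for accounts that deviate from the baseline."""
    findings = []
    for name, uid, _gid, _home, shell in parse_passwd(text):
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 account that is not root"))
        if name not in baseline:
            reason = "not in baseline"
            if shell not in NOLOGIN_SHELLS:
                reason += f", interactive shell {shell}"
            findings.append((name, reason))
    return findings
```

On a live host, read `/etc/passwd` into `audit_passwd` and compare against the baseline the provider actually ships, since, as the thread shows, images differ between providers.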
Oh master, I see 24 in your list, however in the OTHER ISP my CentOS returns 18:
[root@pepsi ~]# cat /etc/passwd | wc -l
18
[root@pepsi ~]#
And we NEVER get the user "centos":
[root@pepsi ~]# cat /etc/passwd | cut -d: -f1 | sort
adm
bin
chrony
daemon
dbus
ftp
games
halt
lp
mail
nobody
operator
polkitd
root
shutdown
sshd
sync
systemd-network
[root@pepsi ~]#
In this ISP (not the "spy") we have:
[root@pepsi ~]# more /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@pepsi ~]#
What distro do you have? Maybe CentOS 8?
Each installation can be a bit different. That is one of our internal "minimal" installs, so I'm not sure what your provider has configured.
Many thanks master @cPRex