This is a discussion on "user not in passwd launching attacks" within the Linux Security forums, part of the System Security and Security Related category.
Hi, I have limited experience with Linux security so I'm hoping someone can help me. We had a complaint that there were attacks being launched from one of our servers (Ubuntu OS). I did a "lsof -i" as root and sure enough saw pages & pages of processes by this user launching attacks. Before killing the processes I tried deleting the user but I always got an error saying that he's not in the /etc/passwd file (which he is not). Every google search I did said to delete a user, delete them from the /etc/passwd file (quite frustrating!). I was able to finger this user's account. So my question is, how do I delete a user's account if they're not in the passwd file?

Just FYI I have blocked access to this server via firewall so it will no longer be a problem but I'd still like to know how to delete a user like this.
mattdorais@gmail.com wrote:
> Hi, I have limited experience with Linux security so I'm hoping
> someone can help me. We had a complaint that there were attacks being
> launched from one of our servers (Ubuntu OS). I did a "lsof -i" as
> root and sure enough saw pages & pages of processes by this user
> launching attacks. Before killing the processes I tried deleting the
> user but I always got an error saying that he's not in the /etc/passwd
> file (which he is not). Every google search I did said to delete a
> user, delete them from the /etc/passwd file (quite frustrating!). I
> was able to finger this user's account. So my question is, how do I
> delete a user's account if they're not in the passwd file?
>
> Just FYI I have blocked access to this server via firewall so it will
> no longer be a problem but I'd still like to know how to delete a user
> like this.

Accounts can also be defined in NIS and LDAP.
If you have Linux servers in an enterprise, it's probably wise to get
someone who isn't a novice to administer security.
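Allen's point that an account can be supplied by NIS or LDAP rather than by /etc/passwd can be checked from the shell. The following is an added example, not code from the thread: it reads the `passwd:` line of nsswitch.conf to list the name-service sources the system consults, and reports whether the local file knows the user. The sample passwd and nsswitch files, and the user names alice and bob, are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Trace an account that finger or lsof
# reports, but /etc/passwd lacks, to the NSS source that defines it.
# Paths default to the system files and can be overridden for testing.

# Print the passwd sources from nsswitch.conf in lookup order, without
# comments or [status=action] modifiers, e.g. "files ldap systemd".
passwd_sources() {
    nsswitch=${1:-/etc/nsswitch.conf}
    sed -n 's/^[[:space:]]*passwd:[[:space:]]*//p' "$nsswitch" \
        | sed 's/#.*//; s/\[[^]]*\]//g' \
        | awk '{ $1 = $1; print }'
}

# Exit 0 if the user has an entry in the local passwd file, 1 otherwise.
# Field-exact match, so a name that is a prefix of another does not match.
in_local_passwd() {
    user=$1
    passwd=${2:-/etc/passwd}
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$passwd"
}

# Summarise where the account lives: "local", or "non-local" plus the
# directory sources (ldap, nis, sss, ...) that must be checked instead.
locate_account() {
    user=$1
    passwd=${2:-/etc/passwd}
    nsswitch=${3:-/etc/nsswitch.conf}
    if in_local_passwd "$user" "$passwd"; then
        echo "local"
    else
        echo "non-local (sources: $(passwd_sources "$nsswitch"))"
    fi
}

# Create constructed stand-ins for /etc/passwd and /etc/nsswitch.conf
# (alice is local, bob is not) and print the directory holding them.
demo_setup() {
    work=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$work/passwd"
    printf 'alice:x:1000:1000::/home/alice:/bin/bash\n' >> "$work/passwd"
    printf '# constructed sample\n' > "$work/nsswitch.conf"
    printf 'passwd:         files ldap [NOTFOUND=return] systemd\n' >> "$work/nsswitch.conf"
    printf 'group:          files ldap\n' >> "$work/nsswitch.conf"
    echo "$work"
}

# Stand-alone run against the constructed files only.
dir=$(demo_setup)
locate_account alice "$dir/passwd" "$dir/nsswitch.conf"
locate_account bob   "$dir/passwd" "$dir/nsswitch.conf"
rm -rf "$dir"
```

On a live system `getent passwd <user>` resolves the name through every configured source; if it answers while the local file has no entry, the account is defined in the directory listed by `passwd_sources` and has to be disabled or removed there, which is why `userdel` against /etc/passwd keeps failing. Killing the running processes is independent of where the account lives.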
On May 1, 1:21 pm, Allen Kistler <ackist...@oohay.moc> wrote:
> mattdor...@gmail.com wrote:
> > Hi, I have limited experience with Linux security so I'm hoping
> > someone can help me. We had a complaint that there were attacks being
> > launched from one of our servers (Ubuntu OS). I did a "lsof -i" as
> > root and sure enough saw pages & pages of processes by this user
> > launching attacks. Before killing the processes I tried deleting the
> > user but I always got an error saying that he's not in the /etc/passwd
> > file (which he is not). Every google search I did said to delete a
> > user, delete them from the /etc/passwd file (quite frustrating!). I
> > was able to finger this user's account. So my question is, how do I
> > delete a user's account if they're not in the passwd file?
> >
> > Just FYI I have blocked access to this server via firewall so it will
> > no longer be a problem but I'd still like to know how to delete a user
> > like this.
>
> Accounts can also be defined in NIS and LDAP.
> If you have Linux servers in an enterprise, it's probably wise to get
> someone who isn't a novice to administer security.

Yep, turns out the Linux boxes use LDAP so I was able to locate the account. I appreciate the help.
"mattdorais@gmail.com" <mattdorais@gmail.com> writes:
> Hi, I have limited experience with Linux security so I'm hoping
> someone can help me. We had a complaint that there were attacks being
> launched from one of our servers (Ubuntu OS). I did a "lsof -i" as
> root and sure enough saw pages & pages of processes by this user
> launching attacks. Before killing the processes I tried deleting the
> user but I always got an error saying that he's not in the /etc/passwd
> file (which he is not). Every google search I did said to delete a
> user, delete them from the /etc/passwd file (quite frustrating!). I
> was able to finger this user's account. So my question is, how do I
> delete a user's account if they're not in the passwd file?
> Just FYI I have blocked access to this server via firewall so it will
> no longer be a problem but I'd still like to know how to delete a user
> like this.

Like what? You have not shown us anything. You have made vague statements, from which it is impossible to know what you are talking about. What user? What uid? How did you "finger this user's account"? What was the result?

It sounds like your system is completely owned. All of the utilities (ls, ps, vi, ...) may well be changed. It is time to wipe the disk, and reinstall.
mattdorais@gmail.com wrote:
> Hi, I have limited experience with Linux security so I'm hoping
> someone can help me. We had a complaint that there were attacks being
> launched from one of our servers (Ubuntu OS). I did a "lsof -i" as
> root and sure enough saw pages & pages of processes by this user
> launching attacks. Before killing the processes I tried deleting the
> user but I always got an error saying that he's not in the /etc/passwd
> file (which he is not). Every google search I did said to delete a
> user, delete them from the /etc/passwd file (quite frustrating!). I
> was able to finger this user's account. So my question is, how do I
> delete a user's account if they're not in the passwd file?
>
> Just FYI I have blocked access to this server via firewall so it will
> no longer be a problem but I'd still like to know how to delete a user
> like this.

You need to check policy to see if legal action is a possibility; if so you need an expert to work on your system. Otherwise, you can ignore the problem and wipe the system. That too requires some expertise as there may be boot sector viruses, HPA or DCO hidden disk areas (for AT disks anyway), and even flashed BIOS malware. It is often better/cheaper to pretend it is time for a hardware refresh anyway and scrap the suspect system completely.

Wiping the system without fixing the security problem that led to the attack will leave your hosts vulnerable to another attack. If you don't fix the problem, re-installing the system won't help; you'll be attacked again. If the server didn't have logs enabled for you to examine, you may really need to hire an expert or your other hosts will be at risk too.

If you want to investigate on your own (did I mention you should probably hire an expert?) then here's some brief advice:

Most attacks today are done by script-kiddies, who leave traces of their activities in the log files and elsewhere. Serious attackers won't leave such traces for a novice investigator to find, but it can't hurt to look before wiping the disk or throwing it out.

Boot using a CD-ROM live distro and use its tools to examine your password and group files, log files, etc. Check the md5 sum for commands such as ls, ps, who, etc., against known good values from a similar system. Check the reported size of the disk and filesystems, and look for gaps or hidden disk areas. Check the network logs to determine when the attack started, and then examine the relevant host log file entries to see what happened at that time. Use pwck on the suspect password and shadow files. This should show any bad entries; however, if your system was hacked, the user name showing in lsof may have been faked. Look for weak passwords with some tool such as John the Ripper.

Try to figure out how the intruder got into your system. Are you running insecure versions of software? Do you have insecure configurations of servers, such as permitting unrestricted uploads via FTP, WebDAV, etc.?

In any case you should keep the network egress packet filters in place. Be sure all your hosts have all available security patches applied. Turn off un-needed services and disable or remove dormant user accounts. Look for cron and at jobs that don't belong. Remove un-needed software that could aid an attacker, such as gcc. Enable available security features of your systems.

Get some books on securing a Linux system; there are many (including a few good ones. :-) Make time in your work schedule for reading and practicing, and for monitoring the systems you're responsible for.

Good luck!
-Wayne
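Wayne's step of comparing checksums of ls, ps, who and the like with known-good values from a similar system, as an added example that is not part of his post: a manifest of hashes is recorded on a trusted host of the same release, then checked against the suspect root mounted read-only from a live CD. This example uses sha256sum rather than the md5 he mentions (a choice made here, not in the thread), and the manifest format (`<hash>  <path relative to the root>`) and the demo directories are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Record hashes of system binaries on a
# trusted host and compare them against a suspect root mounted from a live CD.
# Assumes GNU sha256sum; paths in the manifest contain no whitespace.

# Build a manifest for the given root and list of relative paths.
# Run this on the trusted, patched system of the same release.
make_manifest() {
    root=$1; shift
    for p in "$@"; do
        h=$(sha256sum -- "$root/$p" | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "$p"
    done
}

# Verify a suspect root against a manifest. Prints "MISMATCH <path>" for a
# changed file and "MISSING <path>" for an absent one; returns the count.
verify_manifest() {
    manifest=$1
    root=$2
    problems=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
            problems=$((problems + 1))
            continue
        fi
        actual=$(sha256sum -- "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $path"
            problems=$((problems + 1))
        fi
    done < "$manifest"
    return "$problems"
}

# Constructed demo: a trusted root with stand-in files for ls, ps and who, and
# a suspect root where ps differs and who is absent. Prints the findings.
demo_run() {
    work=$(mktemp -d)
    trusted=$work/trusted
    suspect=$work/suspect
    mkdir -p "$trusted/bin" "$suspect/bin"
    for b in ls ps who; do
        printf 'good %s\n' "$b" > "$trusted/bin/$b"
    done
    cp "$trusted/bin/ls" "$suspect/bin/ls"          # unchanged on the suspect
    printf 'altered ps\n' > "$suspect/bin/ps"        # differs on the suspect
    # bin/who is deliberately absent on the suspect root
    make_manifest "$trusted" bin/ls bin/ps bin/who > "$work/manifest"
    status=0
    verify_manifest "$work/manifest" "$suspect" || status=$?
    echo "problems: $status"
    rm -rf "$work"
}

demo_run
```

In real use the manifest is written on the trusted host and copied to read-only media along with the live CD, so neither the hashing tool nor the reference values come from the suspect disk; the same loop can cover the cron and at spool directories Wayne mentions by adding their files to the path list.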