Another interesting hack

I have a spare server as well sitting around, and I was surprised to see what I found. I found an extra user in the /etc/passwd file that had shell access (I did not add this person), and they created an account within the Plesk setup (/usr/local/psa/home/vhosts/theirfakedomain/).

Inside, of course, was some warez. I checked the access to the server and they only accessed it by FTP, and I also found something they created in the crontab, which was /usr/lib/sa, some sort of encrypted script that appeared to be running every 10 minutes; it was deleting any backups I put on the server and also logged anyone out of SSH at the time of execution. I searched and did scans for rootkits and there weren't any that I could see, and from what I could tell they never got root access, because they never changed passwords or messed with the server except for the couple of files I had on there and, of course, their uploads.

So, how did they create the user within Red Hat, especially if they never got root access? Or did they, and are they hiding it?
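The two findings in the post (an unexpected interactive account in /etc/passwd and a cron job pointing at an odd path) are exactly the kind of thing a quick audit script can surface. The following is an added example, not code from the original post or from Plesk; the passwd and crontab contents are constructed samples, and `KNOWN_ACCOUNTS` and `EXPECTED_CRON_DIRS` are assumed baselines an admin would tune for their own host.

```python
"""Added example: audit an /etc/passwd-style listing and cron lines for
login-capable accounts outside a baseline, extra UID-0 accounts, and cron
jobs whose command lives outside the usual binary directories."""

# Constructed sample passwd data: standard system accounts plus one
# interactive account the admin did not create.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
psaadm:x:2523:2523:Plesk admin:/usr/local/psa/admin:/sbin/nologin
webuser:x:10001:2524::/home/webuser:/bin/bash
"""

# Constructed sample crontab; the /usr/lib/sa path mirrors the one named in the post.
SAMPLE_CRON = """*/10 * * * * /usr/lib/sa
0 3 * * * /usr/bin/mysqldump --all-databases > /var/backups/db.sql
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
KNOWN_ACCOUNTS = {"root"}  # assumption: the admin's own list of expected shell accounts
EXPECTED_CRON_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/local/bin/")


def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess
        name, _pw, uid, gid, _gecos, home, shell = fields
        yield name, int(uid), int(gid), home, shell


def unexpected_shell_accounts(text, known=KNOWN_ACCOUNTS):
    """Accounts with an interactive shell that are not in the admin's baseline."""
    return [
        (name, uid, shell)
        for name, uid, _gid, _home, shell in parse_passwd(text)
        if shell not in NOLOGIN_SHELLS and name not in known
    ]


def extra_uid0_accounts(text):
    """Any UID-0 account other than root: a planted account with root privileges."""
    return [name for name, uid, *_ in parse_passwd(text) if uid == 0 and name != "root"]


def suspicious_cron_jobs(text, expected=EXPECTED_CRON_DIRS):
    """Cron lines whose command does not start in a standard binary directory."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # five schedule fields, then the command
        if len(parts) < 6:
            continue
        command = parts[5].split()[0]
        if not command.startswith(expected):
            hits.append(line)
    return hits


if __name__ == "__main__":
    # On a real host you would read /etc/passwd and `crontab -l` output instead.
    print("Unexpected shell accounts:", unexpected_shell_accounts(SAMPLE_PASSWD))
    print("Extra UID-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("Suspicious cron jobs:", suspicious_cron_jobs(SAMPLE_CRON))
```

Running it against the constructed samples flags `webuser` (a bash login the baseline does not list) and the `*/10 * * * * /usr/lib/sa` job, while the nightly mysqldump job passes. On a live system, feed it the real /etc/passwd, the per-user crontabs under /var/spool/cron and the files in /etc/cron.d, and compare the results against a known-good copy taken at build time rather than trusting the current host's own baseline.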
