LinuxQuestions.org
Old 11-22-2004, 08:38 AM   #1
cosmic_user
LQ Newbie
 
Registered: Nov 2004
Posts: 1

Rep: Reputation: 0
Is an invisible user possible?


Hi,


I just got Suse installed a few weeks ago, and don't have much idea as to how to handle it. My computer is new, and a guy from school was supposedly helping me fix a problem. He made me log into Linux, write my root pass and created an account for himself (I think he gave himself root privileges).

Later I tried to delete it (using a command I found on the built-in manuals), but it told me it was impossible. One night, my computer suddenly got turned off (by a remote admin, as it informed me).

After that I could no longer see his account, so I thought he (or I, after I rebooted) had deleted it. However, today I tried to turn off my computer, and it told me I should not since someone else was also logged in.

I used to have a virus, but I think I got rid of it (using F-prot antivirus, now it tells me I am virus-free).

I asked a friend to have a look and he told me it looks to him that there is only one root password for my linux. However, he might be wrong. My question is: is it possible that there is an account left that is invisible?


The guy I suspect works in the IT department of my university, and has all my MACs and whatever other numbers there are to have.

Oh, one more thing: all this trouble happened while I was in Windows, but I thought, since you can access Windows from Linux with no problems, it is the same as happening in Linux.

So what do you think? Is it a virus or is he really messing with my computer, and what can I do about it?



Thanks,


linux user in distress
 
Old 11-22-2004, 08:47 AM   #2
rjlee
Senior Member
 
Registered: Jul 2004
Distribution: Ubuntu 7.04
Posts: 1,991

Rep: Reputation: 76
You cannot have two root users, although there are various packages that will allow you to elevate the permissions of one user in key areas.

A virus is very unlikely, but it does sound like someone has installed a root kit on your system. You might want to try a root-kit checker: http://www.chkrootkit.org/

Also, make sure the firewall is set up and running, and install any available updates from YOU.
 
Old 11-22-2004, 12:24 PM   #3
marghorp
Senior Member
 
Registered: Jan 2004
Location: Slovenia
Distribution: Slackware 10.1, SLAX to the MAX :)
Posts: 1,040

Rep: Reputation: 45
Accessing a Linux filesystem from Windows is not possible without the proper drivers. So if you don't have such drivers installed in Windows, access to the Linux filesystem is not possible.
 
Old 11-22-2004, 06:03 PM   #4
hostprotect
Member
 
Registered: Nov 2004
Posts: 56

Rep: Reputation: 15
It is possible to have an invisible "root" user via vicious Linux kernel modules.

i.e. suckit.
 
Old 11-22-2004, 06:25 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by hostprotect
It is possible to have an invisible "root" user via vicious Linux kernel modules.

i.e. suckit.
Not to nitpick, but suckit is actually a /dev/kmem rootkit rather than an LKM (loadable kernel module) rootkit (see Phrack 58 for the details).
 
Old 11-22-2004, 07:03 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
@cosmic_user
You should never give your root password to someone you do not absolutely trust; in fact you shouldn't give it out to anyone at all. If you have given them root access and have reason to believe they may be accessing your system without authorization, then you really have no option but to format the system and re-install from scratch. Someone with root access can install rootkits, hidden backdoors, trojaned commands, etc. that can be extremely difficult to detect and remove, so you can never really be 100% sure that your system is secure. Plus, any actions they perform using your system could be blamed on you unless you can prove otherwise.
 
Old 11-23-2004, 04:13 PM   #7
hostprotect
Member
 
Registered: Nov 2004
Posts: 56

Rep: Reputation: 15
Quote:
Originally posted by Capt_Caveman
Not to nitpick, but suckit is actually a /dev/kmem rootkit rather than an LKM (loadable kernel module) rootkit (see Phrack 58 for the details).
Oh yeah, my bad. I'm thinking of KIS.


/me gives my head a shake
 
Old 11-26-2004, 01:02 PM   #8
lnxconvrt
Member
 
Registered: Mar 2002
Location: Houston
Distribution: FC3, Mandrake 10.x, various others at times
Posts: 113

Rep: Reputation: 18
Re: Is an invisible user possible?

Quote:
Originally posted by cosmic_user
Later i tried to delete it (using a command i found on the built-in manuals), but it told me it was impossible.
I assume you tried "userdel" as root? That command should work unless, possibly, the user was currently logged in.
Quote:
One night, my computer suddenly got turned off (by a remote admin, as it informed me)
This was when booted into Linux? I ask because this later comment makes it a bit unclear:
Quote:
all this trouble happened while i was in windows
...but I suppose that you refer to the virus issue.
Quote:
After that I could no longer see his account, so I thought he (or I, after I rebooted) had deleted it.
Sounds to me like he installed a root kit, as suggested by others. If so, the new kernel would take effect after rebooting.
Quote:
However, today I tried to turn off my computer, and it told me I should not since someone else was also logged in.
I'm not an expert, but if you could not detect anyone with "who" or other user processes with "ps -e" it really sounds like you've been rooted.
Quote:
is it possible that there is an account left that is invisible?
As others have noted, given a root kit, yes.
BTW, even if you changed root passwords, the bad guy might have had root even before installation of a root kit. If he changed his uid to 0 that would give him root. That's one simple way. Try
$ grep 'x:0:' /etc/passwd
root:x:0:0:root:/root:/bin/bash

If you see more than one entry with a "0" right after the "x:" then you'd better be concerned.
Quote:
...what can I do about it?
Get any data that you don't want to lose off of your box, blow away the Linux partition and reinstall. The consensus of people who know more about this stuff than I do seems to be that if you've been owned that's the only way to make sure to get rid of the bad guy.

Sorry.

Then read all that you can in this forum, set things up securely, etc. Turn off any service that listens for network connections that you don't need, lock things down, etc. Although probably this guy's not that smart, just took advantage of your openness.

One more thought:
Quote:
The guy I suspect works in the IT department of my university, and has all my MAC's and whatever other numbers there is to have.
I'd be tempted to log connection attempts (might be on an odd port) and see if I could trace his IP address... it might be possible to trace it back to him. Probably difficult and maybe cause you more trouble than it's worth, though.

Good luck.
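The UID-0 check from the post above, carried a step further as an added example (this is not code from the thread or from any poster). The post's grep pattern only catches entries whose password field is literally "x"; keying on the third field of /etc/passwd finds a UID-0 account regardless of what sits in the password field. The sample passwd content is constructed for the demonstration.

```shell
#!/bin/sh
# Audit a passwd-format file for accounts that share UID 0 with root.
# Field 3 is the numeric UID, so we test it directly instead of matching
# the text "x:0:", which assumes the password field is exactly "x".

# Print the login name of every UID-0 account in the given file.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print how many UID-0 accounts the file contains (0 if none).
uid0_count() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Succeed only if root is the one and only UID-0 account.
check_single_root() {
    [ "$(uid0_count "$1")" -eq 1 ] && [ "$(uid0_accounts "$1")" = "root" ]
}

# Constructed sample: "toor" is a plain second UID-0 entry, while "backup"
# has UID 0 behind a "*" password field, which 'grep x:0:' does not match.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
backup:*:0:34:backup:/var/backups:/bin/sh
alice:x:1000:100:Alice:/home/alice:/bin/bash
EOF

main() {
    echo "grep 'x:0:' finds: $(grep -c 'x:0:' "$SAMPLE") entries"
    echo "UID-0 accounts:    $(uid0_accounts "$SAMPLE" | tr '\n' ' ')"
    if check_single_root "$SAMPLE"; then
        echo "OK: only root has UID 0"
    else
        echo "WARNING: additional UID-0 accounts present"
    fi
}
main
rm -f "$SAMPLE"
```

Run it against the real file with `uid0_accounts /etc/passwd`; on a clean system the only line printed is `root`.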
 