Possibly infected passwd file?

br5dy · Post by **br5dy** » Wed Apr 11, 2018 12:49 pm

Can someone please post an ORIGINAL /etc/passwd file that VestaCP installer sets up? After this recent infection, I'm seeing some new users that look suspicious. Thanks!

Here's what my file looks like. Anything look suspicious??? I've obfuscated known users.

yoko eagle · Post by **yoko eagle** » Wed Apr 11, 2018 2:47 pm

br5dy wrote: ↑
Wed Apr 11, 2018 12:49 pm
Can someone please post an ORIGINAL /etc/passwd file that VestaCP installer sets up? After this recent infection, I'm seeing some new users that look suspicious. Thanks!

Here's what my file looks like. Anything look suspicious??? I've obfuscated known users.

You can do fresh install yourself and then compare the files.
I think no one will post their password file here.

br5dy · Post by **br5dy** » Wed Apr 11, 2018 4:44 pm

Okay, FYI, anybody else noticed RSYSLOG being installed or is this part of VestaCP?

I went ahead and disabled it using these instructions. Not sure if this is a third party service that uses this or if the trojan was sending syslog data to a remote server....

Post by **skamasle** » Wed Apr 11, 2018 5:39 pm

Why you think is infected ?

If you have all in false or no-login shell no access from ssh can be made from that users

Vesta Control Panel - Forum