
Possibly infected passwd file?

Posted: Wed Apr 11, 2018 12:49 pm
by br5dy
Can someone please post an ORIGINAL /etc/passwd file that VestaCP installer sets up? After this recent infection, I'm seeing some new users that look suspicious. Thanks!

Here's what my file looks like. Anything look suspicious??? I've obfuscated known users.

[Image: screenshot of the poster's /etc/passwd, not reproduced]

Re: Possibly infected passwd file?

Posted: Wed Apr 11, 2018 2:47 pm
by yoko eagle
br5dy wrote:
Wed Apr 11, 2018 12:49 pm
Can someone please post an ORIGINAL /etc/passwd file that VestaCP installer sets up? After this recent infection, I'm seeing some new users that look suspicious. Thanks!

Here's what my file looks like. Anything look suspicious??? I've obfuscated known users.
You can do a fresh install yourself and then compare the files.
I think no one will post their password file here.

Re: Possibly infected passwd file?

Posted: Wed Apr 11, 2018 4:44 pm
by br5dy
Okay, FYI, has anybody else noticed RSYSLOG being installed, or is this part of VestaCP?

I went ahead and disabled it using these instructions. Not sure if this is a third-party service that uses it, or if the trojan was sending syslog data to a remote server....

Re: Possibly infected passwd file?

Posted: Wed Apr 11, 2018 5:39 pm
by skamasle
Why do you think it is infected?

If all of them have /bin/false or a no-login shell, no SSH access can be made from those users.
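The two checks suggested in this thread, comparing against a known-good passwd file and looking at which accounts have a login shell, can be scripted so the comparison is not done by eye. The script below is an added example and is not code from VestaCP or from anyone in this thread. It parses passwd(5) lines, diffs the current file against a baseline taken from a fresh install, and flags entries a responder would want to look at: a UID 0 account that is not root, two accounts sharing a UID, a system account (UID below 1000, an assumed cut-off that varies by distribution) with an interactive shell, and a password field that is not the "x" placeholder, meaning an empty or inline password rather than a shadow entry. The set of no-login shells and both sample passwd files are constructed for the example.

```python
"""Triage an /etc/passwd file: diff it against a known-good baseline and
flag login-capable or otherwise odd accounts.

Added example, not code from VestaCP or from the forum thread.  The
SYSTEM_UID_MAX cut-off, the NOLOGIN_SHELLS set and both passwd samples
below are assumptions constructed for illustration.
"""

# Shells that do not give an interactive login (assumed list; extend for your distro).
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}
# First UID of a "normal" user; Debian/Ubuntu and recent RHEL use 1000 (assumption).
SYSTEM_UID_MAX = 1000


def parse_passwd(text):
    """Parse passwd(5) text into {username: fields}.

    Lines that do not have exactly seven colon-separated fields, or whose
    UID/GID are not integers, are returned separately as (lineno, line)
    rather than silently dropped: a tampered file may well contain them.
    """
    users, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            bad.append((lineno, line))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            bad.append((lineno, line))
            continue
        users[name] = {"pw": pw, "uid": uid, "gid": gid,
                       "gecos": gecos, "home": home, "shell": shell}
    return users, bad


def diff_against_baseline(baseline, current):
    """Return (added, removed, changed) usernames between two parsed files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current)
                     if baseline[n] != current[n])
    return added, removed, changed


def find_suspicious(users):
    """Return [(username, reason)] for entries worth a second look."""
    findings, seen_uids = [], {}
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 but not root"))
        if u["pw"] != "x":
            # Anything but "x" means no shadow lookup: empty field = no password.
            findings.append((name, f"password field is {u['pw']!r}, not 'x'"))
        if u["shell"] not in NOLOGIN_SHELLS and 0 < u["uid"] < SYSTEM_UID_MAX:
            findings.append((name, f"system account with login shell {u['shell']}"))
        if u["uid"] in seen_uids:
            findings.append((name, f"duplicate uid {u['uid']} shared with {seen_uids[u['uid']]}"))
        else:
            seen_uids[u["uid"]] = name
    return findings


# Constructed sample: what a fresh install might contain (not a real VestaCP file).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
"""

# Constructed sample of a tampered file: backup given a shell, a second UID-0
# user, a passwordless user and a truncated line.
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
toor:x:0:0::/root:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
broken:x:1002
"""


def triage(baseline_text, current_text):
    """Run both checks and return a dict with the results."""
    base, _ = parse_passwd(baseline_text)
    cur, bad = parse_passwd(current_text)
    added, removed, changed = diff_against_baseline(base, cur)
    return {"added": added, "removed": removed, "changed": changed,
            "malformed": bad, "findings": find_suspicious(cur)}


if __name__ == "__main__":
    import sys
    # Usage: python triage_passwd.py baseline_passwd /etc/passwd
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as b, open(sys.argv[2]) as c:
            result = triage(b.read(), c.read())
    else:
        result = triage(BASELINE_PASSWD, CURRENT_PASSWD)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Against the constructed samples the diff reports guest and toor as added and backup as changed, and the findings list flags backup for its new /bin/bash shell, toor for being UID 0 and sharing that UID with root, and guest for the empty password field; the truncated "broken" line is reported as malformed instead of being ignored. Run it with your own fresh-install passwd file as the baseline; a missing or reused no-login shell is only one of the things worth checking.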