Old 03-02-2006, 03:42 PM   #1
z3r0star21
LQ Newbie
 
Registered: Oct 2003
Location: Nashville
Distribution: Gentoo
Posts: 14

Rep: Reputation: 0
Suspicious user added with root privileges


I have a server that I am the admin of, and I noticed a user had been added to the system that I did not create. I am the only one who adds or removes users. To me this is a good indication that the security of the system has been compromised. I don't know of anything that you could install that would create a user on your system with root privileges. Am I right to feel like this system has been broken into?

This was added to my /etc/passwd file

sor:x:0:0:root:/root:/bin/bash

I am a newbie when it comes to Linux security. I believe I need to look through the system logs to look for anything suspicious. Where do I go from there to find out if my system is being broken into?

Thank you.
 
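The entry in the post above is the whole problem in one line: the kernel only looks at the numeric UID, so `sor:x:0:0:...` is root under a second name, whatever the account is called. The following is an added example, not part of the original thread, of a check for that: it reports any UID 0 account other than root and any UID shared by more than one account. The sample passwd file is constructed inline (it copies the poster's `sor` line) so the script runs offline; point it at `/etc/passwd` to check a real box.

```bash
#!/bin/bash
# Added example: audit a passwd file for accounts that are effectively root.
# Any UID 0 entry other than "root", and any UID that appears more than once,
# deserves an explanation before anything else is done on the box.

# Print every UID 0 account whose name is not "root", one per line.
# $1 = passwd file (defaults to /etc/passwd).
uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Print UIDs that occur more than once (root and an alias share UID 0,
# but a duplicated non-zero UID is also worth a look).
duplicate_uids() {
    awk -F: '{ print $3 }' "${1:-/etc/passwd}" | sort -n | uniq -d
}

# Report findings on stdout. Returns 0 if the file looks clean, 1 otherwise.
audit_passwd() {
    local file="${1:-/etc/passwd}" rc=0 aliases dups uid
    aliases=$(uid0_aliases "$file")
    if [ -n "$aliases" ]; then
        echo "UID 0 accounts other than root: $(echo "$aliases" | tr '\n' ' ')"
        rc=1
    fi
    dups=$(duplicate_uids "$file")
    for uid in $dups; do
        echo "UID $uid shared by: $(awk -F: -v u="$uid" '$3 == u { printf "%s ", $1 }' "$file")"
        rc=1
    done
    return $rc
}

# Constructed sample passwd file mirroring the entry from the post, so the
# script runs without touching the real /etc/passwd.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sor:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

if audit_passwd "$SAMPLE_PASSWD"; then
    echo "passwd looks clean"
else
    echo "passwd needs a look"
fi
```

Run it against `/etc/passwd` as `audit_passwd /etc/passwd`; a non-zero exit status means something was reported. Worth remembering that `/etc/passwd` is not the only place an intruder can park a privileged account: check `/etc/shadow` for entries that have no passwd counterpart, and `/etc/sudoers` plus `/etc/group` (membership in `wheel` or `sudo`) for the same kind of quiet addition.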
Old 03-02-2006, 03:51 PM   #2
pAn1k
Member
 
Registered: Jun 2004
Location: Cala city
Distribution: Suse 10.0; Debian 5.0 (Lenny) Fluxbox
Posts: 240

Rep: Reputation: 30
On the command line, type tail -f /var/log/messages |grep "insert criteria here". That should give you some info that you could use. I would grep for "sor" or something like that. Good luck.
 
Old 03-02-2006, 03:53 PM   #3
pAn1k
Member
 
Registered: Jun 2004
Location: Cala city
Distribution: Suse 10.0; Debian 5.0 (Lenny) Fluxbox
Posts: 240

Rep: Reputation: 30
Also, I am curious as to how/why you're a sysadmin and still a "newbie" at basic security. I'm not trying to be a dick or anything, just curious.
 
Old 03-02-2006, 05:02 PM   #4
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168Reputation: 168
That's a suspicious looking passwd entry. I'm basing all of the following on the assumption that the sor account shouldn't be there...

Have you removed the sor entry from /etc/passwd and changed the root account's password? I'd also take the box off the network and backup all of the data on it. Try running ps auxfww (or your favourite ps command) and look for suspicious processes.

The person who created the account may not have covered their tracks. Have a look in /var/log/secure for entries about adding the user account. If you can get the date/time the account was created, it cuts down on the volume of checking you have to do. Look through your logs for emails sent by the account, for logins by the account and then search the hard disk for files created since that date. From memory, something like the following will return all files created in the last 2 days by the user with userid 0. Note that your root account also has a userid of 0, so be prepared for some false positives:
Code:
find / -type f -uid 0 -mtime -2 -print
Check all of the files in the /root directory. You can use ls -AlR to show them and make sure you know what every one of them is there for.

I'm sure other people here will have more suggestions based on their experiences with this situation.

Don't delete anything until you've tried everything you can think of to identify what has happened. After you've done that, take an image of the box in case you need something from it later.

When you decide to rebuild the box, do it disconnected from the network. Get some info on securing your box, read it, discuss it with people, come up with a plan and secure the box.

Like I said earlier, I'm only assuming there's a problem - I don't mind being called a pessimist though...
 
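The log work in the post above (find the useradd entry, get the creation time, then look for logins by the account) is easy to script. What follows is an added example, not code from the thread, that pulls the account-management events for a given name out of an auth log, extracts the syslog timestamp of the line that created it, and lists the source addresses that logged in as a given user over SSH. The log lines are constructed to look like shadow-utils and OpenSSH syslog output (hostname `web1`, addresses from the documentation ranges); real lines vary by version and distribution, and on Debian-style systems the file is `/var/log/auth.log` rather than `/var/log/secure`.

```bash
#!/bin/bash
# Added example: triage an auth log for a suspicious account.
# Assumes the usual syslog line shape "Mon DD HH:MM:SS host prog[pid]: msg".

# Lines written by the shadow-utils tools (useradd/usermod/userdel/passwd/chage)
# that mention the account as a whole word.  $1 = log file, $2 = account name.
account_events() {
    grep -E "(useradd|usermod|userdel|passwd|chage)\[[0-9]+\]:" "$1" | grep -wF -- "$2"
}

# Syslog timestamp ("Mon DD HH:MM:SS", the first 15 columns) of the line
# that created account $2.  Empty if no "new user:" line was found.
creation_time() {
    account_events "$1" "$2" | grep -F "new user:" | head -n 1 | cut -c1-15
}

# Deduplicated source addresses of successful SSH logins as user $2.
login_sources() {
    grep -E "sshd\[[0-9]+\]: Accepted [a-z-]+ for $2 from " "$1" \
      | sed -E 's/.* from ([0-9a-fA-F.:]+) port .*/\1/' | sort -u
}

# Constructed sample log: an admin key login, then a root password login from
# an unfamiliar address, the account creation, and the new account logging in.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 22:58:11 web1 sshd[4102]: Accepted publickey for admin from 192.0.2.10 port 40122 ssh2
Mar  1 23:12:40 web1 sshd[4170]: Accepted password for root from 203.0.113.7 port 51234 ssh2
Mar  1 23:14:02 web1 useradd[4182]: new user: name=sor, UID=0, GID=0, home=/root, shell=/bin/bash
Mar  1 23:14:09 web1 passwd[4185]: pam_unix(passwd:chauthtok): password changed for sor
Mar  1 23:20:31 web1 sshd[4201]: Accepted password for sor from 203.0.113.7 port 51302 ssh2
Mar  2 08:05:17 web1 sshd[4410]: Accepted publickey for admin from 192.0.2.10 port 40310 ssh2
EOF

printf '== account events for sor ==\n'
account_events "$SAMPLE_LOG" sor
printf '== sor created at: %s\n' "$(creation_time "$SAMPLE_LOG" sor)"
for u in root sor admin; do
    printf '== %s logged in from: %s\n' "$u" "$(login_sources "$SAMPLE_LOG" "$u" | tr '\n' ' ')"
done
```

The creation timestamp is what makes the file search in the post tractable. Two caveats on that search: syslog timestamps carry no year, so add it yourself before handing the time to find, and `-mtime` tests the modification time, which an intruder can set to anything with `touch`. The inode change time cannot be reset that way, so a second pass over the same window with `-ctime` (or, with GNU find, `-newerct 'YYYY-MM-DD HH:MM'`) catches files whose mtime has been tidied up. Read the logs from a copy taken while the box was isolated; on the live system an intruder with UID 0 can have edited or truncated them already.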
Old 03-02-2006, 06:17 PM   #5
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Check /root/.bash_history too.

I suggest you chmod all the files you're going to check and read them with a non-root account. Don't run any suspicious executables you see. Use "strings" on them. Run "netstat -tanup" to check if you have a network backdoor currently running. Track down the vulnerability that the cracker exploited and it'd be best to reinstall.
 
Old 03-02-2006, 09:50 PM   #6
z3r0star21
LQ Newbie
 
Registered: Oct 2003
Location: Nashville
Distribution: Gentoo
Posts: 14

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by pAn1k
Also, I am curious as to how/why you're a sysadmin and still a "newbie" at basic security. I'm not trying to be a dick or anything, just curious.

Well, the guy who usually takes care of most of our Linux server stuff is no longer with our company, and so the responsibility is mine. And I'm just trying to do what I can, and I don't mind being put into a position where I need to learn something new to get the job done.

I have removed the account and changed the root password, and I am looking into the other things.

Thanks for the suggestions everyone.

Last edited by z3r0star21; 03-02-2006 at 10:07 PM.
 
Old 03-03-2006, 04:58 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Please read & practice

I would like to invite anyone and everyone who participated in answering this thread to please have a look at how we at LQ have tried to guide members through recovery/analysis/forensics in the past. If you search for and read a few major threads about compromises I hope you can see there are some basic procedures to go through. While procedures are often viewed as something of a bore they do allow you to focus on what's necessary, in what order and with what possible risks/results. Trying to handle a (suspected) compromise any other way is your own personal choice but will be less efficient, may introduce risks and generally be more error-prone or even counterproductive, and I would really like to see you handle those cases well.

If you are interested in handling basic recovery/analysis/forensics issues there's some basic docs in the LQ FAQ: Security references under Compromise, breach of security, detection. If you would like to practice or just read more, I'd recommend the Scan of the Month (SOM) sessions at www.honeynet.org.
 
Old 03-03-2006, 09:30 AM   #8
z3r0star21
LQ Newbie
 
Registered: Oct 2003
Location: Nashville
Distribution: Gentoo
Posts: 14

Original Poster
Rep: Reputation: 0
Thank you

Quote:
Originally Posted by unSpawn
I would like to invite anyone and everyone who participated in answering this thread to please have a look at how we at LQ have tried to guide members through recovery/analysis/forensics in the past. If you search for and read a few major threads about compromises I hope you can see there are some basic procedures to go through. While procedures are often viewed as something of a bore they do allow you to focus on what's necessary, in what order and with what possible risks/results. Trying to handle a (suspected) compromise any other way is your own personal choice but will be less efficient, may introduce risks and generally be more error-prone or even counterproductive, and I would really like to see you handle those cases well.

If you are interested in handling basic recovery/analysis/forensics issues there's some basic docs in the LQ FAQ: Security references under Compromise, breach of security, detection. If you would like to practice or just read more, I'd recommend the Scan of the Month (SOM) sessions at www.honeynet.org.
Thank you. Definitely the most helpful of responses. I will be checking out those links later today.
 
Old 03-03-2006, 12:20 PM   #9
KimVette
Senior Member
 
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794

Rep: Reputation: 46
Quote:
Originally Posted by z3r0star21
Well, the guy who usually takes care of most of our Linux server stuff is no longer with our company, and so the responsibility is mine.
Well there you go. Did he leave on bad terms or on good terms? That would be the first place to look, IMHO.
 