
After a hack, a dedicated server always returns "root" from the `whoami` command. Even after `sudo su myUser`, `whoami` returns "root".

myUser exists on the server; regarding this issue, `passwd myUser` returns `Changing password for myUser`.

Furthermore, when installing packages on the server, rights are always set as root:myUser.

What are the paths that could lead to `whoami` always returning 'root'?

GuillaumeRZ
  • What is myUser's UID? – Oskar Skog May 04 '20 at 17:24
  • The UID of "myUser" is `1000`. I have another user on this server, let's call it "mySecondUser" and UID is `10002`. The UID of "root" is `0`. – GuillaumeRZ May 04 '20 at 17:26
  • "After a hack" -- do you mean "after a creative workaround" or "after an unauthorized elevated access"? If the former, what changes were made? If the latter, perhaps it's time to burn it down & rebuild? – Jeff Schaller May 04 '20 at 17:39
  • I mean an unauthorized elevated access... The changes made by the author are totally unknown. However, our server serves lots of things that are actually impossible (task force velocity) to migrate to cloud solutions or another dedicated server. That's why I'm trying to see the different paths that could lead to my issue... – GuillaumeRZ May 04 '20 at 17:41
  • I feel compelled, anyway, to point you to this SF Q/A: https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – A.B May 04 '20 at 17:51

1 Answer


The reason might be that the whoami binary was setuid root. You can check it with `stat $(which whoami)`. On my system it looks like this:

  File: /usr/bin/whoami
  Size: 30904           Blocks: 64         IO Block: 4096   regular file
Device: 1bh/27d Inode: 13918180    Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)

If it has setuid enabled it looks like this:

  File: /usr/bin/whoami
  Size: 30904           Blocks: 64         IO Block: 4096   regular file
Device: 1bh/27d Inode: 13918180    Links: 1
Access: (6755/-rwsr-sr-x)  Uid: (    0/    root)   Gid: (    0/    root)

The effect of this bit is that the binary is being run as its owner - and not as the user who starts it.

You can disable this setting by running `sudo chmod -s $(which whoami)`.

(But yeah, as many people already wrote in the comments, you probably should reinstall the machine completely.)

YtvwlD
  • I think you got it right. I got `Change: 2020-03-05 18:07:25.500937072 +0100`, which is not from us. Access is as follows: `Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)`. After `sudo chmod -s $(which whoami)`, I got: `Access: (0755/-rwxr-xr-x)`. And `whoami` resolves to `myUser`. THANK YOU. – GuillaumeRZ May 04 '20 at 19:02
  • I think that that should not be a parenthetical at the end. It should be the very first point in the answer. The questioner's problems are far from over, and focussing on fixing the superficial output of `whoami` when someone has gone around modifying system binaries with superuser access is focussing upon the wrong thing. – JdeBP May 04 '20 at 23:49
  • Yes, of course. But in order to analyze some things, this is a required step. Thank you for your help guys! :) – GuillaumeRZ May 05 '20 at 07:04
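The answer's diagnosis generalises: a single `stat` on `whoami` finds this one binary, but after a compromise the defender's question is which files anywhere on the box carry set-user-ID or set-group-ID bits that a known-good system does not have. The script below is an added example written for this page, not code from the answer or its author. It lists setuid/setgid files under a directory with POSIX `find -perm`, shows the mode in the `-rwsr-xr-x` form the answer quotes, and compares the result against a baseline list of paths. The baseline file and the `bin/whoami`, `bin/id`, `bin/passwd` files in `demo` are constructed in a temporary directory so it runs offline without touching real system binaries.

```shell
#!/bin/sh
# Added example (not from the original post): audit set-user-ID /
# set-group-ID files under a directory tree against a known-good baseline.

# Print every regular file under $1 with the setuid or setgid bit set.
# -perm -4000 / -perm -2000 are POSIX find predicates ("at least these bits").
find_setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Show permission string, owner and group of one file in ls -l form.
# An "s" in the owner or group execute position marks setuid/setgid,
# e.g. -rwsr-xr-x for the 4755 mode quoted in the comments above.
describe_mode() {
    ls -ld "$1" | awk '{print $1, $3, $4}'
}

# Print setuid/setgid files under $1 that are absent from the baseline
# file $2 (one absolute path per line, recorded on a trusted system).
unexpected_setuid() {
    find_setuid_setgid "$1" | while IFS= read -r f; do
        grep -qxF -- "$f" "$2" || printf '%s\n' "$f"
    done
}

# Demonstration on a constructed tree; nothing outside the temp dir is changed.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    for name in whoami id passwd; do
        printf '#!/bin/sh\necho placeholder\n' > "$tmp/bin/$name"
    done
    chmod 0755 "$tmp/bin/id"       # normal binary
    chmod 4755 "$tmp/bin/passwd"   # passwd is legitimately setuid root
    chmod 4755 "$tmp/bin/whoami"   # whoami never should be (the case in the question)
    printf '%s\n' "$tmp/bin/passwd" > "$tmp/baseline.txt"   # constructed baseline

    echo "setuid/setgid files:"
    find_setuid_setgid "$tmp/bin"
    echo "whoami mode before: $(describe_mode "$tmp/bin/whoami")"
    echo "not in baseline (suspicious):"
    unexpected_setuid "$tmp/bin" "$tmp/baseline.txt"
    chmod -s "$tmp/bin/whoami"     # the fix from the answer
    echo "whoami mode after:  $(describe_mode "$tmp/bin/whoami")"
    rm -rf "$tmp"
}

demo
```

On a real Debian or RPM system the baseline does not have to be hand-written: `dpkg --verify` and `rpm -Va` report files whose mode differs from the installed package's metadata, which is the fastest way to confirm whether a changed bit like the one on `whoami` came from a package or from someone else. Either way, the output is evidence for the investigation the comments call for, not a substitute for rebuilding the host.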