Strange situation - possible rootkit!?

akadi81 (Verified User, joined Feb 26, 2015, 63 messages)
Hello,

I have been using DirectAdmin for many years and right now I have no clue what is going on.

CentOS 7 (EOL), DA legacy.
I have one user account with one MariaDB database. There are 2 MariaDB users, let's say: user and user_db.
And randomly a new user appears, like user_uidsniduenjnfndurujdUuYgGyhNj.

This new user has access to the user_db database and the host is set to localhost and %. The server binds to 127.0.0.1 only, so access from outside is not possible.

I remove the user and it reappears within 1-8 hours.
No rootkit found, no suspect processes found for that user.
No other user with this issue.

I started to log all queries and it seems the user is not appearing anymore, so I guess the malware is checking whether the general log is enabled or not.
An OS reinstall is scheduled soon.
Any other idea?
I would like to find the problem before reinstall.

Thank you.
 
Hello,

Do you have passwordless access to phpMyAdmin from DirectAdmin enabled?

Yes. It seems that there is no problem with my user. DA is creating that user for the phpMyAdmin passwordless crap.
 
I love it too. But I lost 2 nights verifying every part of the server to find the malware creating that strange username. Hosted data are valuable. Is there any mention in the docs about this behaviour? Anyway, it seems not to be a problem. Thank you for the idea.
 
Same happened here, support confirmed it is something normal... I would say those users must be hidden.
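A defender's baseline check for the symptom described in this thread, added here as an example and not code from the thread, DirectAdmin or phpMyAdmin: it diffs a snapshot of `mysql.user` rows against the accounts the admin created on purpose and explains each unexpected row. The baseline, the snapshot rows and the account names are constructed to mirror the post; a live run would feed it the output of `SELECT User, Host FROM mysql.user`.

```python
import re

# Constructed baseline: the accounts the admin created on purpose, as (user, host).
EXPECTED_ACCOUNTS = {
    ("root", "localhost"),
    ("user", "localhost"),
    ("user_db", "localhost"),
}

# Constructed snapshot standing in for the rows of
# SELECT User, Host FROM mysql.user;  (names mirror the post)
SNAPSHOT = [
    ("root", "localhost"),
    ("user", "localhost"),
    ("user_db", "localhost"),
    ("user_uidsniduenjnfndurujdUuYgGyhNj", "localhost"),
    ("user_uidsniduenjnfndurujdUuYgGyhNj", "%"),
]


def derived_from(name, known_users):
    """Return the known account this name is built on (known + '_' + suffix), or None."""
    # Longest known name first, so 'user_db_x' maps to 'user_db', not 'user'.
    for known in sorted(known_users, key=len, reverse=True):
        if name.startswith(known + "_") and len(name) > len(known) + 1:
            return known
    return None


def audit_accounts(snapshot, expected):
    """Diff a mysql.user snapshot against the baseline and explain each unexpected row."""
    known_users = {user for user, _ in expected}
    findings = []
    for user, host in snapshot:
        if (user, host) in expected:
            continue
        reasons = []
        if host == "%":
            reasons.append("wildcard host: reachable from any address if the bind changes")
        base = derived_from(user, known_users)
        if base:
            reasons.append(f"name derived from known account '{base}'")
        suffix = user[len(base) + 1:] if base else user
        if len(suffix) >= 16 and re.fullmatch(r"[A-Za-z0-9]+", suffix):
            reasons.append("long random-looking suffix (typical of generated helper accounts)")
        findings.append({"user": user, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SNAPSHOT, EXPECTED_ACCOUNTS):
        print(f"{f['user']}@{f['host']}: " + "; ".join(f["reasons"]))
```

Run it from cron after each panel change and alert on any non-empty result; once an account is confirmed to be the panel's own helper, add it to the baseline instead of deleting it.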