Bogus user accounts (possible hack)

prubin73
Level 1
Posts: 23
Joined: Fri Jan 29, 2010 6:41 pm

Bogus user accounts (possible hack)

Post by prubin73 »

I've googled this quite a bit but not found a solution.

Yesterday my office PC (Mint Helena) suddenly stopped accepting my password. I eventually found the right way to reset it, and got access again. There should only be two accounts on it, root (UID 0) and me (UID 1000). Running Administration > Users and Groups today, I find two other accounts ("dorian" and "oracle"), both with UID = 0. They each belong to a group of the same name. I cannot delete either the user accounts or group accounts from Users and Groups. If I run 'sudo deluser dorian', Mint warns me that I'll be deleting the root account. If I try to do it anyway with the --force option, I'm blocked because the account is allegedly logged in. If I try 'sudo skill -KILL -u dorian' or 'sudo pkill -KILL -u dorian', nothing happens. The same is true of the oracle account.

I tried changing the UIDs of the accounts (in Users and Groups) but the UIDs keep reverting to 0. I also tried resetting their passwords, but I can't tell if that worked (and given that the new UIDs didn't stick, I'm skeptical about the new passwords).

The PC sits behind a relatively anal firewall, I haven't installed anything from an unreliable source, and I don't think I've opened any shady e-mail attachments (which typically don't target Linux users in any case), but those two accounts sure look worrisome. Anybody have a solution less draconian than a mind-wipe of the PC?

Thanks,
Paul
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
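The situation prubin73 describes (extra accounts sharing UID 0, which the GUI and deluser then treat as root) is easy to audit from the command line. The following is an added example, not something posted in the thread: a small bash audit that lists every passwd entry with UID 0 other than root. The passwd text embedded in it is constructed to mirror the post (root, a UID 1000 user, and two extra UID 0 entries); with no argument the functions read the live /etc/passwd instead.

```bash
#!/usr/bin/env bash
# Added example (not from the forum post): find root-equivalent accounts.
# Any passwd entry with UID 0 has full root privileges regardless of its
# name, so "dorian:x:0:0:..." is simply root under another login name.

# Constructed sample in /etc/passwd format, modelled on the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
paul:x:1000:1000:Paul:/home/paul:/bin/bash
dorian:x:0:0::/home/dorian:/bin/bash
oracle:x:0:0::/home/oracle:/bin/bash'

# Print the login name of every UID 0 account except root, one per line.
# $1: passwd-format text; when empty, the real /etc/passwd is read.
uid0_accounts() {
  local data="${1:-$(cat /etc/passwd)}"
  printf '%s\n' "$data" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Number of such accounts; 0 means the file is clean on this point.
uid0_count() {
  local data="${1:-$(cat /etc/passwd)}"
  printf '%s\n' "$data" |
    awk -F: '$3 == 0 && $1 != "root" { n++ } END { print n + 0 }'
}

# Stand-alone use: audit the constructed sample, then the real system.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "Extra UID 0 accounts in sample: $(uid0_count "$SAMPLE_PASSWD")"
  uid0_accounts "$SAMPLE_PASSWD"
  echo "Extra UID 0 accounts on this host: $(uid0_count)"
  uid0_accounts
fi
```

Two caveats when acting on the output. Name-to-UID lookups such as `id -u dorian` resolve to 0, so `pkill -u dorian` or `deluser --force dorian` operate on UID 0, i.e. on root itself, which is why the tools in the thread refuse or warn; edit such entries with `vipw` (and `vigr` for the matching group) rather than through tools that work by UID. Also check `/etc/shadow` for the same names, and compare the file against a known-good package list or backup: an unexplained UID 0 account is a strong indicator that the host can no longer be trusted, which is the reason the thread ends with a reinstall.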
Husse

Re: Bogus user accounts (possible hack)

Post by Husse »

I don't really know what has happened, but it does not look like something I would like to have in my system.
If you have a separate home or a separate data partition, I think a fresh install would be the way to go.
To avoid extra work, go into Synaptic and open the File menu > Save markings as, and mark "Save full state", not only changes.
That saves what you have installed to a file which you can import into the new Synaptic and let it automatically install everything again.
Depending on the speed of your system and connection, you'd be back in an hour or so.
If you have a separate home, go through it in case there is something nasty in there.
richyrich

Re: Bogus user accounts (possible hack)

Post by richyrich »

The only thing I can think of is that you are connecting to an Oracle database/server, and that "dorian" is the sysadmin . . . in which case they would automatically be created as users/groups, and needed for your database connection.
scott_R

Re: Bogus user accounts (possible hack)

Post by scott_R »

Could be bad user accounts, but as it's a work computer, I'd bet it's just that the installations for Oracle and Dorian (a network security company) mapped to the root account. This is usually to make things compatible with NFS or other network setups. If you wipe out the Oracle account, you lose access to the company database, if you remove Dorian, you kill your access to the company network.

It also means they're probably logging your activities, so unless you're in a position to make such decisions, they're probably not going to be happy that you're playing around with these items. Even if you don't use the database in your position, it might have been set up by default, for future expansion.

Of course, if your company has no Oracle or Dorian software, then it's time to dig deeper and figure out what happened. Best to check with IT (or your boss if it's a small company) before you start removing things. :)
Husse

Re: Bogus user accounts (possible hack)

Post by Husse »

"my office PC"
Completely missed that, and I would have given a slightly different answer if I'd noticed it before I answered.
I must slow down a bit; I think I have answered 50+ posts today :)
The answer by scott_R is very plausible.
prubin73
Level 1
Posts: 23
Joined: Fri Jan 29, 2010 6:41 pm

Re: Bogus user accounts (possible hack)

Post by prubin73 »

Thanks for all the responses. I probably should have mentioned that I'm at a university (business school). Our b-school is primarily a Windows shop, so the network guys let me do my own thing with my office PC. In particular, they don't have log-in privileges on my office PC (since I don't go through our domain controller), which means they couldn't have installed any accounts. We don't have any Oracle databases. I recently got them to set up a virtual server for me (the host OS is Ubuntu but the VM is running on a Windows box), so I need to check and make sure that the new accounts weren't somehow related to that (don't see how). I also need to make sure the virtual server isn't sporting any bogus accounts.

Thanks also for the tip on reloading the OS. I do in fact have my home on a separate partition. Between updates from my Helena install CD to the latest versions and application reinstallation, it might take a while, but I'm really reluctant to have any accounts on that machine that I didn't create.

I appreciate the suggestions.

/Paul
prubin73
Level 1
Posts: 23
Joined: Fri Jan 29, 2010 6:41 pm

Re: [SOLVED] Bogus user accounts (possible hack)

Post by prubin73 »

Reloaded the OS and got rid of the bogus accounts. Husse's tip on Synaptic markings sped up the process considerably. Thanks all.