Hi,

A user 'systemd' was created with root privileges on FreeBSD. Once we started digging into this, we found the .bash_history file under his home directory, which he had created in /lib/.systemd; his history showed that he downloaded some log tamper script in order to hide his presence, but fortunately he wasn't able to install it (some binary error occurred). What is more interesting is that, generally, when you create a user via root, the following log entry is created in userlog:

Code:
userlog:2016-02-25 22:36:55 [root:useradd] systemd(6) home /myuser made

But when we checked the creation log of that mysterious 'systemd' user, this is what we found:

Code:
userlog:2016-02-25 22:36:55 [unknown:useradd] systemd(6):wheel(0):system daemon:/lib/.systemd:/usr/local/bin/bash
userlog:2016-02-25 22:36:55 [unknown:useradd] systemd(6) home /lib/.systemd made

So 'systemd' was created by some unknown user which doesn't exist anywhere in the system. We also thought it might be a privilege-escalation vulnerability in OpenSSH used to gain root access, so here is the SSH version, but we failed to find any known vulnerability for this version:

Code:
OpenSSH_6.6.1p1, OpenSSL 1.0.1j-freebsd 15 Oct 2014

Here is the FreeBSD version:

Code:
10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401

If you guys can help me trace the issue, it'd be very helpful.
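Added example, not part of the original post and not the poster's or FreeBSD's code: a small Python triage script that parses useradd records in the userlog format visible above (`[invoker:action] account(uid):group(gid):gecos:home:shell`, with the `userlog:` prefix that grep adds) and flags the traits the 'systemd' entry shows: an invoker outside the expected admin accounts, primary group gid 0 (wheel), a system-range uid, and a hidden home directory outside the usual home trees. The set of expected invokers, the uid threshold of 1000 and the allowed home prefixes are assumptions for this example, not FreeBSD defaults. The sample input reuses the two entries quoted in the post plus one constructed benign creation for contrast.

```python
"""Triage helper for FreeBSD pw(8) userlog useradd entries (added example).

Record format as seen in the post:
    YYYY-MM-DD HH:MM:SS [invoker:action] account(uid):group(gid):gecos:home:shell
The follow-up line "... account(uid) home /path made" is recognised and skipped.
Policy values below are assumptions for this example, not FreeBSD defaults.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Optional "userlog:" prefix is what grep prints when run across /var/log.
_RECORD_RE = re.compile(
    r"^(?:userlog:)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<invoker>[^:\]]+):(?P<action>[^\]]+)\] "
    r"(?P<account>[^(\s]+)\((?P<uid>\d+)\):"
    r"(?P<group>[^(]+)\((?P<gid>\d+)\):"
    r"(?P<gecos>[^:]*):(?P<home>[^:]*):(?P<shell>.*)$"
)

# Policy knobs (assumptions for this example).
EXPECTED_INVOKERS = {"root"}               # accounts that legitimately run pw useradd
MIN_USER_UID = 1000                        # uids below this are treated as system range
ALLOWED_HOME_PREFIXES = ("/home/", "/usr/home/")


@dataclass
class UserAddRecord:
    ts: str
    invoker: str
    account: str
    uid: int
    group: str
    gid: int
    gecos: str
    home: str
    shell: str


def parse_useradd(line: str) -> Optional[UserAddRecord]:
    """Return a record for a full useradd line, or None for any other line
    (the 'home ... made' follow-up, other pw actions, unrelated log lines)."""
    m = _RECORD_RE.match(line.strip())
    if not m or m.group("action") != "useradd":
        return None
    return UserAddRecord(
        ts=m.group("ts"), invoker=m.group("invoker"),
        account=m.group("account"), uid=int(m.group("uid")),
        group=m.group("group"), gid=int(m.group("gid")),
        gecos=m.group("gecos"), home=m.group("home"), shell=m.group("shell"),
    )


def findings(rec: UserAddRecord) -> List[str]:
    """Reasons this account creation deserves a look; an empty list means nothing odd."""
    reasons = []
    if rec.invoker not in EXPECTED_INVOKERS:
        reasons.append(f"invoker '{rec.invoker}' is not an expected admin account")
    if rec.gid == 0:
        reasons.append("primary group is gid 0 (wheel), so su to root is possible")
    if rec.uid < MIN_USER_UID:
        reasons.append(f"uid {rec.uid} is in the system range")
    if not rec.home.startswith(ALLOWED_HOME_PREFIXES):
        reasons.append(f"home {rec.home} is outside the usual home directory trees")
    if any(part.startswith(".") for part in rec.home.split("/") if part):
        reasons.append(f"home {rec.home} contains a hidden path component")
    return reasons


def audit(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each account created in the log to its list of findings."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        rec = parse_useradd(line)
        if rec is not None:
            report[rec.account] = findings(rec)
    return report


# Sample input: the two entries quoted in the post plus one constructed
# benign creation for contrast.
SAMPLE_LOG = [
    "userlog:2016-02-25 22:36:55 [unknown:useradd] systemd(6):wheel(0):system daemon:/lib/.systemd:/usr/local/bin/bash",
    "userlog:2016-02-25 22:36:55 [unknown:useradd] systemd(6) home /lib/.systemd made",
    "userlog:2016-02-20 10:01:02 [root:useradd] alice(1001):alice(1001):Alice Example:/home/alice:/bin/sh",
]

if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_LOG).items():
        print(f"{account}: {'SUSPICIOUS' if reasons else 'ok'}")
        for r in reasons:
            print(f"  - {r}")
```

To run it against a real box, feed it the lines of /var/log/userlog (or the output of `grep useradd /var/log/userlog*`) instead of SAMPLE_LOG; it only reads the log, so it is safe to run on a host you are still preserving for forensics.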