
ftp_scanner installed by user test?

baden32

Guest
I have some trouble on my Suse server using Plesk:
A process ftp_scanner1 was installed and is running.

It has been installed under "/tmp/ egg" and was owned by user "test".

As I never configured the user test on my system (however it is listed in the /etc/passwd file), I have 2 questions:

1. Where is this user coming from, and how do I remove it from the system (is it OK to just remove the line in the /etc/passwd file)?

2. What should I do in order to completely remove the "installation" of the virus ftp_scanner?

Thank you in advance for your help.
Joel.
 
Hi

The user can be added/removed with
adduser / userdel. Execute
userdel test
If for some reason it cannot be removed it is also possible to remove the line in /etc/passwd.

But first you should kill all the processes which are running under the name of that user. Use ps aux or lsof to get the info about the process and kill -9 to stop it.

Check the system with rkhunter (http://www.rootkit.nl/projects/rootkit_hunter.html), for example; there are probably other exploits installed as well.

It's hard to say how the exploit can be removed, as it is necessary to know how it was installed. If it was compiled from sources (most probably), then it's necessary to remove the files manually with "rm".
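
An evidence-gathering pass to run before the kill, userdel and rm steps in the reply above, added here as an example and not part of the original posts. The function names are hypothetical; it assumes a Linux /proc filesystem and a root shell.

```sh
#!/bin/sh
# Added example: record what a suspect account owns BEFORE killing or deleting anything.
# Function names are hypothetical; assumes Linux /proc and root privileges.

# Show the passwd fields that help answer "where did this account come from":
# uid, gid, home directory and login shell. Returns 1 if the account is absent.
account_info() {  # account_info USER [PASSWD_FILE]
    awk -F: -v u="$1" '
        $1 == u { printf "uid=%s gid=%s home=%s shell=%s\n", $3, $4, $6, $7; found = 1 }
        END { exit !found }' "${2:-/etc/passwd}"
}

# List every process running as USER with its binary and working directory.
# Reading /proc/PID/exe still resolves when the binary was unlinked after start
# (the kernel appends " (deleted)" to the path).
procs_of_user() {  # procs_of_user USER
    for pid in $(ps -o pid= -u "$1"); do
        printf '%s exe=%s cwd=%s\n' "$pid" \
            "$(readlink "/proc/$pid/exe" 2>/dev/null)" \
            "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    done
}

# List files owned by USER below DIR (for example /tmp) with owner, mode and mtime.
# find -exec copes with odd names such as a directory that starts with a space.
files_of_user() {  # files_of_user USER DIR
    find "$2" -xdev -user "$1" -exec ls -ld {} + 2>/dev/null
}

# Usage: sh triage.sh test    (prints the evidence; redirect it to a file to keep it)
if [ $# -gt 0 ]; then
    account_info "$1" || echo "no passwd entry for $1"
    procs_of_user "$1"
    files_of_user "$1" /tmp
fi
```

Saving this output first preserves the binary paths and file timestamps that kill -9 and rm would otherwise destroy, which is what you need to work out how the files got there.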
 