Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Is this what I think it is? (Backdoor or support account?)
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Is this what I think it is? (Backdoor or support account?)

Just spun up a fresh Debian 10 Buster VPS from an easter egg promo
(looks like the offer thread has been deleted...I don't think they had a
provider tag). On first login, I found a /home/li directory, a valid
password entry for user li in shadow, and memberships in groups
sudo, adm, etc. No entries in authorized_keys, so I think
I'm safe. But still, doesn't this seem a bit fishy? I realize the
provider has full control/access anyway, so maybe it's nothing?

(BTW, this post was hell to edit. Cloudflare really doesn't like you talking about such things!)

Comments

  • DPDP Administrator, The Domain Guy

    You should check with your provider.

  • jarjar Patron Provider, Top Host, Veteran

    Sometimes providers intentionally keep access to perform automated tasks by user request. It’s one way to handle root password resets, for example. Probably one of the easier ways to code it. Worth checking with them, could just as well be a mistake.

  • jlayjlay Member
    edited April 2021

    I usually check specifically for this, if I find non-standard accounts I'll do a clean ISO install if possible. If clean installs aren't a choice, I might outright cancel and move. It depends how much I care to risk

    If SSH allows password logins, the account may still carry some risk

    It's too difficult to sign off on the modifications they may have made. This is the first and most obvious sign you aren't on a clean system, in my opinion

    I intentionally go for services with limited support, they should not have access. I consider it a breach of trust in this case, even if it's a simple oversight in templates

    @jar said:
    Sometimes providers intentionally keep access to perform automated tasks by user request. It’s one way to handle root password resets, for example. Probably one of the easier ways to code it. Worth checking with them, could just as well be a mistake.

    For root password resets on VMs, I believe the QEMU guest agent can assist online. Offline libguestfs absolutely works

    You're right it's often used for this, but it's often a sign you want to be somewhere else. There are better and smarter ways to go about it

    Thanked by 1jar
  • why would anyone use default template anyway?
    Perform clean install from iso.....

  • Reinstall from ISO. It could be a bad image from the provider.

  • FrankZFrankZ Veteran
    edited April 2021

    @pwned said: I found a /home/li directory, a valid
    password entry for user li in shadow, and memberships in groups
    sudo, adm, etc.

    That is likely Liang Zai's account. I think he is the sales manager and does some of the tech support at Pacifi-crack. You could think of it as a "debianuser" account but not as well known.

    The above advise to reinstall from iso would be good to follow, if they allow that option.

    EDIT: Please update us on how that VPS performs for you. Maybe network test from ping.pe/

  • raindog308raindog308 Administrator, Veteran

    That is Premier Li’s account. You’ve been hacked by the CCP.

    Thanked by 2FrankZ kkrajk
  • @tolovall said:
    why would anyone use default template anyway?
    Perform clean install from iso.....

    Is that a serious question? SMH

    Because it's fast and automated. Two clicks and two minutes instead of 50 clicks and 50 minutes.

  • @TimboJones said: Because it's fast and automated. Two clicks and two minutes instead of 50 clicks and 50 minutes.

    The lazy ass/dumbed down way of commissioning a server.

Sign In or Register to comment.