One day, while monitoring your server, you notice a user you do not recognize logged in through SSH or another method. What should you do in this situation?
First of all, do not panic. It may look alarming, but it is probably not as bad as you think. The fact that you still have control of the server, and that the account you are looking at appears to be an unprivileged one, is a good sign. Next, you need to ask yourself some important questions:
1. Is this user actually unauthorized? Perhaps you created a user a long time ago and left it with a weak password, or maybe it belonged to someone who no longer works at your organization.
2. Is it a legitimate service account? Your web server, database server and many other daemons run as non-interactive accounts that have no usable password and no login shell, for example "nobody", "named", "syslog", "apache" (or "www-data" on Debian-based systems). If you are unsure about an account, check its entry in /etc/passwd (system accounts normally have a low UID and a shell of /usr/sbin/nologin or /bin/false) and look it up in your distribution's documentation or community help forums. Note that a genuine service account should never appear as an SSH login; if one does, treat it as suspicious regardless of its name. It will also help to know what the account is doing.
3. Is the user running a standard program or something you do not recognize? If the account is running Apache, that is expected. A strange script, a process with a misleading name, or anything else you do not recognize warrants further investigation.
4. If you go through all of these steps and still do not know how this user got access, you may have a more serious problem. Only root (or a user with sudo rights) can create accounts, so you need to establish whether your root account has been compromised; the authentication log will usually show who ran useradd, from where, and when. The entry point could be any of a number of attacks, including a security flaw in a web application. If necessary, hire a security expert to investigate.
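The four questions above can be worked through on a Linux host from /etc/passwd and the authentication log. The script below is an added example, not code from the original article. It assumes that system accounts have UID 999 or lower (the default in /etc/login.defs on Debian, Ubuntu and RHEL 7+), that useradd logs "new user: name=..." records via syslog (as shadow-utils does), and that sshd logs successful logins as "Accepted password|publickey for USER from ADDR". The passwd and auth.log contents are constructed samples so the script runs offline; the hostname web1, the accounts alice and backup2 and the addresses are made up.

```shell
#!/bin/sh
# Triage an unfamiliar account: is it a service account, who created it, how has it
# been logging in, and what is it running right now? Added example, not the article's
# own code. Sample data below is constructed; on a live host run
#   sh triage.sh backup2 /etc/passwd /var/log/auth.log

SYS_UID_MAX=999   # assumption: UID_MIN is 1000 in /etc/login.defs

# account_kind USER PASSWD_FILE -> prints absent | service | interactive
account_kind() {
    entry=$(awk -F: -v u="$1" '$1 == u { print; exit }' "$2")
    [ -n "$entry" ] || { echo absent; return 0; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case "$shell" in
        */nologin|*/false) has_shell=0 ;;
        *)                 has_shell=1 ;;
    esac
    # Only a low UID *and* no login shell counts as a service account. A low UID with
    # /bin/bash (root, or a planted account), or any UID >= 1000, can log in interactively.
    if [ "$uid" -le "$SYS_UID_MAX" ] && [ "$has_shell" -eq 0 ]; then
        echo service
    else
        echo interactive
    fi
}

# ssh_logins USER AUTH_LOG -> successful sshd logins for USER, one per line (may be none)
ssh_logins() {
    grep -E "sshd\[[0-9]+\]: Accepted (password|publickey) for $1 from " "$2" || true
}

# count_ssh_logins USER AUTH_LOG -> number of successful sshd logins for USER
count_ssh_logins() {
    ssh_logins "$1" "$2" | wc -l | tr -d ' '
}

# account_creations AUTH_LOG -> useradd records naming each new account. The sudo line
# logged just before it (if any) says who ran useradd and from which terminal.
account_creations() {
    grep -E "useradd\[[0-9]+\]: new user: name=" "$1" || true
}

# triage USER PASSWD_FILE AUTH_LOG -> human-readable report covering the four questions
triage() {
    u=$1; pw=$2; log=$3
    echo "== $u: account kind: $(account_kind "$u" "$pw")"
    echo "== creation records in $log:"
    account_creations "$log" | grep "name=$u," \
        || echo "   none (account predates the log, or /etc/passwd was edited directly)"
    echo "== successful SSH logins: $(count_ssh_logins "$u" "$log")"
    ssh_logins "$u" "$log"
    echo "== processes currently owned by $u:"
    ps -u "$u" -o pid=,etime=,args= 2>/dev/null || echo "   none (or unknown user)"
}

# write_samples DIR -> writes the constructed passwd and auth.log used for the demo
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
syslog:x:104:108::/home/syslog:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:1001:1001::/home/backup2:/bin/bash
EOF
    cat > "$1/auth.log" <<'EOF'
Mar  3 02:11:09 web1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2: ED25519 SHA256:constructed
Mar  3 02:14:31 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m -s /bin/bash backup2
Mar  3 02:14:31 web1 useradd[2290]: new user: name=backup2, UID=1001, GID=1001, home=/home/backup2, shell=/bin/bash, from=/dev/pts/0
Mar  3 02:20:02 web1 sshd[2354]: Accepted password for backup2 from 203.0.113.9 port 40122 ssh2
Mar  4 01:03:44 web1 sshd[3107]: Accepted password for backup2 from 203.0.113.9 port 40310 ssh2
EOF
}

# With arguments, run against the live host; with none, demonstrate on the sample data.
if [ $# -ge 1 ]; then
    triage "$1" "${2:-/etc/passwd}" "${3:-/var/log/auth.log}"
else
    demo=$(mktemp -d)
    write_samples "$demo"
    triage backup2 "$demo/passwd" "$demo/auth.log"
    rm -rf "$demo"
fi
```

Run with no arguments to see the report for the constructed case: backup2 is an interactive account, the log shows alice creating it with sudo from pts/0, and it has since logged in twice by password from the same external address. The grep patterns match the Debian/Ubuntu auth.log layout; on RHEL-style systems read /var/log/secure or `journalctl -u sshd` instead, and use `who`, `w` and `last` to see who is logged in right now rather than only what the log recorded.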