CloudAtCost backdoor closed

Alex, February 12, 2016 16:33
In a previous post I wrote about the wikus backdoor in Debian virtual machines.

No official comments

There has been no official announcement from CloudAtCost on this matter, neither on their own website nor on the @cloudatcost Twitter account. I have been checking their images every day or every other day, and yesterday I was tipped that the templates had been updated. I have built two new virtual machines, one in each data center, to verify the status of the wikus user.

Backdoor Closed

CloudAtCost has finally fixed this issue by removing the wikus user, group and home directory from the template. For new instances, no backdoor user will be added to your Debian system. My advice for existing machines: check the /etc/passwd file for “hidden” users.

Traces of wikus

After a more detailed inspection of the new Debian image CloudAtCost provides, I noticed they simply removed the user with the standard Linux tools. References to “wikus” still exist in the backup copy of the shadow password file (/etc/shadow-), and all mail to root will still be sent to the nonexistent user wikus (/etc/aliases).
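To act on the advice above (check /etc/passwd for unexpected login accounts) and on the leftovers just described (/etc/shadow- and /etc/aliases), here is an added audit script; it is not from the original post or from CloudAtCost. It runs against constructed sample files so it can be tried offline; point the functions at the real paths on a live machine.

```shell
#!/bin/sh
# Added audit helper (not part of the original post): list login-capable
# accounts in a passwd file and report leftover references to a removed user
# in the files the post names. Paths default to the live system.

# Print "user uid shell" for every account that can log in interactively:
# UID 0, or UID >= 1000 (Debian's regular-user range) with a real shell.
list_login_users() {
    passwd_file="${1:-/etc/passwd}"
    awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ {
        print $1, $3, $7
    }' "$passwd_file"
}

# Return 0 (and print the matching lines with line numbers) if NAME still
# appears as a whole field or word in FILE; return 1 if absent or unreadable.
find_user_traces() {
    name="$1"; file="$2"
    [ -r "$file" ] || return 1
    grep -n -E "(^|[[:space:]:,])${name}([[:space:]:,]|$)" "$file"
}

# Constructed sample files standing in for a freshly built template.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
wikus:x:1000:1000::/home/wikus:/bin/bash
EOF
cat > "$SAMPLE_DIR/aliases" <<'EOF'
postmaster: root
root: wikus
EOF

# On a live system, review every account you cannot explain:
#   list_login_users
#   find_user_traces wikus /etc/shadow-
#   find_user_traces wikus /etc/aliases
```

Any account with UID 1000 or above that you did not create yourself deserves a closer look, and a root alias pointing at a removed user means root's mail silently disappears until /etc/aliases is fixed and newaliases is run.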