CloudAtCost backdoor in Debian Linux

Alex, January 22, 2016 09:41
VPS host CloudAtCost, the host that does not charge you monthly fees, lets customers install Debian Linux with an active account that is not documented. Username is wikus, password unknown at the moment (see below).

Systems affected

Older Debian 7 images do not have this wikus user installed; only the newer Debian 8 images do. But Debian 7 is no longer selectable. Other operating systems like CentOS, FreeBSD and Windows do not come with a backdoor user.
To determine if your system has a backdoor user installed, use the following command:

$ grep bash /etc/passwd | cut -f1 -d:

This will show you all users with a shell. Expected users are root, admin, user or similar. You do not expect to find a user "wikus" there. You can also find a home directory for this user in /home/wikus.
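As an added check that is not part of the original post, the script below generalizes the one-liner above: it lists every account with an interactive login shell (any shell whose path ends in "sh", not just bash) that is not on an allowlist of accounts you created yourself, and reports whether that account also has a home directory. The allowlist and the sample /etc/passwd lines are constructed for illustration; point the function at the real /etc/passwd on a VPS.

```shell
#!/bin/sh
# Added example, not from the original post. Lists accounts that can log in
# interactively but were not created by you. The allowlist is an assumption:
# put the names of the accounts you set up yourself here.
EXPECTED_USERS="root admin user"

# unexpected_shell_users PASSWD_FILE
# Prints one account name per line for every entry whose login shell ends in
# "sh" (bash, sh, dash, zsh, ksh, ...) and whose name is not in EXPECTED_USERS.
unexpected_shell_users() {
    passwd_file="$1"
    awk -F: -v expected="$EXPECTED_USERS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $7 ~ /sh$/ && !($1 in ok) { print $1 }
    ' "$passwd_file"
}

# report_unexpected_users PASSWD_FILE HOME_ROOT
# For each unexpected account, also says whether HOME_ROOT/<name> exists,
# since a populated home directory suggests the account was really used.
report_unexpected_users() {
    passwd_file="$1"
    home_root="$2"
    unexpected_shell_users "$passwd_file" | while read -r name; do
        if [ -d "$home_root/$name" ]; then
            echo "$name: unexpected login shell, home directory present"
        else
            echo "$name: unexpected login shell, no home directory"
        fi
    done
}

# Constructed sample: a fresh image with one undocumented extra account.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
wikus:x:1001:1001::/home/wikus:/bin/bash
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
EOF

# On a real system use: report_unexpected_users /etc/passwd /home
report_unexpected_users "$SAMPLE" /home
rm -f "$SAMPLE"
```

Service accounts with /usr/sbin/nologin or /bin/false are ignored, so the output is only the accounts that could actually be used to log in; anything it prints that you did not create yourself deserves a look.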

Password

What is the password you ask? Well, I don’t know. I do have the hash as you can see above and what would be more ironic than to use a CloudAtCost VPS to crack this hash. Running as we speak. Stay tuned for more information. Follow me on @hackpending for more information.

Solution:

First, delete the user from your VPS as soon as possible. The hash is publicly available and at some point someone will crack the password which will allow the entire internet to log on to your machine. And the person who created the wikus account will know the password.
# deluser wikus
# delgroup wikus
# rm -rf /home/wikus
#

Response from CloudAtCost:

I asked CloudAtCost about this and they have not yet responded to my email, ticket and tweet. (Last updated at 22-JAN-2016 at 15:20 UTC)


Update 22-JAN-2016 17:50 UTC

Co-founder Gerald Camacho replies to e-mail: "I'll have someone fix it." Last build I did (19:20 UTC) still contains wikus user.

Update 22-JAN-2016 21:34 UTC

Last build I did (21:30 UTC) still contains wikus user with the same hash/password.

Update 27-JAN-2016 09:30 UTC

Last build I did (09:30 UTC) still contains wikus user with the same hash/password.

Update 28-JAN-2016 14:00 UTC

Last build I did (14:00 UTC) still contains wikus user with the same hash/password.

Update 29-JAN-2016 14:00 UTC

Last build I did (14:00 UTC) still contains wikus user with the same hash/password.

Update 1-FEB-2016 13:00 UTC

Last build I did (13:00 UTC) still contains wikus user with the same hash/password.

Update 2-FEB-2016 21:00 UTC

Last build I did (21:00 UTC) still contains wikus user with the same hash/password.

Update 8-FEB-2016 21:00 UTC

Last build I did (12:00 UTC) still contains wikus user with the same hash/password.

Update 12-FEB-2016 20:00 UTC

The wikus user has been removed from the template.