On 02/03/2021 19.46, James Knott wrote:
> btw, the shadow password file was changed at the same time as that .dhcpd file was created. Since there were only 3 login passwords in it and I know 2 of them still work, I assume the test account password was changed. I changed the password and set the account to not allow login. My next step is to remove the test user entirely.
Correlate that point in time with all logs. What were you doing at the time? It is very important to find out how that thing got in. To create /home/test the first time they need root access of some kind, so anything you do to disable that account is pointless. Then you say that the thing would restart itself. I have read on Google that it restarts every half hour, so there will be some cronjob entry somewhere.

--
Cheers / Saludos,

Carlos E. R.
(from 15.2 x86_64 at Telcontar)
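An added example, not part of the original message: a sketch of the two checks suggested above, listing files modified within a few minutes of a reference file (such as the changed shadow file) and flagging crontab entries that fire every half hour. The function names, the 300-second window and the sample crontab with its placeholder command paths are assumptions made for illustration.

```python
import os

# Constructed sample crontab; the command paths are placeholders, not values from the thread.
SAMPLE_CRONTAB = """MAILTO=root
*/5 * * * * /usr/bin/true
*/30 * * * * /path/to/suspect-binary
15,45 * * * * /path/to/other-job
"""

def files_changed_near(reference, roots, window_s=300):
    # (mtime, path) of every file modified within window_s seconds of reference.
    ref, hits = os.lstat(reference).st_mtime, []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.lstat(path).st_mtime
                except OSError:
                    continue  # vanished or unreadable
                if abs(mtime - ref) <= window_s:
                    hits.append((mtime, path))
    return sorted(hits)

def expand_minutes(field):
    # Expand a cron minute field (*, a, a-b, comma lists, /step) into a set of minutes.
    minutes = set()
    for part in field.split(","):
        rng, slash, step = part.partition("/")
        lo, _, hi = rng.partition("-")
        if rng == "*":
            lo, hi = 0, 59
        elif not hi:
            hi = 59 if slash else lo
        minutes.update(range(int(lo), int(hi) + 1, int(step or 1)))
    return minutes

def half_hourly_entries(crontab_text):
    # Crontab lines that run every hour at exactly two minutes, 30 minutes apart.
    found = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # variable assignment, comment or blank line
        try:
            mins = sorted(expand_minutes(fields[0]))
        except ValueError:
            continue  # @reboot-style or malformed entry
        if fields[1] == "*" and len(mins) == 2 and mins[1] - mins[0] == 30:
            found.append(line.strip())
    return found
```

Modification times can be reset by anyone who had root, so an empty result from the first function is inconclusive. The cron check should be run over every user's crontab as well as the system-wide cron files.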