How can I check to see if any users have been added or removed recently on my Linode?

Linode Staff

I'm cleaning my system from a compromise, and want to check to see if any users were added or removed on my Linode. How do I do that?

1 Reply

You can check to see if any users were created or deleted recently by checking the file /var/log/auth.log. When I deploy a new server and create a user with a StackScript I use, this is what I find in auth.log:

```
Mar  6 17:29:24 localhost groupadd[1182]: group added to /etc/group: name=testaccount, GID=1000
Mar  6 17:29:24 localhost groupadd[1182]: group added to /etc/gshadow: name=testaccount
Mar  6 17:29:24 localhost groupadd[1182]: new group: name=testaccount, GID=1000
Mar  6 17:29:24 localhost useradd[1186]: new user: name=testaccount, UID=1000, GID=1000, home=/home/testaccount, shell=/bin/bash
Mar  6 17:29:24 localhost usermod[1194]: change user 'testaccount' password
Mar  6 17:29:24 localhost chfn[1199]: changed user 'testaccount' information
Mar  6 17:29:24 localhost chpasswd[1204]: pam_unix(chpasswd:chauthtok): password changed for testaccount
Mar  6 17:29:24 localhost gpasswd[1207]: user testaccount added by root to group sudo
```

Deleted users will show similar, but opposite entries.

If your Linode has been compromised, you should also check out this post for instructions on how to investigate the compromise and recover your Linode.
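One way to run the check described in the answer above over a whole log file, as an added example that is not part of the original reply. The function names, the `TOOLS` list and the sample log are assumptions made for illustration; the `userdel` and `sshd` sample lines are constructed and their wording is assumed.

```shell
#!/bin/sh
# Added example: pull account-management events out of an auth log.
# It matches on the syslog program tag (useradd, userdel, ...) instead of the
# message text, so it does not depend on each tool's exact wording.

TOOLS='useradd|userdel|usermod|groupadd|groupdel|groupmod|gpasswd|chpasswd|passwd|chfn'

# account_events FILE -> "tool<TAB>original line" for every matching entry
account_events() {
    awk -v tools="$TOOLS" '
    {
        for (i = 1; i <= NF; i++) {
            # The first field ending in ":" is the program tag. Stop there, so
            # text inside a message (e.g. a login name chosen by a remote
            # client) cannot pose as a useradd/userdel entry.
            if ($i ~ /:$/) {
                if ($i ~ ("^(" tools ")\\[[0-9]+\\]:$")) {
                    tool = $i; sub(/\[.*/, "", tool)
                    print tool "\t" $0
                }
                break
            }
        }
    }' "$1"
}

# account_event_counts FILE -> one "tool=count" line per tool seen
account_event_counts() {
    account_events "$1" | cut -f1 | sort | uniq -c | awk '{ print $2 "=" $1 }'
}

# Constructed sample: two lines in the format shown in the answer, plus an
# sshd line and a userdel line whose wording is assumed for illustration.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  6 17:29:24 localhost useradd[1186]: new user: name=testaccount, UID=1000, GID=1000, home=/home/testaccount, shell=/bin/bash
Mar  6 17:29:24 localhost gpasswd[1207]: user testaccount added by root to group sudo
Mar  7 02:11:09 localhost sshd[2291]: Invalid user useradd[1]: from 203.0.113.7 port 50122
Mar  7 02:14:40 localhost userdel[2310]: delete user 'olduser'
EOF
}

# Scan the file given on the command line, if any.
if [ $# -gt 0 ]; then
    account_events "$1"
fi
```

Run it against `/var/log/auth.log`; rotated copies such as `auth.log.1` have to be passed separately, and compressed ones decompressed first.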
