
I have a Debian 8 box. It is a Plesk server with 90+ websites.

It seems somebody accessed my server and deleted the user root. I go to /etc/passwd and the file is not owned by root:root; it is owned by hacker:root, as hacker is the username of the person who probably did this.

I can't write to /etc/passwd and there is no root:x:0:0:root:/root:/bin/bash line. I have this line:

hacker:fiMWeeeegx9rM:0:0:pwned:/root:/bin/bash

And now no root processes are running; all processes run under the hacker name on the server.

Two questions:

1. I think I can reboot the server to change the hacker user's password, but how can I undo the changes, restore the root password, and make all the processes that run under the hacker username run again under the root name?

2. Access to the server is by RSA key and IP only. How is this possible? If I fix it, how can I protect the box in the future?

Thanks

  • Nuke it from orbit and then recover from a known good backup https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – user9517 Feb 09 '17 at 19:27

1 Answer


The comments below your question have the correct answer: as you don't know what other changes the hacker made, your best option is to reinstall from backup. However, beware: often intruders own your servers without being noticed, stay there for weeks or months, do whatever they want, and leave visible traces like changing /etc/passwd only when they want to be noticed. Backups made in the meantime might already be compromised, so even reinstalling from backup must be done with some care. A good security audit by a professional security expert is a must, and this is the only answer I can give to your second question.

Just a side note: processes run by userid, not by username. The fact that you see them listed under hacker is just because that is the name corresponding to uid 0 in /etc/passwd. If you could write to /etc/passwd and change hacker back to root that name would instantly disappear. But then again, this wouldn’t undo any other damage the intruder might have done.

My sympathies.

Dario
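An added example, not code from the question or the answer, illustrating the uid-versus-username point: a small parser for /etc/passwd lines that resolves uid 0 to a name the way ps and ls do, and flags what a responder would look for in such a file (no root entry, another account with uid 0, a password hash stored in passwd instead of shadow). The passwd text is a constructed sample built around the line quoted in the question; the other accounts are made up.

```python
"""Audit /etc/passwd entries for uid-0 anomalies (added example, constructed input)."""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

# Constructed sample: the intruder's line from the question plus a few
# ordinary Debian/Plesk-style accounts. Not a real server's file.
SAMPLE_PASSWD = """\
hacker:fiMWeeeegx9rM:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
psaadm:x:110:115::/usr/local/psa/admin:/bin/false
"""


def parse_passwd(text):
    """Parse passwd-format text into entries; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def uid_to_name(entries, uid):
    """Resolve a uid the way ps/ls do: the first passwd entry with that uid wins.
    The kernel tracks only the number; the name is just this lookup."""
    for e in entries:
        if e.uid == uid:
            return e.name
    return str(uid)  # no matching entry: tools print the bare number


def audit(entries):
    """Return human-readable findings about suspicious uid-0 / password fields."""
    findings = []
    if "root" not in {e.name for e in entries}:
        findings.append("no 'root' account present")
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"uid 0 account named {e.name!r}")
        if e.passwd and e.passwd not in ("x", "*", "!"):
            findings.append(f"{e.name}: password hash stored in passwd, not shadow")
    return findings
```

Run against the real file with `audit(parse_passwd(open("/etc/passwd").read()))`; on the poster's box, `uid_to_name(..., 0)` returns "hacker", which is exactly why every root process appears under that name.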