Mystery User Ossec

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Mystery User Ossec

    I discovered a mystery user named OSSEC on the login screen. I did not create this user.
    My attempts to remove it failed because the User Management does not lead anything. Instead an error message pops up announcing that user management does not provide an interface "KCModule".
    I am attaching a screenshot of the entire error notice.

    How to get rid of the unwanted user, please?

    I will search for the offending file first. But it is highly likely that some old modules are lying around somewhere.
    The screenshot is attached as a jpg image.
    Last edited by PJJ; Jan 09, 2015, 12:28 PM. Reason: Missing attachment

    #2
    Does this answer your question? https://www.alienvault.com/forums/di...-to-the-system

    Comment


      #3
      ossec is not in the Trusty repository. Where did you download it from?
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.

      Comment


        #4
        Originally posted by NickStone
        Yes and No.
        Actually the link poses more questions than answers.
        I have no idea what AlienVault or related applications are.

        Comment


          #5
          I have no idea, not the faintest idea, where this thing came from.
          I just noticed the new 'user' a few days ago.

          This is a true mystery.

          How do I get rid of it?

          Comment


            #6
            run
            Code:
            dpkg -l | grep ossec
            Does it return anything?

            VINNY
            i7 4core HT 8MB L3 2.9GHz
            16GB RAM
            Nvidia GTX 860M 4GB RAM 1152 cuda cores

            Comment


              #7
              Did you recently install some web based software? Some programs often bring in other programs.

              Here are some sites which show how ossec (HIDS -- Host based Intrusion Detection System) is installed:

              http://linuxlove.eu/install-ossec-ubuntu-14-04/

              https://bitbucket.org/jbcheng/ossec-wui

              Recognize anything?
              Last edited by GreyGeek; Jan 09, 2015, 06:12 PM.

              Comment


                #8
                To start fixing your second problem -- the malfunctioning User Manager -- what's the output of
                Code:
                dpkg -l | awk '{print $2}' | grep user
                To see whether a user ossec actually exists, what's the output of
                Code:
                grep -i ossec /etc/passwd

                Comment


                  #9
                  Originally posted by vinnywright
                  run
                  Code:
                  dpkg -l | grep ossec
                  Does it return anything?

                  VINNY
                  No, absolutely nothing.

                  Comment


                    #10
                    For 'dpkg -l | awk '{print $2}' | grep user':

                    dpkg -l | awk '{print $2}' | grep user
                    adduser
                    user-manager
                    userconfig
                    xdg-user-dirs


                    For 'grep -i ossec /etc/passwd':
                    grep -i ossec /etc/passwd
                    ossec:1001:1001::/var/lib/dome9/ossec:/bin/false


                    Oh, it is dome9. I installed dome9 a while ago for some important reason I cannot remember right now. Never used it though.
                    I did it when switching over to dedicated server and SSL in order to keep track of something. Again: I do not remember what it was.

                    It is not important anyway, as it turned out. I will remove it - if I can.

                    Comment
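
The `/etc/passwd` check from posts #8 and #10, generalized as an added example (not part of any poster's reply): it lists accounts whose UID is in the regular-user range, which display managers commonly use to decide who appears on the login screen, but whose shell or home directory marks them as service accounts. The `UID_MIN` default of 1000 is an assumption, and the sample lines are constructed, with the `ossec` entry modelled on the output in post #10.

```shell
#!/bin/sh
# Added example: flag passwd entries that sit in the regular-user UID range
# but look like service accounts (non-login shell or home outside /home).
# UID_MIN=1000 is an assumption (the usual Debian/Ubuntu default).

audit_passwd() {
    # $1: passwd-format file (name:passwd:uid:gid:gecos:home:shell);
    # reads standard input when no file is given.
    awk -F: -v min="${UID_MIN:-1000}" '
        NF != 7 { next }                    # skip malformed lines
        $3 < min || $3 == 65534 { next }    # system range and nobody
        {
            reason = ""
            if ($7 ~ /\/(false|nologin)$/)
                reason = "non-login shell " $7
            if ($6 !~ /^\/home\//)
                reason = reason (reason != "" ? "; " : "") "home " $6
            if (reason != "")
                print $1 ":" $3 ":" reason
        }' "${1:--}"
}

sample_passwd() {
    # Constructed sample input; only the ossec values come from the thread.
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ossec:x:1001:1001::/var/lib/dome9/ossec:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# Demo on the constructed sample; on a real system run: audit_passwd /etc/passwd
sample_passwd | audit_passwd
```

The home directory in the reported line is usually the quickest pointer to the software that created the account, as it was here with `/var/lib/dome9/ossec`.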


                      #11
                      GreyGeek:

                      Now I know. Looked at the referenced sites.
                      I did install dome9 a while ago to keep track of possible intrusions. I found a number of external links to our website from Russian porno websites.

                      Meanwhile we switched to a dedicated server and SSL.

                      This pretty much solves the problem of the 'mystery user OSSEC'.

                      By the way, I never logged in as OSSEC.

                      Comment


                        #12
                        http://support.dome9.com/knowledgeba...y-linux-server

                        sudo apt-get remove --purge dome9agent

                        Comment


                          #13
                          Originally posted by PJJ
                          dpkg -l | awk '{print $2}' | grep user
                          adduser
                          user-manager
                          userconfig
                          xdg-user-dirs
                          You have both the old and the new Kubuntu user manager. Please uninstall both user-manager and userconfig. Then reinstall only user-manager. That should fix the system settings module for managing users.

                          Comment


                            #14
                            Thank you, GreyGeek. Removed dome9.

                            Also:
                            Thank you SteveRiley. I followed your instructions and removed, then installed user-manager. After also removing userconfig.
                            Not tested the results yet.

                            In the process of the above operations I have received multiple instances of the following error message:

                            "dpkg: warning: parsing file '/var/lib/dpkg/status' near line 3778 package 'libxshmfence1:i386':
                            missing description"

                            Now what is this all about?

                            PS: Ossec is still shown on login screen. But it is not listed as a user in SystemSettings.
                            Last edited by PJJ; Jan 12, 2015, 09:37 PM.

                            Comment


                              #15
                              Use kuser to edit the Ossec user. Note the location of its "home" account. I doubt it is "/home/Ossec". It may not exist at all. Close the option to delete the user. If the account points to a directory or subdirectory ending in ossec then delete it. You may have to use dolphin as root to do it.

                              Comment
