Unauthorized User Creation

A Debian-first guide to reviewing unexpected accounts, checking authentication file changes, and removing account-based persistence safely.

What this is

Unauthorized user creation happens when a new account is added to a system without a valid administrative reason. It is a common persistence method after compromise because it gives an attacker a reusable, credential-based way back in that survives a reboot and no longer depends on the original exploit.

A rogue account may be obvious, or it may hide among service accounts: a name that resembles a daemon, a home directory outside /home, a second account with UID 0, a UID shared with an existing user, or an SSH key dropped into an existing user's authorized_keys rather than a new user at all.

What it looks like

Detect

List all local accounts

cut -d: -f1 /etc/passwd

Review users with login shells

awk -F: '$7 !~ /(nologin|false)$/ {print $1 ":" $6 ":" $7}' /etc/passwd

Check recent auth activity

sudo grep -Ei "useradd|new user|adduser|sudo|Accepted" /var/log/auth.log

On Debian 12 and later, rsyslog is not installed by default, so /var/log/auth.log may not exist; the same records are in the systemd journal (journalctl). Rotated files (auth.log.1, auth.log.*.gz) hold older entries and should be included when the creation date is unknown.
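The grep above returns the raw lines; what an investigator wants is the sequence: the login that preceded the change, the sudo invocation, the useradd/usermod records, and the first login of the new account. The script below is an added example, not code from the original page. It parses the message formats written by useradd, usermod, sudo and sshd on Debian, accepts both the traditional syslog timestamp and journalctl's short-iso output, and falls back to the journal when auth.log is absent. The sample log lines are constructed; the host name, addresses and fingerprints are invented.

```shell
#!/bin/sh
# Added example, not part of the original page. Builds a timeline of
# account-related events from auth.log or the journal. Assumptions: GNU awk
# or mawk as on Debian; sample lines below are constructed, not real.

# Live records: rotated auth.log files if rsyslog is installed, otherwise the
# journal (Debian 12 and later ship without rsyslog by default). Needs root.
auth_source() {
    if [ -r /var/log/auth.log ]; then
        for f in /var/log/auth.log*; do
            case "$f" in *.gz) zcat "$f" ;; *) cat "$f" ;; esac
        done
    else
        journalctl -o short-iso --no-pager -t sshd -t sudo -t useradd -t usermod -t groupadd
    fi
}

# Print "<timestamp> | <host> | <event>" for each relevant line on stdin.
auth_timeline() {
    awk '
    function kv(s, k) {                       # value of "k=..." inside s
        if (!match(s, k "=[^,]*")) return "?"
        return substr(s, RSTART + length(k) + 1, RLENGTH - length(k) - 1)
    }
    {
        # the "prog[pid]:" token separates timestamp+host from the message
        p = 0
        for (i = 2; i <= NF && i <= 6; i++)
            if ($i ~ /^[A-Za-z0-9_.-]+(\[[0-9]+\])?:$/) { p = i; break }
        if (p < 3) next
        ts = $1; for (i = 2; i < p - 1; i++) ts = ts " " $i
        host = $(p - 1)
        prog = $p; sub(/(\[[0-9]+\])?:$/, "", prog)
        msg = $(p + 1); for (i = p + 2; i <= NF; i++) msg = msg " " $i
        ev = ""
        if (prog == "useradd" && msg ~ /^new user: /)
            ev = "user-created " kv(msg, "name") " uid=" kv(msg, "UID") " shell=" kv(msg, "shell") " from=" kv(msg, "from")
        else if ((prog == "useradd" || prog == "groupadd") && msg ~ /^new group: /)
            ev = "group-created " kv(msg, "name")
        else if (prog == "usermod" && match(msg, /add .[^ ]+ to (shadow )?group .[^ ]+/))
            ev = "group-membership: " substr(msg, RSTART, RLENGTH)
        else if (prog == "sudo" && msg ~ /COMMAND=/ && msg ~ /(useradd|adduser|usermod|gpasswd|visudo|chpasswd|passwd)/) {
            split(msg, a, " : "); cmd = msg; sub(/.*COMMAND=/, "", cmd)
            ev = "sudo " a[1] " ran " cmd
        } else if (prog == "sshd" && $(p + 1) == "Accepted")
            ev = "ssh-login " $(p + 4) " via " $(p + 2) " from " $(p + 6)
        if (ev != "") print ts " | " host " | " ev
    }'
}

# Constructed sample (not from a real host): an admin session creates
# backup2, grants it sudo, and the new account logs in minutes later. The
# last two lines show the journalctl short-iso timestamp form.
sample_log() {
    cat <<'EOF'
Jun  1 10:14:55 web1 sshd[2311]: Accepted publickey for alice from 203.0.113.5 port 5122 ssh2: ED25519 SHA256:constructedfingerprint
Jun  1 10:15:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m -s /bin/bash backup2
Jun  1 10:15:02 web1 useradd[2350]: new group: name=backup2, GID=1001
Jun  1 10:15:02 web1 useradd[2350]: new user: name=backup2, UID=1001, GID=1001, home=/home/backup2, shell=/bin/bash, from=/dev/pts/0
Jun  1 10:15:20 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo backup2
Jun  1 10:15:20 web1 usermod[2361]: add 'backup2' to group 'sudo'
Jun  1 10:16:40 web1 sshd[2402]: Accepted password for backup2 from 198.51.100.7 port 40122 ssh2
2024-06-01T10:20:11+0000 web1 sshd[2450]: Accepted publickey for backup2 from 198.51.100.7 port 40190 ssh2: ED25519 SHA256:constructedfingerprint2
2024-06-01T10:21:03+0000 web1 CRON[2410]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
EOF
}

# Run with --live for the real logs; without arguments it uses the sample.
if [ "${1:-}" = "--live" ]; then auth_source | auth_timeline; else sample_log | auth_timeline; fi
```

Read the output bottom-up from the first login of the new account: the sudo line names who created it and from which tty, and the ssh-login that precedes it tells you whether that administrator's session was itself legitimate. The same script serves Option 5 under Prevent.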

Review sudo-capable group membership

getent group sudo

Find authorized SSH keys for users

sudo find /home /root -name authorized_keys -type f -exec ls -lah {} \; -exec cat {} \;

This covers only /home and /root. The sixth field of /etc/passwd gives the real home directory of every account (a rogue one may live under /var/tmp or a dot-directory), and sshd reads a different file if AuthorizedKeysFile is set in sshd_config, so check that directive as well.
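The three checks above (list accounts, find login shells, find keys) can be combined into one audit that also catches what a plain listing hides: a second UID 0, two names sharing a UID, and a home directory in a scratch location. The script below is an added example, not code from the original page; the passwd file it audits is a constructed sample, and the second argument is a hypothetical path prefix so the key enumeration can be exercised on a copied tree instead of the live root.

```shell
#!/bin/sh
# Added example, not part of the original page. Audits a passwd(5) file for
# the patterns behind a rogue account and enumerates authorized_keys from
# the home directory of every account listed there, not only under /home.
# Assumptions: awk/grep as on Debian; the optional prefix argument is a
# hypothetical path prefix for offline use. Run with sudo on a live host.

# One finding per line: "<reason> <user> uid=<n> home=<dir> shell=<sh>".
#   uid0           another account with UID 0 (root-equivalent)
#   login-shell    an interactive shell on a non-root account
#   odd-home       interactive account whose home is outside /home or /root
#   hidden-home    home under /tmp, /var/tmp, /dev/shm or in a dot-directory
#   uid-collision  two names sharing one UID (reported once per UID)
passwd_findings() {
    awk -F: '
        { owners[$3] = (owners[$3] == "" ? "" : owners[$3] ",") $1 }
        $3 == 0 && $1 != "root" { print "uid0", $1, "uid=" $3, "home=" $6, "shell=" $7 }
        $1 != "root" && $7 !~ /(nologin|false|sync|halt|shutdown)$/ {
            print "login-shell", $1, "uid=" $3, "home=" $6, "shell=" $7
            if ($6 !~ /^\/(home|root)(\/|$)/)
                print "odd-home", $1, "uid=" $3, "home=" $6, "shell=" $7
        }
        $6 ~ /^\/(tmp|var\/tmp|dev\/shm)(\/|$)/ || $6 ~ /\/\./ {
            print "hidden-home", $1, "uid=" $3, "home=" $6, "shell=" $7
        }
        END { for (u in owners) if (owners[u] ~ /,/) print "uid-collision", owners[u], "uid=" u }
    ' "${1:-/etc/passwd}"
}

# "<user> <file> <key count>" for every authorized_keys file that exists,
# taking the home directory from the passwd file rather than assuming /home.
list_authorized_keys() {
    awk -F: '$6 != "" { print $1 ":" $6 }' "${1:-/etc/passwd}" |
    while IFS=: read -r user home; do
        for f in "$2$home/.ssh/authorized_keys" "$2$home/.ssh/authorized_keys2"; do
            [ -f "$f" ] || continue
            n=$(grep -cvE '^[[:space:]]*(#|$)' "$f" || true)   # keys, ignoring comments and blanks
            echo "$user $f $n"
        done
    done
}

# Constructed sample passwd file (not from a real host): a hidden UID-0
# account with a dot-directory home under /var/tmp, and a second UID 1000.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysupdate:x:0:0::/var/tmp/.x:/bin/bash
backup2:x:1000:1001::/home/backup2:/bin/sh
EOF
}

if [ $# -gt 0 ]; then
    passwd_findings "$1"; list_authorized_keys "$1" ""      # e.g. sudo sh audit.sh /etc/passwd
else
    tmp=$(mktemp -d); sample_passwd > "$tmp/passwd"
    mkdir -p "$tmp/var/tmp/.x/.ssh"
    echo 'ssh-ed25519 AAAAconstructedkeymaterial constructed-comment' > "$tmp/var/tmp/.x/.ssh/authorized_keys"
    passwd_findings "$tmp/passwd"; list_authorized_keys "$tmp/passwd" "$tmp"
    rm -rf "$tmp"
fi
```

Every login-shell finding still needs a human decision; the point of the other reasons is that they are almost never legitimate on a Debian host and should go to the top of the review list. Accounts served by LDAP or SSSD do not appear in /etc/passwd; use getent passwd as the input on such hosts.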

Contain

Lock a suspicious account

sudo passwd -l <username>

This only disables the password. An account with an authorized_keys file can still log in over SSH, so treat the lock as the first step, not the whole containment.

Expire the account immediately

sudo chage -E 0 <username>

An expired account is rejected by PAM's account check regardless of authentication method, which is what actually closes key-based SSH logins.

Remove the account from sudo if needed

sudo deluser <username> sudo

Also look for per-user rules in /etc/sudoers and /etc/sudoers.d; removing the group membership does not touch those.

Neither the lock nor the expiry ends sessions that are already open, so terminate the account's running processes as well. If you are not yet sure whether the account is malicious, lock and expire it first rather than deleting it immediately: deleting with --remove-home destroys the evidence in the home directory and frees the name and UID for reuse.
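Containment is only done when every path back in is closed, and the steps above each close a different one. The script below is an added example, not code from the original page: it reads the passwd, shadow and group entries for an account and reports each control that is still missing (password not locked, account not expired, sudo membership, an authorized_keys file, live processes). The optional ROOT argument is a hypothetical path prefix so it can run against a copied /etc tree; on a live host it needs root to read /etc/shadow. The sample account and files are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page. Verifies that a locked
# account is actually contained. passwd -l only disables the password hash;
# an authorized_keys file still lets the account in over SSH, expiring the
# account (chage -E) is what blocks key logins too, and neither ends sessions
# that are already open. Assumptions: ROOT is a hypothetical path prefix for
# offline use; sample entries below are constructed.

today_days() { echo $(( $(date +%s) / 86400 )); }

# Print one line per control still missing for USER; return 1 if any.
# Usage: missing_controls USER [ROOT]
missing_controls() {
    user="$1"; root="${2:-}"; open=0
    pw=$(grep "^$user:" "$root/etc/passwd") || { echo "no-passwd-entry $user"; return 1; }
    shd=$(grep "^$user:" "$root/etc/shadow") || { echo "no-shadow-entry $user"; return 1; }
    home=$(printf '%s\n' "$pw" | cut -d: -f6)
    hash=$(printf '%s\n' "$shd" | cut -d: -f2)
    expire=$(printf '%s\n' "$shd" | cut -d: -f8)
    case "$hash" in
        '!'*|'*'*) ;;                                          # locked: no password can match
        '') echo "password-empty $user (logs in with no password)"; open=1 ;;
        *)  echo "password-not-locked $user (run: passwd -l $user)"; open=1 ;;
    esac
    # shadow field 8 is the expiry day number; empty or in the future means
    # PAM still accepts the account, including key-based SSH logins
    if [ -z "$expire" ] || [ "$expire" -gt "$(today_days)" ]; then
        echo "not-expired $user (run: chage -E 0 $user)"; open=1
    fi
    if grep '^sudo:' "$root/etc/group" | cut -d: -f4 | tr ',' '\n' | grep -qx "$user"; then
        echo "sudo-member $user (run: deluser $user sudo)"; open=1
    fi
    for f in "$root$home/.ssh/authorized_keys" "$root$home/.ssh/authorized_keys2"; do
        [ -s "$f" ] && { echo "ssh-key-present $user $f"; open=1; }
    done
    # a lock or expiry does not end sessions that are already running
    if command -v pgrep >/dev/null 2>&1 && pgrep -u "$user" >/dev/null 2>&1; then
        echo "processes-running $user (run: pkill -KILL -u $user)"; open=1
    fi
    return $open
}

# Constructed sample (not a real host): the account the way an attacker left it.
sample_tree() {
    r=$(mktemp -d); mkdir -p "$r/etc" "$r/var/tmp/.x/.ssh"
    echo 'sysupdate:x:0:0::/var/tmp/.x:/bin/bash' > "$r/etc/passwd"
    echo 'sysupdate:$y$j9T$constructed$hash:19876:0:99999:7:::' > "$r/etc/shadow"
    echo 'sudo:x:27:alice,sysupdate' > "$r/etc/group"
    echo 'ssh-ed25519 AAAAconstructedkey constructed-comment' > "$r/var/tmp/.x/.ssh/authorized_keys"
    echo "$r"
}

# Mirror the page's containment steps on the sample tree (on a live host run
# passwd -l, chage -E 0 and deluser ... sudo instead of editing the files).
contain_sample() {
    echo 'sysupdate:!$y$j9T$constructed$hash:19876:0:99999:7::0:' > "$1/etc/shadow"
    echo 'sudo:x:27:alice' > "$1/etc/group"
    : > "$1/var/tmp/.x/.ssh/authorized_keys"
}

r=$(sample_tree)
echo "before:"; missing_controls sysupdate "$r" || true
contain_sample "$r"
echo "after:"; missing_controls sysupdate "$r" && echo "fully contained"
rm -rf "$r"
```

Run it once after each containment step; an empty report is the state you want before moving on to recovery.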

Recover

Review the user's home directory

sudo ls -lah /home/<username>
sudo find /home/<username> -maxdepth 3 -type f

Remove unauthorized SSH keys

sudo nano /home/<username>/.ssh/authorized_keys

Check root's file and every other existing user's file as well: attackers often add a key to an account that already exists instead of creating a new one.

Delete the account if confirmed malicious

sudo deluser --remove-home <username>

This removes only the home directory and mail spool. Files the account owned elsewhere (under /tmp, /var/tmp, /opt and the like) remain, now owned by an orphaned numeric UID, and can still be found and removed by that UID.

Review for related persistence

sudo systemctl list-unit-files --type=service
sudo find /etc/cron* -type f
sudo grep -Ei "useradd|adduser" /var/log/auth.log

If an attacker created a user, there may also be cron jobs, systemd services or timers, sudoers drop-ins under /etc/sudoers.d, or sshd_config changes intended to preserve access. Bounding the search by time helps: anything in those locations modified after the useradd entry in the auth log deserves a look, and files that belong to packages can be compared with the package database using dpkg --verify.
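A full listing of unit files and cron directories is long; the useful filter is time. The script below is an added example, not code from the original page. It lists everything under the common persistence locations modified since a reference time (the creation time of the rogue account, taken from the auth log or from the mtime of /etc/passwd), and finds files still owned by a deleted UID. It assumes GNU find as shipped on Debian; the optional ROOT argument is a hypothetical path prefix for offline use, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page. Time-bounded persistence
# sweep plus orphaned-file search. Assumptions: GNU find (-newermt, -printf);
# ROOT is a hypothetical path prefix for offline use; sample tree constructed.

PERSIST_PATHS="etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly etc/cron.monthly
var/spool/cron/crontabs etc/systemd/system lib/systemd/system etc/sudoers etc/sudoers.d
etc/ssh etc/pam.d etc/profile.d etc/rc.local etc/ld.so.preload home root"

# Files and symlinks in the persistence locations modified after SINCE,
# oldest first. Usage: changed_since "YYYY-MM-DD HH:MM" [ROOT]
changed_since() {
    since="$1"; root="${2:-}"
    for p in $PERSIST_PATHS; do
        [ -e "$root/$p" ] || continue
        find "$root/$p" -xdev -newermt "$since" \( -type f -o -type l \) \
             -printf '%TY-%Tm-%Td %TH:%TM %u %p\n' 2>/dev/null
    done | sort
}

# Files owned by a numeric UID (or by no known user at all), which is what
# deluser --remove-home leaves behind outside the home directory.
# Usage: owned_by_uid UID [ROOT]
owned_by_uid() {
    find "${2:-/}" -xdev -type f \( -uid "$1" -o -nouser \) 2>/dev/null
}

# Constructed sample tree (not a real host): the account was created on
# 2024-06-01 10:15; a cron job and a sudoers drop-in appeared minutes later,
# while an older unit file is unrelated noise.
sample_tree() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/cron.d" "$r/etc/sudoers.d" "$r/lib/systemd/system" "$r/opt/.cache"
    echo '* * * * * root /opt/.cache/beacon' > "$r/etc/cron.d/sysupdate"
    echo 'backup2 ALL=(ALL) NOPASSWD: ALL' > "$r/etc/sudoers.d/90-backup2"
    echo '[Unit]' > "$r/lib/systemd/system/cron.service"
    echo 'constructed payload placeholder' > "$r/opt/.cache/beacon"
    touch -d '2024-06-01 10:18' "$r/etc/cron.d/sysupdate" "$r/etc/sudoers.d/90-backup2"
    touch -d '2023-11-20 08:00' "$r/lib/systemd/system/cron.service"
    echo "$r"
}

r=$(sample_tree)
echo "changed since account creation:"; changed_since '2024-06-01 10:15' "$r"
echo "files under $r/opt owned by uid $(id -u):"; owned_by_uid "$(id -u)" "$r/opt"
rm -rf "$r"
```

On a live host call changed_since with the timestamp of the useradd log line and no ROOT argument, and owned_by_uid with the UID you noted before running deluser. Package upgrades also touch /lib/systemd/system, so compare hits there against dpkg --verify before treating them as hostile.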

Prevent

Option 1 — Review login-capable users regularly

awk -F: '$7 !~ /(nologin|false)$/ {print $1 ":" $6 ":" $7}' /etc/passwd

Option 2 — Review sudo membership

getent group sudo

Option 3 — Restrict SSH exposure

sudo ufw allow from <trusted_ip> to any port 22
sudo ufw deny 22

ufw evaluates rules in order, so the allow rule must be added before the deny. Keep your current session open until a fresh connection from the trusted address succeeds, and remember that this does nothing for logins that do not come over the network (console, a web shell, a compromised service running as root).

Option 4 — Use SSH keys instead of passwords

ssh-copy-id user@server_ip

Copying a key does not stop password logins by itself. After confirming that key login works, set PasswordAuthentication no in /etc/ssh/sshd_config and reload sshd. On Debian 12 the main file includes /etc/ssh/sshd_config.d/*.conf near the top, and sshd uses the first value it finds for a keyword, so a drop-in there silently overrides the main file.
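The two sshd_config rules that matter here (first value wins; Include files are read where the Include line sits) are easy to get wrong by hand, so the following added example, not code from the original page, resolves the effective value the way sshd does and shows the weak and corrected drop-in states side by side. The config files and paths are constructed; the fix shown is a drop-in that sorts ahead of the offending one, since glob results are read in lexical order.

```shell
#!/bin/sh
# Added example, not part of the original page. Resolves the value sshd will
# use for a keyword from sshd_config plus its Include files, stopping at the
# first Match block (everything below it is conditional). Assumptions:
# sshd_config(5) syntax; sample files and paths are constructed.

# Usage: sshd_effective CONFIG KEY   (prints the built-in default if unset)
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _sshd_walk "$1" "$key" && return 0
    case "$key" in
        passwordauthentication) echo yes ;;
        permitrootlogin) echo prohibit-password ;;
        *) echo "(default)" ;;
    esac
}

_sshd_walk() {
    local f="$1" k="$2" line name val g
    [ -r "$f" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop comments
        set -f; set -- $line; set +f           # tokenize without globbing
        name=$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z'); val="${2:-}"
        case "$name" in
            match) return 1 ;;                 # conditional section: stop
            include)
                for g in $val; do              # glob expands here, sorted
                    case "$g" in /*) ;; *) g="/etc/ssh/$g" ;; esac
                    _sshd_walk "$g" "$k" && return 0
                done ;;
            "$k") printf '%s\n' "$val"; return 0 ;;
        esac
    done < "$f"
    return 1
}

# Returns 0 when password logins are still possible with CONFIG.
sshd_password_logins_allowed() {
    [ "$(sshd_effective "$1" PasswordAuthentication)" != no ]
}

# Constructed sample: the main file says "no", but a cloud-image style
# drop-in, included at the top, says "yes" and wins.
sample_config() {
    d=$(mktemp -d); mkdir -p "$d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\n# hardened below\nPasswordAuthentication no\nPermitRootLogin no\n' "$d" > "$d/sshd_config"
    echo 'PasswordAuthentication yes' > "$d/sshd_config.d/50-cloud-init.conf"
    echo "$d"
}

# The fix: a drop-in that sorts before the offending one (or delete the
# offending line); then reload sshd on a live host.
harden_sample() {
    echo 'PasswordAuthentication no' > "$1/sshd_config.d/00-hardening.conf"
}

d=$(sample_config)
echo "before: PasswordAuthentication=$(sshd_effective "$d/sshd_config" PasswordAuthentication)"
harden_sample "$d"
echo "after:  PasswordAuthentication=$(sshd_effective "$d/sshd_config" PasswordAuthentication)"
rm -rf "$d"
```

On a live host the authoritative check is sudo sshd -T, which prints the fully resolved configuration with lowercase keywords; grep it for passwordauthentication after every edit and reload.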

Option 5 — Review auth logs after major changes

sudo grep -Ei "useradd|new user|sudo|Accepted" /var/log/auth.log

On Debian 12 and later without rsyslog, query the journal instead; the records are the same. Reviewing right after a deployment or a handover is when an unexpected useradd line is easiest to explain or to catch.

Optional Tools & Hosting

Manual user and key review should come first. Future recommendations may include options that make account auditing or centralized monitoring easier, but the core workflow remains Debian-first and command-driven.

Notes

Environment Note

All commands shown are based on Debian-based systems unless otherwise noted.