log has a uid 0 account - Possible hack detected.

Comments

6 comments

  • suatkocabas
    when i can try
    [root@vmi304273 ~]# cat /etc/passwd | grep 0:0
    root:x:0:0:root:/root:/bin/bash
    log:x:0:0::/home/log:/bin/bash
    [root@vmi304273 ~]# userdel -r log
    userdel: user log is currently used by process 1
    and delete it
    [root@vmi304273 ~]# userdel -f log
    userdel: user log is currently used by process 1
    [root@vmi304273 ~]# sudo killall -u log
    Cannot find user log
    [root@vmi304273 ~]# sudo killall log
    [root@vmi304273 ~]# userdel -f log
    userdel: user 'log' does not exist
    [root@vmi304273 ~]# userdel -r log
    userdel: user 'log' does not exist
    [root@vmi304273 ~]# cat /etc/passwd | grep 0:0
    root:x:0:0:root:/root:/bin/bash
    [root@vmi304273 ~]#
    OK where is the vulnerability??????
    0
  • GOT
    what does ps aux|grep log show?
    0
  • suatkocabas
    what does ps aux|grep log show?

    [root@vmi304273 ~]# ps aux|grep log
    root 628 0.0 0.0 24472 1696 ? Ss 09:38 0:09 /usr/lib/systemd/systemd-logind
    root 944 0.1 0.1 313412 42984 ? Ssl 09:38 0:42 /usr/sbin/rsyslogd -n
    dovenull 1110 0.0 0.0 46868 4544 ? S 09:38 0:00 dovecot/pop3-login
    dovenull 1111 0.0 0.0 49308 7200 ? S 09:38 0:06 dovecot/imap-login
    dovenull 1117 0.0 0.0 46864 4016 ? S 09:38 0:00 dovecot/pop3-login
    dovenull 1118 0.0 0.0 48764 6388 ? S 09:38 0:03 dovecot/imap-login
    root 1462 0.0 0.0 26300 2748 ? SN 09:38 0:00 cpanellogd - sleeping for logs
    root 2189 0.0 0.0 12800 1404 ? S 09:39 0:08 /usr/local/cpanel/bin/splitlogs --dir=/etc/apache2/logs/domlogs --main=vmi304273.contaboserver.net --suffix=-bytes_log
    root 2191 0.0 0.0 12832 1416 ? S 09:39 0:08 /usr/local/cpanel/bin/splitlogs --dir=/etc/apache2/logs/domlogs --main=vmi304273.contaboserver.net --mainout=/etc/apache2/logs/access_log
    root 7936 0.0 0.0 10292 1480 ? S 15:12 0:01 dovecot/log
    root 20848 0.0 0.0 112812 964 pts/0 S+ 17:24 0:00 grep --color=auto log
    0
  • GOT
    That first column is the user. None of the listed users are the user log, yet when you try to remove the user it claims the user is held due to locked processes. I would say that your server is likely severely compromised. I would advise you get a new server and migrate your data to this new server. A server with this level of compromise should not be trusted.
    0
  • cPRex Jurassic Moderator
    I agree with @GOT - anytime there is a user created with PID 0 it would indicate someone with root access created the user. If you don't know who that was, and you haven't had any work done on the machine recently, the system has been compromised. Migrating your data to a new machine with a fresh installation of the OS and cPanel is the only way to guarantee the issue is resolved and the system is secure.
    0
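The `grep 0:0` used above only catches entries that happen to contain the literal string `0:0`, so it would miss a second UID 0 account that was given a different primary group. The following is an added example, not code from anyone in this thread or from cPanel: it parses a passwd-format file by field and reports every non-root account with UID 0, plus any UID shared by more than one account. The function names and the constructed sample file are assumptions for illustration; pass `/etc/passwd` as the argument to run it against a real system.

```sh
#!/bin/sh
# Added example (not from the thread): audit a passwd-format file for
# UID 0 accounts other than root and for duplicate UIDs in general.

# Print the name of every account whose UID field is 0, excluding "root".
# Parsing field 3 is more reliable than grepping for "0:0", which can miss
# a uid-0 account with a non-zero gid and can match unrelated fields.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print "uid name1 name2 ..." for every UID used by more than one account.
# Any shared UID, not just 0, means two logins are indistinguishable to the
# kernel and should be reviewed.
duplicate_uid_accounts() {
    awk -F: '{ count[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in count) if (count[u] > 1) print u names[u] }' "$1"
}

# Constructed sample mirroring what the original poster found (a "log"
# account with uid 0 and gid 0); not taken from any real server.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
log:x:0:0::/home/log:/bin/bash
dovenull:x:997:995:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
EOF
}

# Audit the file given as the first argument, or the constructed sample
# when run without arguments.
main() {
    if [ -n "$1" ]; then
        f="$1"
    else
        f="$(mktemp)"
        make_sample_passwd "$f"
    fi
    echo "Accounts with UID 0 other than root:"
    extra_uid0_accounts "$f"
    echo "UIDs shared by more than one account:"
    duplicate_uid_accounts "$f"
}

main "$@"
```

On the sample this reports `log` as an extra UID 0 account and `0 root log` as a shared UID. A hit here is a strong signal, not proof on its own; as the replies above note, an unexplained UID 0 account implies someone already had root, so the finding is a reason to rebuild and migrate rather than just delete the account.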
  • suatkocabas
    thanks for your answers. @GOT @cPRex
    0