This message is to inform you that the account - has user id 0 (root privs).
Recently I have received this message. I tried to follow the instructions of an old post by tandisweb but I ran into an issue.
(original post is below my question)
Here is my problem.
When I grep the passwd file I see this:
root:x:0:0:root:/root:/bin/bash
dgc:x:0:0::/home/dgc:/bin/bash
"dgc" should obviously not be there.
So when I edit the passwd file the user dgc does NOT show up.
Each night I get a ganteng.htm file showing up in all of my public_html files.
What am I to do? This user has root and I can't get rid of it.
PS, I did try to use the delete user command; it completely cut me out of my server. I had to go to Godaddy to have them put my root account back in again, shut down the websites and everything.
Original Post from which instructions I followed.
Re: [hackcheck] http has a uid 0 account
Hi Dears
We can fix this problem
--------------------------------------
[hackcheck] admin has a uid 0 account
IMPORTANT: Do not ignore this email.
This message is to inform you that the account admin has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should
verify that your system has not been compromised.
--------------------------------------
1- First step: check which account has UID 0 on the ssh command line
>> cat /etc/passwd | grep 0:0
In the result you should see lines like these ...
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:admin:/home/admin:/bin/bash <<<<<<<<<<<<<<<<<<<<<> /etc
3-nano -w passwd
4-Find >> admin:x:0:0:admin:/home/admin:/bin/bash, and remove that line <<<<<<<<<<<<<<<<<<<> press Y
7- Check the fix with >> cat passwd
8- Restart apache
9- Finished. Enjoy it.
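Added example (not part of the original post or the quoted instructions): a POSIX shell check that lists UID-0 accounts by comparing the numeric third field of a passwd-format file exactly, placed beside the substring grep from step 1 above. The grep matches "0:0" anywhere in the line, so an account with UID 1000 and GID 0 would also be reported; comparing the field itself avoids that. The sample passwd content below is constructed for this example, and the function names are my own.

```sh
#!/bin/sh
# Constructed sample in /etc/passwd format (not from the original post).
# "dgc" is a second UID-0 account; "web" has UID 1000 but GID 0.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
dgc:x:0:0::/home/dgc:/bin/bash
web:x:1000:0:web user:/home/web:/bin/bash
EOF

# Exact check: print the login name of every entry whose UID (field 3) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Same check, but report only UID-0 accounts other than root, which is the
# list an administrator actually needs to act on.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# The substring grep from the quoted instructions, for comparison: it also
# matches "1000:0", so "web" shows up even though its UID is not 0.
naive_uid0_accounts() {
    grep '0:0' "$1" | cut -d: -f1
}

# Run the exact check against the sample, then against the live file
# if it is readable (on a real system, pass /etc/passwd).
uid0_accounts "$SAMPLE_PASSWD"
[ -r /etc/passwd ] && uid0_accounts /etc/passwd
```

Run `extra_uid0_accounts /etc/passwd` on the server; anything it prints besides nothing is an account with root privileges that the original poster's grep would have found among the false positives.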
Unfortunately, cPanel cannot assist you with security related issues, especially if you believe your server might be compromised. We do maintain a list of qualified system administrator service providers here: http://go.cpanel.net/sysadmin

Then why have a forum called "security"? There are all kinds of other threads asking about these things, why can't I?

I'm sorry, I didn't mean to be vague. To clarify, we cannot assist you with your specific situation as far as having a ghosted root account, which might be indicative of your server having been compromised. The security forum is for advice and assistance on keeping the server secure to prevent compromises. Thank you for your understanding.

OK. So then assuming that I can get this user removed, how do I prevent it from happening again? It seems to me that being able to create a root privilege user should be number one on the default security features; doesn't that make sense? I have a firewall, iptables, cPanel set to the maximum security possible, I monitor my websites daily, yet somehow someone was able to create a root user that I cannot remove. And so far, Linux, CentOS, cPanel, Godaddy have all said the same thing: "We can't help you with security."

Hello :) It's a good idea to reinstall the OS/cPanel if your server was rooted. While deleting the individual user that had root access might be sufficient, you can never truly know what other system modifications were made that could make your server vulnerable to additional attacks. The cPanel Security Advisor is a useful tool for reviewing the overall security of your system once you have the new server set up: "WHM Home » Security Center » Security Advisor". Thank you.

Are you with a managed hosting provider? These things (typically) happen one of two ways: Either you or another admin accessed the infected server from another machine that is already infected and has a keylogger/trojan, OR your kernel was out of date, and an infected website was able to gain root access. Like Michael said, removing the user is not sufficient. Someone had/has root access; they could have erased logs, trojaned the SSH service, etc. The only real way to fix this is to check all your local machines for malware FIRST, then get a new server with a clean OS and migrate your sites and data to that server. Do not log into your new server from the infected one. It's usually best, if you don't know how to do these things yourself, to pay for hosting at a managed hosting provider who can do this for you.