[cPanel hackcheck] has a uid 0 account
Hey Everyone,
Recently I received the following alert message from cPanel:

IMPORTANT: Do not ignore this email.
This message is to inform you that the account " " has user id 0 (root privileges). This may indicate that your system is compromised. To be safe, you should verify that your system is not compromised.

However, after running the following command:

# cat /etc/passwd | grep 0:0

Here were my results...

root:x:0:0:root:/root:/bin/bash

Nothing appears out of the ordinary. Any suggestions? Thanks, BJ
Hello, Did you cat the file completely and check for guid as well? The result you gave could be a false negative? Also, make sure the stat output on /etc/passwd matches the date on which you last created an account on your server.
Check that you don't have any blank lines in your /etc/passwd file. The hackcheck Perl script does not properly check for nulls when it parses the passwd file and will report those as a null user with uid 0.
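As the reply above describes, a parser that does not check for empty fields can report a blank line as a nameless uid 0 account. The following is an added example, not part of the original thread and not cPanel's hackcheck code: a field-aware check that lists UID 0 accounts and separately reports blank or malformed lines. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: field-aware UID 0 check for a passwd-format file.

# uid0_accounts FILE -> one login name per line for every well-formed
# entry whose UID field is numerically 0.
uid0_accounts() {
    awk -F: '
        /^[ \t]*$/ { next }   # blank line: not an account
        NF != 7    { next }   # wrong field count: see suspect_lines
        $1 == ""   { next }   # empty login name: see suspect_lines
        # Numeric compare on the UID field only, so "10:0" or a GID of 0
        # cannot match, and zero-padded values are still treated as 0.
        $3 ~ /^[0-9]+$/ && $3 + 0 == 0 { print $1 }
    ' "$1"
}

# suspect_lines FILE -> "LINENO:reason" for lines a parser could misread.
suspect_lines() {
    awk -F: '
        /^[ \t]*$/       { print NR ":blank"; next }
        NF != 7          { print NR ":fields=" NF; next }
        $1 == ""         { print NR ":empty-name"; next }
        $3 !~ /^[0-9]+$/ { print NR ":bad-uid" }
    ' "$1"
}

# write_sample_passwd PATH -> constructed sample data (not from a real host).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin

report:x:10:0:constructed:/home/report:/sbin/nologin
backupadm:x:0:0:constructed:/root:/bin/bash
broken:x:1001
EOF
}

# Demo on the constructed sample; a real run would pass /etc/passwd.
sample=$(mktemp)
write_sample_passwd "$sample"
echo "UID 0 accounts:";   uid0_accounts "$sample"
echo "Lines to inspect:"; suspect_lines "$sample"
rm -f "$sample"
```

Any name other than root in the first list needs an explanation; the second list gives the line numbers to clean up so that other parsers do not trip over them.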
Peter, THANK YOU SO MUCH!!!!! That's exactly what it was!!! ;-) J.
I note that the referenced changelog refers to the spurious newline error, but does not address the split error I mentioned in my ticket. Is that fixed somewhere as well?
Could you post your ticket number so we can verify the specific issue you are referencing is addressed with this case? Thank you.
Hi, The ticket I raised is: 6885261 P
Could you verify if this issue still occurs as of cPanel version 11.50.1.1 (currently only available in the "Current" build tier)? Thank you.
Well, apologies for the time taken but I only have 1 cPanel server, which I have just upgraded to WHM 11.50.1 (build 2). I have checked the hackcheck script, and whilst it does now deal with the somewhat rare issue of a blank line in the /etc/passwd file, the other flaws in that script which I mentioned in the ticket I raised still exist, which basically means that for non-blank (i.e. normal) lines the script NEVER succeeds in the uid check so will never actually do what it is attempting to do. The 'split' error is fundamental. Hope you get this resolved at some point. :D P
Could you reopen your support ticket so we can take a closer look, or open a new ticket and post the ticket number here so we can update this thread with the outcome? Thank you.
Ticket 6885261 has been re-opened with additional notes about the split issue. P
Internal case CPANEL-1498 is now open to address the additional issues you have reported in this thread. Thank you.