Possible root compromise
Hi All,
"Possible root compromise: User account kurd is a superuser (UID 0)"
I started getting this email this morning and it comes every 30 minutes or so. I have looked at all the users and can't find one called "kurd".
Is this "kurd" a built-in account or should I be worried?
I did notice that I was not getting root login notifications until I restarted lfd.
Thanks in advance
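The alert quoted above is raised when an account other than root carries UID 0, which is what lfd means by "superuser (UID 0)". As an added example (not code from this thread or from cPanel/csf), the POSIX shell functions below scan a passwd-format file and list every UID-0 entry, and separately the non-root ones the alert is about. The sample file is constructed here to stand in for /etc/passwd on the affected host. On a live system, feed `getent passwd` through the same functions as well, because an account supplied by an NSS source such as LDAP or NIS will not appear in /etc/passwd at all, which is one reason a user listing can look clean while lfd keeps alerting.

```shell
#!/bin/sh
# Added example, not from the original thread.
# find_uid0_accounts FILE -> prints "name:uid:shell" for every entry in a
# passwd-format file whose numeric UID is 0 (field 3).
find_uid0_accounts() {
    awk -F: '$3 == 0 { print $1 ":" $3 ":" $7 }' "$1"
}

# find_extra_superusers FILE -> prints the names of UID-0 accounts that are
# not "root": exactly the condition behind the "Possible root compromise" alert.
find_extra_superusers() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed sample passwd file (assumption: mirrors the situation in the
# thread, with an extra UID-0 account named "kurd").
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
shirvo:x:1001:1001::/home/shirvo:/bin/bash
kurd:x:0:0::/home/kurd:/bin/bash
EOF

echo "All UID-0 accounts:"
find_uid0_accounts "$SAMPLE_PASSWD"
echo "UID-0 accounts other than root:"
find_extra_superusers "$SAMPLE_PASSWD"
rm -f "$SAMPLE_PASSWD"

# On a real host, run the same checks against the live sources:
#   find_extra_superusers /etc/passwd
#   getent passwd | find_extra_superusers /dev/stdin
```

If the second function prints anything on a host you did not deliberately configure that way, treat it as the compromise indicator the replies below describe rather than as a false positive to silence.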
Hello, if there is a user account with UID 0 then you need to worry about that. You have to change the root password and check the server with the help of your server admin.
If you do not know of that account then your server is almost certainly root compromised. You should at this point consider a re-image (that is, move all your accounts to a new server with a new kernel and a fresh root password).
Hello Shirvo, did you try to run a rootkit and backdoor detection program? I recommend you try that first.
chkrootkit: locally checks for signs of a rootkit
Lynis: security auditing and hardening tool for Linux/Unix
You have more information here: Tips to Make Your Server More Secure - cPanel Knowledge Base - cPanel Documentation
Last week I found a suspect process running as root and it was a cPanel process.
Good luck, Joao
Hello, you may also want to consult with a qualified system administrator if you'd like additional investigation. We provide a list of companies offering system administration services at: System Administration Services | cPanel Forums. Thank you.