Am I hacked or could this be normal? HTTPD running as UID 0
I know this error is coming from CSF but wondering if I need to worry or not. The message infers that it is a big problem but I have never encountered this on any other cPanel server. This is also on a cPanel solo account so there is only one account on the whole machine.
I received this the other morning in my email. What should I do or what would you do if you received this message?
Possible hack detected.
IMPORTANT: Do not ignore this email.
This message is to inform you that the account “httpd” has user ID 0 (root privileges). This may indicate that your system is compromised. To be safe, you should verify that your system is not compromised.
This notice is the result of a request from “hackcheck”. The system generated this notice on Thursday, June 5, 2025 at 4:17:11 AM UTC.
Hey there! This is definitely something to be concerned with as cPanel doesn't create an "httpd" user on the system - Apache on cPanel has always used the "nobody" user.
I'd recommend scanning the server with our CSI tool (https://support.cpanel.net/hc/en-us/articles/4414068220183-Using-cPanel-s-malware-scanner-CSI-script) to see if that points out any obvious compromises, but if I had to bet I would say this system is likely compromised in some way.
Thank you. I am running the script. If it does not find anything should I still be concerned? Or should I remove the httpd user?
I wouldn't say the script is authoritative, as no tool can be. If it doesn't find anything I'd speak with your host to see if they can perform a thorough review of the system. Removing the user doesn't remove any of the malicious work that may have already taken place.
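The alert quoted in the question is about an account other than root holding user ID 0. As an added example (not part of the thread and not cPanel's hackcheck or CSI code), this shell function lists such accounts from a passwd-format file and uses a shadow-format file to note whether each one has a usable password; the sample files and the account name `backupadm` are constructed for the demonstration.

```shell
#!/bin/sh
# uid0_accounts PASSWD_FILE [SHADOW_FILE]
# Prints one line per non-root account with UID 0: name|home|shell|password-state
uid0_accounts() {
    awk -F: -v shadow="${2:-/dev/null}" '
        BEGIN {
            # Load the password field of every entry in the shadow-format file.
            while ((getline line < shadow) > 0) {
                split(line, f, ":")
                pw[f[1]] = f[2]
            }
        }
        /^#/ || NF < 7 { next }            # skip comments and malformed entries
        $3 ~ /^0+$/ && $1 != "root" {      # zero-padded values are treated as UID 0 too
            state = "no-shadow-entry"
            if ($1 in pw) {
                h = pw[$1]
                if (h == "")            state = "empty-password"
                else if (h ~ /^[!*]/)   state = "locked"
                else                    state = "password-set"
            }
            printf "%s|%s|%s|%s\n", $1, $6, $7, state
        }
    ' "$1"
}

# Constructed sample data (not taken from the server in the thread).
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
httpd:x:0:0::/var/www:/bin/bash
backupadm:x:00:0::/root:/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:20000:0:99999:7:::
httpd:$6$constructed$hash:20000:0:99999:7:::
backupadm:!!:20000:0:99999:7:::
EOF
}

# Run against the sample so the block works offline.
tmp=$(mktemp -d)
write_sample "$tmp"
uid0_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

On a live host the same function can be pointed at `/etc/passwd` and `/etc/shadow` as root. The login shell and password state of each hit are useful context to hand to whoever reviews the system.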