account daemon has user id 0 (root privs)
Hi,
For one of my servers I received the following email:

############################################
IMPORTANT: Do not ignore this email. This message is to inform you that the account daemon has user id 0 (root privs). This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.
############################################

When I checked /etc/passwd, I found it like this:

root@host [/tmp]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:0:2:daemon:/sbin:/bin/sh
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

I believe daemon is a system account, but its privs are not correct. Is the server actually compromised, or did the privs just get corrupted? Any suggestion will be appreciated. Thanks in advance.
UKA
No one else should have root but the root user.
Scan your server for rootkits and check the results of netstat and ps.
__________________
Upload Guardian 2.0 - Sign up for our early beta ServerProgress - Server security, consulting and assistance
Indeed. Unless you changed passwd yourself, on a default Linux server the daemon UID:GID should be 2:2; the fact that it is 0 could indicate a root compromise.
__________________
Jonathan Michaelson cPanel Forum Moderator Need your cPanel servers secured and tuned? cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf http://www.configserver.com
Quote:
I recommend that you do the following ASAP ...
1. Change the daemon line in /etc/passwd to the following:
Code:
daemon:x:2:2:daemon:/sbin:/sbin/nologin
2. … professional server security specialist to review your server immediately, because chances are that whoever hacked your system very likely gave themselves more than one backdoor, and you need an expert to review the server and find out what other compromises have been made to your server, software, or operating system.
3. Install Chirpy's fine security scripts and firewall to help prevent further exploits.
4. Lock down your server and close all the security vulnerabilities.
5. If necessary, have the OS reloaded on the server.
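The check the first reply describes (only root should have UID 0) and the passwd fix the last reply recommends, as an added example that is not part of any post in this thread. The script embeds a constructed passwd file copied in shape from the original poster's dump; the function names `uid0_accounts`, `uid0_with_shell`, `audit_passwd` and `restore_daemon_line` are my own, not tools from the thread. Note that the awk tests look at field 3 (the UID): an entry such as `sync:x:5:0:...` has GID 0 and is not flagged, which is the distinction the monitoring mail is drawing.

```bash
#!/bin/sh
# Added example, not from the thread. Audits a passwd-format file for any
# account other than root that has UID 0 (the condition the warning mail
# in the thread reports) and shows the daemon line restored to its default.

# Constructed sample, modelled on the /etc/passwd dump posted in the thread.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:0:2:daemon:/sbin:/bin/sh
adm:x:3:4:adm:/var/adm:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
EOF

# Print every account name whose UID (field 3) is 0 and is not "root".
# Usage: uid0_accounts /etc/passwd
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Same, but only accounts that also have a usable login shell (field 7).
# A system account such as daemon is normally /sbin/nologin, so a UID-0
# entry with /bin/sh is the more alarming of the two cases.
uid0_with_shell() {
    awk -F: '$3 == 0 && $1 != "root" && $7 !~ /nologin|false/ { print $1 }' "$1"
}

# Return 1 (and list the offenders) if any extra UID-0 account exists,
# 0 otherwise, so this can sit in a cron job or a monitoring check.
audit_passwd() {
    hits="$(uid0_accounts "$1")"
    if [ -n "$hits" ]; then
        printf 'WARNING: non-root accounts with UID 0:\n%s\n' "$hits"
        return 1
    fi
    echo "OK: only root has UID 0"
    return 0
}

# Print the file with the daemon entry reset to UID 2, GID 2 and no login
# shell, the line the last reply recommends. Output goes to stdout; it does
# not edit the file in place, so you can diff before applying.
restore_daemon_line() {
    awk -F: 'BEGIN { OFS = ":" }
             $1 == "daemon" { $3 = 2; $4 = 2; $7 = "/sbin/nologin" }
             { print }' "$1"
}

# Stand-alone run: audit the sample, then show the repaired daemon line.
audit_passwd "$SAMPLE_PASSWD" || true
restore_daemon_line "$SAMPLE_PASSWD" | grep '^daemon:'
```

Run it against the real file with `audit_passwd /etc/passwd`; a non-zero exit status is the signal to investigate further, since, as the replies point out, a changed UID is evidence of a compromise rather than the compromise itself, and the rootkit scan and netstat/ps review still have to follow.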