  1. #1
    Registered User
    Join Date
    Aug 2002
    Posts
    35

    account daemon has user id 0 (root privs)

    Hi,

    For one of my servers I received the following email:

    ############################################
    IMPORTANT: Do not ignore this email.
    This message is to inform you that the account daemon has user id 0 (root privs).
    This could mean that your system was compromised (OwN3D). To be safe you should
    verify that your system has not been compromised.
    ############################################

    When I checked /etc/passwd, I found it like this:

    root@host [/tmp]# cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:0:2:daemon:/sbin:/bin/sh
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
    news:x:9:13:news:/etc/news:
    uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin


    I believe daemon is a system account, but its privs are not correct. Is the server actually compromised, or did the privs just get corrupted? Any suggestion will be appreciated.

    Thanks in advance.
    UKA

  2. #2
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675


    No one else should have root but the root user.

    Scan your server for rootkits and check results of netstat and ps results.
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance

  3. #3
    Super Moderator (chirpy) - This forum account has been confirmed by cPanel staff to represent a vendor.
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    Indeed. Unless you changed passwd yourself (on a default Linux server the daemon UID:GID should be 2:2), the fact that it is 0 could indicate a root compromise.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  4. #4
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025


    daemon:x:0:2:daemon:/sbin:/bin/sh
    You have definitely been hacked!

    I recommend that you do the following ASAP ...

    1. Change the daemon line in /etc/passwd to the following:
    Code:
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    2. Get myself (best option - 32 years experience) or another well experienced
    professional server security specialist to review your server immediately because
    chances are that whoever hacked your system very likely gave themselves more
    than one single backdoor and you need an expert to review the server and find out
    what other compromises have been made to your server, software, or operating system.

    3. Install Chirpy's fine security scripts and firewall to help prevent further exploit

    4. Lock down your server and close all the security vulnerabilities

    5. If necessary, have the OS reloaded on the server
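An added example (not code from the thread or from any poster) that turns the replies' check into a script: it parses a passwd file, lists every non-root account sitting on UID 0, and also lists low-UID system accounts that still have an interactive shell (the posted daemon line has /bin/sh where the suggested fix uses /sbin/nologin). The sample input is the listing from the first post; the UID cutoff of 99 for "system account" is an assumption.

```python
# Added example, not from the thread. Every UID 0 account is root-equivalent
# whatever its name, so any non-root name on UID 0 is a red flag; a service
# account with a real login shell is a second thing worth checking.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/ksh", "/bin/zsh", "/bin/csh"}

# The /etc/passwd excerpt from the original post, used as the sample input.
POSTED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:0:2:daemon:/sbin:/bin/sh
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
"""

def parse_passwd(text):
    """Return a list of (name, uid, gid, shell) tuples; skip blank/comment lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields")
        name, _pw, uid, gid, _gecos, _home, shell = fields
        # An empty shell field is not "no shell": login falls back to /bin/sh.
        entries.append((name, int(uid), int(gid), shell or "/bin/sh"))
    return entries

def rogue_root_accounts(entries):
    """Accounts that are root-equivalent (UID 0) without being named root."""
    return [name for name, uid, _gid, _shell in entries if uid == 0 and name != "root"]

def system_accounts_with_login_shell(entries, max_system_uid=99):
    """Low-UID service accounts (assumed cutoff 99) that can be logged into."""
    return [name for name, uid, _gid, shell in entries
            if name != "root" and uid <= max_system_uid and shell in INTERACTIVE_SHELLS]

def audit(text):
    entries = parse_passwd(text)
    return {"uid0": rogue_root_accounts(entries),
            "login_shell": system_accounts_with_login_shell(entries)}

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else POSTED_PASSWD
    print(audit(text))
```

Run it with a path to a passwd file to audit a live host; with no argument it audits the posted listing and reports daemon under both checks and news (empty shell field) under the login-shell check.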
