The Community Forums

Interact with an entire community of cPanel & WHM users!

account daemon has user id 0 (root privs)

Discussion in 'General Discussion' started by ukagg, Mar 19, 2007.

  1. ukagg

    ukagg Active Member

    Joined:
    Aug 14, 2002
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    For one of my servers I received the following email:

    ############################################
    IMPORTANT: Do not ignore this email.
    This message is to inform you that the account daemon has user id 0 (root privs).
    This could mean that your system was compromised (OwN3D). To be safe you should
    verify that your system has not been compromised.
    ############################################

    When I checked /etc/passwd, I found it like this:-

    root@host [/tmp]# cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:0:2:daemon:/sbin:/bin/sh
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
    news:x:9:13:news:/etc/news:
    uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin


    I believe daemon is a system account, but its privs are not correct. Is the server actually compromised, or did the privs just get corrupted? Any suggestion will be appreciated.

    Thanks in advance.
    UKA
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    No one else should have root but the root user.

    Scan your server for rootkits and check results of netstat and ps results.
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Indeed. Unless you changed passwd yourself: on a default Linux server the daemon UID:GID should be 2:2, so the fact that it is 0 could indicate a root compromise.
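    The check behind the warning email, written out as an added example (not cPanel's code and not from any poster): parse a passwd file, flag any non-root account holding UID 0, and compare service accounts against a small baseline. The baseline holds only what this thread states (daemon should be 2:2 with a non-interactive shell), and the sample input is constructed from the listing in the first post.

```python
from typing import Dict, List, NamedTuple, Tuple

class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    shell: str

# Expected daemon entry per the replies in this thread (UID 2, GID 2, no login shell).
BASELINE: Dict[str, Tuple[int, int, str]] = {"daemon": (2, 2, "/sbin/nologin")}

def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) text; reject malformed lines rather than guessing."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, _home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), shell))
    return entries

def uid0_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Accounts other than root with UID 0: the 'root privs' condition in the
    warning email.  GID 0 alone is not flagged; sync, shutdown and halt carry
    GID 0 in the default layout shown in the thread."""
    return [e.name for e in entries if e.uid == 0 and e.name != "root"]

def baseline_drift(entries: List[PasswdEntry]) -> List[str]:
    """Service accounts whose UID, GID or shell differs from BASELINE."""
    drift = []
    for e in entries:
        want = BASELINE.get(e.name)
        if want and (e.uid, e.gid, e.shell) != want:
            drift.append(f"{e.name}: have {e.uid}:{e.gid} {e.shell}, "
                         f"expected {want[0]}:{want[1]} {want[2]}")
    return drift

# Constructed sample: the first entries of the listing posted in this thread.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:0:2:daemon:/sbin:/bin/sh
sync:x:5:0:sync:/sbin:/bin/sync
"""

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE)
    print(uid0_accounts(entries), baseline_drift(entries))
```

    Running it against the real file (`parse_passwd(open("/etc/passwd").read())`) reproduces the email's finding for this server; the drift check also catches the interactive shell on daemon, which the UID test alone does not.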
     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    You have definitely been hacked!

    I recommend that you do the following ASAP ...

    1. Change the daemon line in /etc/passwd to the following:
    Code:
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    
    2. Get myself (best option - 32 years experience) or another well experienced
    professional server security specialist to review your server immediately because
    chances are that whoever hacked your system very likely gave themselves more
    than one single backdoor and you need an expert to review the server and find out
    what other compromises have been made to your server, software, or operating system.

    3. Install Chirpy's fine security scripts and firewall to help prevent further exploits

    4. Lock down your server and close all the security vulnerabilities

    5. If necessary, have the OS reloaded on the server
     