account "xxx" has user ID 0 (root privileges)

Discussion in 'Security' started by erdeme61, Jul 28, 2017.

  1. erdeme61

    erdeme61 Registered

    Hey everyone, I recently started to get mails from my WHM that say this:

    Code:
       
    IMPORTANT: Do not ignore this email.
    
    This message is to inform you that the account “apache_user” has user ID 0 (root privileges). This may indicate that your system is compromised. To be safe, you should verify that your system is not compromised.
    
    This notice is the result of a request from “hackcheck”.
    The system generated this notice on Thursday, July 27, 2017 at 7:59:37 PM UTC.
    “Root Compromise Checks” notifications are currently configured to have an importance of “High”. You can change the importance or disable this type of notification in WHM’s Contact Manager at: https://xxxx:2087/scripts2/editcontact?event=Check::Hack
    
    Do not reply to this automated message.
    I did some research about this and I found this thread: [cPanel hackcheck] has a uid 0 account

    I used the command line:
    Code:
    # cat /etc/passwd | grep 0:0
    the result was this:
    Code:
    root:x:0:0:root:/root:/bin/bash
    apache_user:x:0:0::/home/apache_user:/bin/bash
    Does this mean I'm hacked, or is it a normal thing? I deleted the line that says apache_user. What can I do to avoid this, or what can cause this? I don't know.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hi @erdeme61,

    The /etc/passwd entry you are referring to does sometimes indicate a root-level compromise, but it's difficult to diagnose this type of issue without access to the affected system. Feel free to open a support ticket using the link in my signature and we can run some basic checks to see if there are any obvious signs of a root compromise.

    There's a document on this topic at:

    Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation

    Thank you.
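
The `grep 0:0` command in the first post matches that string anywhere on a line, so it can also hit accounts whose UID merely ends in 0. The following is an added example, not part of the thread and not cPanel's hackcheck code, that tests only the UID field of a passwd-format file; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report accounts other than root whose UID field is zero.
# Function names and the sample data are assumptions made for illustration.

# uid0_accounts FILE -> prints "name uid gid shell" for each such entry
uid0_accounts() {
    awk -F: '
        /^[ \t]*#/ { next }            # skip comment lines
        /^[+-]/    { next }            # skip NIS compat entries
        NF < 7     { next }            # skip blank or malformed lines
        $3 ~ /^0+$/ && $1 != "root" {  # third field (UID) is all zeros
            print $1, $3, $4, $7
        }
    ' "$1"
}

# Constructed sample: the two entries quoted in the thread, plus an ordinary
# account (UID 500, GID 0) that a plain "grep 0:0" also matches, and one
# account that matches neither check.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache_user:x:0:0::/home/apache_user:/bin/bash
backup:x:500:0:backup:/home/backup:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
EOF
}

# Demo: compare the substring match with the field-accurate check.
tmp=$(mktemp)
sample_passwd > "$tmp"
echo "lines matched by grep 0:0: $(grep -c '0:0' "$tmp")"
echo "UID 0 accounts other than root:"
uid0_accounts "$tmp"
rm -f "$tmp"
```

On a live system the function would be pointed at `/etc/passwd`; it only reads the file and changes nothing.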
     