account "xxx" has user ID 0 (root privileges)

Discussion in 'Security' started by erdeme61, Jul 28, 2017.

  1. erdeme61

    Hey everyone, I recently started to get mails from my WHM that say this:

    Code:
       
    IMPORTANT: Do not ignore this email.
    
    This message is to inform you that the account “apache_user” has user ID 0 (root privileges). This may indicate that your system is compromised. To be safe, you should verify that your system is not compromised.
    
    This notice is the result of a request from “hackcheck”.
    The system generated this notice on Thursday, July 27, 2017 at 7:59:37 PM UTC.
    “Root Compromise Checks” notifications are currently configured to have an importance of “High”. You can change the importance or disable this type of notification in WHM’s Contact Manager at: https://xxxx:2087/scripts2/editcontact?event=Check::Hack
    
    Do not reply to this automated message.
    I did some research about this and I found this thread: [cPanel hackcheck] has a uid 0 account

    I used the command line:
    Code:
    # cat /etc/passwd | grep 0:0
    The result was this:
    Code:
    root:x:0:0:root:/root:/bin/bash
    apache_user:x:0:0::/home/apache_user:/bin/bash
    Does this mean I'm hacked, or is it a normal thing? I deleted the line that says apache_user. What can I do to avoid this, or what can cause this? I don't know.
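
The check discussed in the post above, as an added example that is not part of the original post and is not cPanel's hackcheck code: it compares the UID field of each passwd entry instead of matching the substring `0:0`. The function names `uid0_accounts` and `sample_passwd` and the sample entries other than the two lines quoted in the post are constructed for illustration.

```shell
#!/bin/sh
# Added example (not cPanel's hackcheck code): list every account other than
# "root" whose UID field is 0. passwd(5) fields: name:pw:UID:GID:GECOS:home:shell

# uid0_accounts: reads passwd-format lines on stdin and prints
# "name gid shell" for each non-root entry whose third field is numerically 0.
uid0_accounts() {
    awk -F: '
        NF < 7 { next }                      # skip blank or malformed lines
        $3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $1 != "root" { print $1, $4, $7 }
    '
}

# sample_passwd: constructed sample data, not taken from any real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache_user:x:0:0::/home/apache_user:/bin/bash
backup100:x:100:0::/home/backup100:/bin/bash
svc_example:x:0:1001::/home/svc_example:/bin/sh
EOF
}

# On the sample, "grep 0:0" also matches backup100 (UID 100, GID 0) and misses
# svc_example (UID 0, GID 1001); comparing field 3 reports only the UID 0 entries.
if [ "$#" -gt 0 ]; then
    uid0_accounts < "$1"        # e.g. sh check_uid0.sh /etc/passwd
else
    sample_passwd | uid0_accounts
fi
```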
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hi @erdeme61,

    The /etc/passwd entry you are referring to does sometimes indicate a root-level compromise, but it's difficult to diagnose this type of issue without access to the affected system. Feel free to open a support ticket using the link in my signature and we can run some basic checks to see if there are any obvious signs of a root compromise.

    There's a document on this topic at:

    Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation

    Thank you.
     