[cPanel hackcheck] has a uid 0 account

[biggjoe]

Hey Everyone,

Recently I received the following alert message from cPanel:

IMPORTANT: Do not ignore this email.

This message is to inform you that the account “ ” has user id 0 (root privileges). This may indicate that your system is compromised. To be safe, you should verify that your system is not compromised.

However, after running the following command:

# cat /etc/passwd | grep 0:0

Here were my results...

root:x:0:0:root:/root:/bin/bash

Nothing appears out of the ordinary.

Any suggestions?

Thanks,

BJ


[FONT=Verdana, Arial, Tahoma, Calibri, Geneva, sans-serif]IMPORTANT: Do not ignore this email.
This message is to inform you that the account “ ” has user id 0 (root privileges). This may indicate that your system is compromised. To be safe, you should verify that your system is not compromised.[/FONT]

 

[24x7ss]

Hello,

Did you cat the file completely and checked for guid as well ? It result you gave could be false negative ? Also, make sure the stat output on /etc/passwd matches the date on which you created an account on your server lastly.

 

[Peter Green]

Check that you don't have any blank lines in your /etc/passwd file. The hackcheck Perl script does not properly check for nulls when it parses the passwd file and will report those as a null user with uid 0.

 

[biggjoe]

Peter,

THANK YOU SO MUCH!!!!! That's exactly what it was!!!

;-)

J.

 

[cPanelMichael]

Hello

I'm happy to see you were able to address the issue. Thank you for updating us with the outcome. Note this is addressed with internal case number 192573. You can monitor our change log to see when it's been released:

cPanel - 11.50 Change Log

Thank you.

 

[Peter Green]

I note that the referenced changelog refers to the spurious newline error, but does not address the split error I mentioned in my ticket. Is that fixed somewhere as well?

 

[cPanelMichael]

New I note that the referenced changelog refers to the spurious newline error, but does not address the split error I mentioned in my ticket. Is that fixed somewhere as well?

Could you post your ticket number so we can verify the specific issue you are referencing is addressed with this case?

Thank you.

 

[Peter Green]

Hi, The ticket I raised is : 6885261

P

 

[cPanelMichael]

Could you verify if this issue still occurs as of cPanel version 11.50.1.1 (currently only available in the "Current" build tier)?

Thank you.

 

[Peter Green]

Well, apologies for the time taken but I only have 1 cPanel server, which I have just upgraded to WHM 11.50.1 (build 2).

I have checked the hackcheck script, and whilst it does now deal with the somewhat rare issue of a blank line in the etc/passwd file, the other flaws in that script which I mentioned in the ticket I raised still exist, which basically means that for non blank (i.e. normal lines) the script NEVER succeed in the uid check so will never actually do what it is attempting to do. The 'split' error is fundamental.

Hope you get this resolved at some point. :D

P

 

[cPanelMichael]

Could you reopen your support ticket so we can take a closer look, or open a new ticket and post the ticket number here so we can update this thread with the outcome?

Thank you.

 

[Peter Green]

Ticket 6885261 has been re-opened with additional notes about the split issue.

P

 

[cPanelMichael]

Internal case CPANEL-1498 is now open to address the additional issues you have reported in this thread.

Thank you.