[cPanel hackcheck] has a uid 0 account

biggjoe

Member
Aug 31, 2005
5
0
151
Hey Everyone,

Recently I received the following alert message from cPanel:

IMPORTANT: Do not ignore this email.

This message is to inform you that the account “ ” has user id 0 (root privileges). This may indicate that your system is compromised. To be safe, you should verify that your system is not compromised.
However, after running the following command:

Code:
# cat /etc/passwd | grep 0:0
Here were my results...

Code:
root:x:0:0:root:/root:/bin/bash
Nothing appears out of the ordinary.

Any suggestions?

Thanks,

BJ


[FONT=Verdana, Arial, Tahoma, Calibri, Geneva, sans-serif]IMPORTANT: Do not ignore this email.
This message is to inform you that the account “ ” has user id 0 (root privileges). This may indicate that your system is compromised. To be safe, you should verify that your system is not compromised.
[/FONT]
 

24x7ss

Well-Known Member
Sep 30, 2014
272
17
68
India
cPanel Access Level
Root Administrator
Twitter
Hello,

Did you cat the file completely and checked for guid as well ? It result you gave could be false negative ? Also, make sure the stat output on /etc/passwd matches the date on which you created an account on your server lastly.
 

Peter Green

Member
Jun 25, 2015
5
1
3
Darwin
cPanel Access Level
Root Administrator
Check that you don't have any blank lines in your /etc/passwd file. The hackcheck Perl script does not properly check for nulls when it parses the passwd file and will report those as a null user with uid 0.
 
  • Like
Reactions: biggjoe

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
Hello :)

I'm happy to see you were able to address the issue. Thank you for updating us with the outcome. Note this is addressed with internal case number 192573. You can monitor our change log to see when it's been released:

cPanel - 11.50 Change Log

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
New I note that the referenced changelog refers to the spurious newline error, but does not address the split error I mentioned in my ticket. Is that fixed somewhere as well?
Could you post your ticket number so we can verify the specific issue you are referencing is addressed with this case?

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
Could you verify if this issue still occurs as of cPanel version 11.50.1.1 (currently only available in the "Current" build tier)?

Thank you.
 

Peter Green

Member
Jun 25, 2015
5
1
3
Darwin
cPanel Access Level
Root Administrator
Well, apologies for the time taken but I only have 1 cPanel server, which I have just upgraded to WHM 11.50.1 (build 2).

I have checked the hackcheck script, and whilst it does now deal with the somewhat rare issue of a blank line in the etc/passwd file, the other flaws in that script which I mentioned in the ticket I raised still exist, which basically means that for non blank (i.e. normal lines) the script NEVER succeed in the uid check so will never actually do what it is attempting to do. The 'split' error is fundamental.

Hope you get this resolved at some point. :D

P
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
Could you reopen your support ticket so we can take a closer look, or open a new ticket and post the ticket number here so we can update this thread with the outcome?

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
Internal case CPANEL-1498 is now open to address the additional issues you have reported in this thread.

Thank you.