[cPanel hackcheck] has a uid 0 account

Discussion in 'Security' started by biggjoe, Jun 17, 2015.

  1. biggjoe

    biggjoe Member

    Joined:
    Aug 31, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Hey Everyone,

    Recently I received the following alert message from cPanel:

        IMPORTANT: Do not ignore this email.
        This message is to inform you that the account “ ” has user id 0 (root privileges). This may indicate that your system is compromised. To be safe, you should verify that your system is not compromised.

    However, after running the following command:

    Code:
    # cat /etc/passwd | grep 0:0
    Here were my results...

    Code:
    root:x:0:0:root:/root:/bin/bash
    Nothing appears out of the ordinary.

    Any suggestions?

    Thanks,

    BJ
     
  2. 24x7ss

    24x7ss Well-Known Member

    Joined:
    Sep 30, 2014
    Messages:
    271
    Likes Received:
    16
    Trophy Points:
    18
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    Did you cat the file completely and check for guid as well? The result you gave could be a false negative? Also, make sure the stat output on /etc/passwd matches the date on which you last created an account on your server.
     
  3. Peter Green

    Peter Green Member

    Joined:
    Jun 25, 2015
    Messages:
    5
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Darwin
    cPanel Access Level:
    Root Administrator
    Check that you don't have any blank lines in your /etc/passwd file. The hackcheck Perl script does not properly check for nulls when it parses the passwd file and will report those as a null user with uid 0.
     
    biggjoe likes this.
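
The failure mode described in the post above, as an added example that is not part of the original thread and is not cPanel's hackcheck code: a uid check that coerces a missing field to a number reports a blank line as a nameless uid 0 account, while a check that classifies the line first does not. It goes slightly beyond the thread by also flagging lines with the wrong field count. The function names and the sample entries (including `svcadmin`) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not cPanel's hackcheck code. All names and sample data are
# constructed for illustration.

# Constructed sample: root, a stray blank line, a service account, and a
# second uid 0 account.
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        '' \
        'daemon:x:2:2:daemon:/sbin:/sbin/nologin' \
        'svcadmin:x:0:0::/root:/bin/sh'
}

# Naive check: coerce field 3 to a number and compare with 0. A blank line
# has no field 3; the missing value coerces to 0, so the line is reported as
# a nameless uid 0 account.
naive_uid0() {
    awk -F: '($3 + 0) == 0 { printf "%d:[%s]\n", NR, $1 }' "$1"
}

# Strict check: classify the line first, then match the uid as a string of
# digits instead of relying on numeric coercion.
audit_passwd() {
    awk -F: '
        /^[ \t]*$/  { printf "%d:BLANK\n", NR; next }
        NF != 7     { printf "%d:MALFORMED\n", NR; next }
        $3 ~ /^0+$/ { printf "%d:UID0:%s\n", NR, $1 }
    ' "$1"
}

# Demo on the constructed sample; on a server, run: audit_passwd /etc/passwd
tmp=$(mktemp)
sample_passwd > "$tmp"
echo "naive:";  naive_uid0 "$tmp"
echo "strict:"; audit_passwd "$tmp"
rm -f "$tmp"
```

A `grep 0:0` over the same file prints only the real uid 0 entries, which is why a blank line stays invisible to that check; the `BLANK` line number from `audit_passwd` points straight at it.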
  4. biggjoe

    biggjoe Member

    Peter,

    THANK YOU SO MUCH!!!!! That's exactly what it was!!!

    ;-)

    J.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I'm happy to see you were able to address the issue. Thank you for updating us with the outcome. Note this is addressed with internal case number 192573. You can monitor our change log to see when it's been released:

    cPanel - 11.50 Change Log

    Thank you.
     
  6. Peter Green

    Peter Green Member

    I note that the referenced changelog refers to the spurious newline error, but does not address the split error I mentioned in my ticket. Is that fixed somewhere as well?
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you post your ticket number so we can verify the specific issue you are referencing is addressed with this case?

    Thank you.
     
  8. Peter Green

    Peter Green Member

    Hi, the ticket I raised is: 6885261

    P
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you verify if this issue still occurs as of cPanel version 11.50.1.1 (currently only available in the "Current" build tier)?

    Thank you.
     
  10. Peter Green

    Peter Green Member

    Well, apologies for the time taken but I only have 1 cPanel server, which I have just upgraded to WHM 11.50.1 (build 2).

    I have checked the hackcheck script, and whilst it does now deal with the somewhat rare issue of a blank line in the /etc/passwd file, the other flaws in that script which I mentioned in the ticket I raised still exist, which basically means that for non-blank (i.e. normal) lines the script NEVER succeeds in the uid check, so it will never actually do what it is attempting to do. The 'split' error is fundamental.

    Hope you get this resolved at some point. :D

    P
     
    #10 Peter Green, Sep 11, 2015
    Last edited by a moderator: Sep 11, 2015
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you reopen your support ticket so we can take a closer look, or open a new ticket and post the ticket number here so we can update this thread with the outcome?

    Thank you.
     
  12. Peter Green

    Peter Green Member

    Ticket 6885261 has been re-opened with additional notes about the split issue.

    P
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
