[hackcheck] bob has a uid 0 account

wsenter

Well-Known Member
Aug 5, 2003
Texas
I received this e-mail from cPanel...

IMPORTANT: Do not ignore this email.
This message is to inform you that the account bob has user id 0 (root privs). This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.

In the file "/etc/passwd" I removed the line 'bob:x:0:0::/home/pas:/bin/sh'

Is there anyway to determine what the history for that user was to see what he might have been doing in the server? What steps do we need to take to harden the server to make sure that this does not happen again?
 

Anne

Member
Oct 4, 2006
Hi,
Firstly, if some hacker has set uid 0 then please remove or disable this line.
When hackers are logged into the system they generally delete history.
You can check with the last command and in messages who has logged into your server.

1) Check ps aufx | grep nobody; other than httpd, no files should run as user nobody.
2) Check your /tmp partition for any suspicious files you might find.
3) Run chkroot and rkhunter on the server to see which files are having problems.
4) Check that all the sites on the server are working fine.

Also check this http://www.linuxdevcenter.com/pub/a/linux/2006/03/23/secure-your-server.html?page=1
This may help you.
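The condition the hackcheck mail reports (an account other than root carrying UID 0) can be audited directly from /etc/passwd. The script below is an added example, not code from the thread or from cPanel; it runs against a constructed passwd-format file containing the "bob" line quoted in the first post, and would be pointed at the real /etc/passwd in practice.

```sh
#!/bin/sh
# Added example: audit a passwd-format file for the condition cPanel's
# hackcheck mail warns about -- any account other than root whose numeric
# UID is 0. Each line has the form name:x:uid:gid:gecos:home:shell.

# Print "name:home:shell" for every entry with UID 0 whose name is not root.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $6 ":" $7 }' "$1"
}

# Count how many entries in the file claim UID 0 (a healthy box reports 1).
count_uid0() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Write a constructed sample resembling the thread to the given path: a
# legitimate root entry, normal users, and the planted "bob" line.
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:0:0::/home/pas:/bin/sh
EOF
}

# Stand-alone run against the constructed sample.
sample="$(mktemp)"
make_sample "$sample"
find_extra_uid0 "$sample"    # bob:/home/pas:/bin/sh
count_uid0 "$sample"         # 2
rm -f "$sample"
```

Replace the sample path with /etc/passwd to check a live system; any output from find_extra_uid0, or a count above 1, is the same signal the hackcheck mail raised.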
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
wsenter said:
IMPORTANT: Do not ignore this email.
This message is to inform you that the account bob has user id 0 (root privs). This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.
Download and install rkhunter and chkrootkit. See what the results are and post them here. If you are hit by the SHV4 and SHV5 rootkits, the best you can do is back up your data, format your HD and do an OS reload.
 

[Q3]

Member
Apr 8, 2003
Hi guys,

I received the same problem last night. I have disabled everything and changed the passwords for my users, but the email that I received is about the user qmail.

IMPORTANT: Do not ignore this email.
This message is to inform you that the account qmails has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should
verify that your system has not been compromised.

My question is: does QMAIL have an effect on cPanel? If so, how could I find a workaround?

Thanks,

Franco
 

[Q3]

Member
Apr 8, 2003
After I did the check, it returned this:
Searching for anomalies in shell history files... Warning: `//root/.bash_history' file size is zero
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)

Do you have a solution on how to fix this?

Thanks,

Franco
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
That looks very suspicious indeed. A user account won't be created with a UID of 0 unless you explicitly do it. The fact that one was created and that root's .bash_history file has been zeroed strongly points to your server having been root compromised.

If you are unsure of how to confirm that, then ask your datacenter for help or seek out a competent server administrator who can do that for you. Meanwhile, make sure you have a cPanel backup of all your user data as you will need to have the OS reinstalled and then restore those backups and have your server better secured.
 

ramprage

Well-Known Member
Jul 21, 2002
Canada
I agree with Chirpy on this; ensure your clients' backup is safely stored somewhere else ASAP. You'll need someone with a lot of knowledge to investigate your box, but it does sound like you've been rooted. In such a case, you should always do an OS reload and properly secure the box, then reload client data.