The Community Forums


[hackcheck] bob has a uid 0 account

Discussion in 'General Discussion' started by wsenter, Oct 4, 2006.

  1. wsenter

    wsenter Well-Known Member

    Joined:
    Aug 5, 2003
    Messages:
    88
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Texas
    I received this e-mail from cPanel:

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the account bob has user id 0 (root privs). This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.

    In the file "/etc/passwd" I removed the line 'bob:x:0:0::/home/pas:/bin/sh'

    Is there any way to determine what the history for that user was, to see what he might have been doing on the server? What steps do we need to take to harden the server to make sure that this does not happen again?
     
  2. Anne

    Anne Member

    Joined:
    Oct 4, 2006
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Hi,
    Firstly, if some hacker has set uid 0 then please remove or disable this line.
    When hackers are logged into the system they generally delete history.
    You can check with the last command and from messages who has logged into your server.

    1) Check ps aufx | grep nobody; other than httpd no files should run as user nobody.
    2) Check your /tmp partition to see if there are any suspicious files.
    3) Run chkrootkit and rkhunter on the server to see which files are having problems.
    4) Check that all the sites on the server are working fine.

    Also check this http://www.linuxdevcenter.com/pub/a/linux/2006/03/23/secure-your-server.html?page=1
    This may help you.
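    The checks listed above (UID 0 accounts in /etc/passwd, unexpected processes running as nobody, zeroed shell history) can be scripted so they are repeatable. The following is an added example written for this thread, not code from the original posts or from cPanel; the sample passwd and process listings it runs against are constructed, and the function names (uid0_accounts, unexpected_procs, empty_history_files) are my own. On a live system you would feed the functions real data, e.g. uid0_accounts < /etc/passwd and ps -eo user=,comm= | unexpected_procs nobody httpd.

```shell
#!/bin/sh
# Added example (not from the thread): repeatable triage helpers for the
# checks discussed above. Each function reads its input from stdin or
# arguments so it runs offline against constructed data, or live against
# /etc/passwd, ps output and home directories.

# Print every account whose numeric UID is 0 apart from root itself.
# Reads passwd-format lines (name:pw:uid:gid:gecos:home:shell) on stdin.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print commands running as $1 that are not in the space-separated
# allow-list $2. Reads "user command" lines on stdin, as produced by
# ps -eo user=,comm= on a live system.
unexpected_procs() {
    user=$1
    allowed=$2
    awk -v u="$user" -v a="$allowed" '
        BEGIN { n = split(a, list, " "); for (i = 1; i <= n; i++) ok[list[i]] = 1 }
        $1 == u && !($2 in ok) { print $2 }'
}

# Report shell history files that exist but are empty (a zeroed history is
# exactly what the chkrootkit warning later in this thread reports).
# Takes file paths as arguments.
empty_history_files() {
    for f in "$@"; do
        [ -f "$f" ] && [ ! -s "$f" ] && echo "$f"
    done
    return 0
}

# Constructed sample data for offline demonstration (not real system data).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bob:x:0:0::/home/pas:/bin/sh
alice:x:1001:1001::/home/alice:/bin/bash
qmails:x:0:0::/var/qmail:/bin/sh'

SAMPLE_PS='root init
nobody httpd
nobody httpd
nobody perl
alice bash'

run_demo() {
    echo "== UID 0 accounts other than root =="
    printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
    echo "== processes as nobody that are not httpd =="
    printf '%s\n' "$SAMPLE_PS" | unexpected_procs nobody "httpd"
    # Build two throwaway history files: one zeroed, one with content.
    tmpd=$(mktemp -d)
    : > "$tmpd/.bash_history"
    echo "ls" > "$tmpd/.sh_history"
    echo "== empty shell history files =="
    empty_history_files "$tmpd/.bash_history" "$tmpd/.sh_history"
    rm -rf "$tmpd"
}

run_demo
```

    Against the constructed data the script flags bob and qmails as extra UID 0 accounts (the two names from this thread), perl as a non-httpd process running as nobody, and the zero-length .bash_history. A hit from any of these is a reason to treat the box as compromised and follow the backup, reinstall and restore advice given later in the thread rather than to start cleaning files by hand.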
     
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Download and install rkhunter and chkrootkit. See what the results are and post it here. If you are hit by SHV4 and SHV5 rootkits, the best you can do is backup your data, format your HD and do an OS reload.
     
  4. [Q3]

    [Q3] Member

    Joined:
    Apr 8, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Hi guys,

    I received the same problem last night. I have disabled everything and changed the password for my users, but the email that I received is about the user qmail.

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the account qmails has user id 0 (root privs).
    This could mean that your system was compromised (OwN3D). To be safe you should
    verify that your system has not been compromised.

    My question is, does QMAIL have an effect on cPanel? If so, how could I find a workaround?

    Thanks,

    Franco
     
  5. [Q3]

    [Q3] Member

    Joined:
    Apr 8, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    After I did the check, it returned this:
    Searching for anomalies in shell history files... Warning: `//root/.bash_history' file size is zero
    Checking `asp'... not infected
    Checking `bindshell'... INFECTED (PORTS: 465)

    Do you have a solution on how to fix this?

    Thanks,

    Franco
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That looks very suspicious indeed. A user account won't be created with a UID of 0 unless you explicitly do it. The fact one was created and that root's .bash_history file has been zeroed strongly points to your server having been root compromised.

    If you are unsure of how to confirm that, then ask your datacenter for help or seek out a competent server administrator who can do that for you. Meanwhile, make sure you have a cPanel backup of all your user data as you will need to have the OS reinstalled and then restore those backups and have your server better secured.
     
  7. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I agree with Chirpy on this; ensure your clients' backup is safely stored somewhere else asap. You'll need someone with a lot of knowledge to investigate your box, but it does sound like you've been rooted. In such a case, you should always do an OS reload and properly secure the box, then reload client data.
     
