[hackcheck] bob has a uid 0 account

wsenter

Well-Known Member
Aug 5, 2003
88
0
156
Texas
I reveived this e-mail from cPanel..

IMPORTANT: Do not ignore this email.
This message is to inform you that the account bob has user id 0 (root privs). This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.

In the file "/etc/passwd" I removed the line 'bob:x:0:0::/home/pas:/bin/sh'

Is there anyway to determine what the history for that user was to see what he might have been doing in the server? What steps do we need to take to harden the server to make sure that this does not happen again?
 

Anne

Member
Oct 4, 2006
9
0
151
Hi,
Firstly, if some hacker has set uid;0 then please remove or disable this line.
When hackers are logged into system they generally delete history.
You can check from last command and from messages that who has logged into your server.

1) Check that ps aufx | grep nobody, other that httpd no files should run as user nobody.
2) Check your /tmp partition, If there are any suspicious files you finding
3) Run chkroot and rkhunter on server to see which files are having problems.
4) check all the site of server are working fine

Also check this http://www.linuxdevcenter.com/pub/a/linux/2006/03/23/secure-your-server.html?page=1
This may help you
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,221
4
193
Minneapolis, MN
wsenter said:
IMPORTANT: Do not ignore this email.
This message is to inform you that the account bob has user id 0 (root privs). This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.
Download and install rkhunter and chkrootkit. See what the results are and post it here. If you are hit by SHV4 and SHV5 rootkits, the best you can do is backup your data, format your HD and do an OS reload.
 

[Q3]

Member
Apr 8, 2003
14
0
151
Hi guys,

I have received the same problem last night. I have disable everything and change the password for my users but the email that I receive is about the user qmail.

IMPORTANT: Do not ignore this email.
This message is to inform you that the account qmails has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should
verify that your system has not been compromised.

My question is does QMAIL have an effect on cpanel? If so How I could found a work around.

Thanks,

Franco
 

[Q3]

Member
Apr 8, 2003
14
0
151
After I did the check,

It returns me this:
Searching for anomalies in shell history files... Warning: `//root/.bash_history' file size is zero
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)

Do you have a solution on how fix this?

Thanks,

Franco
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,465
30
473
Go on, have a guess
That looks very suspicious indeed. A user account won't be created with a UID of 0 unless you explicitly do it. The fact one was created and that root's .bash_history file has been zeroed strongly points to your server having been root compromised.

If you are unsure of how to confirm that, then ask your datacenter for help or seek out a competent server administrator who can do that for you. Meanwhile, make sure you have a cPanel backup of all your user data as you will need to have the OS reinstalled and then restore those backups and have your server better secured.
 

ramprage

Well-Known Member
Jul 21, 2002
655
0
166
Canada
I agree with Chirpy on this, ensure your clients backup is safely stored somewhere else asap. You'll need someone with a lot of knowledge to investigate your box but it does soon like you've been rooted. In such as case, you should always do an OS reload and properly secure the box then reload client data.