[hackcheck] http has a uid 0 account

Oct 16, 2010
12
0
51
The hackcheck script identified a user called http with root privilege. I did not create this account. So far I've disabled the account. How do I determine how the account was created and what is was used for before being disabled? Does anyone have any suggestions on what to do next?

Thank
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
It would have been better not to disable the account and check for any processes it was running by using "ps aux | grep http" and "lsof -p PID#" but now it's been disabled and that information won't be available. At this point, it's going to be far more difficult to track it down if someone else created it.

Did you remove the user entirely or just disable the user? Because if the user exists, you could check for files and folders owned by that user:

Code:
find / -user http
Again, if you've removed the user, that won't be available either.

At that point, you can only check /root/.bash_history for possible indications of that user being added.
 

JeffP.

Well-Known Member
Sep 28, 2010
164
15
68
You should also check your syslogs for possible log activity of the user being added. For example, /var/log/secure may contain this information, which could be helpful to know the time of when the account was created. You can the use that information to look for signs of other suspicious activity that might've taken place around that same time.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
348
somewhere over the rainbow
cPanel Access Level
Root Administrator

tandisweb

Registered
Jul 18, 2012
1
0
1
cPanel Access Level
Root Administrator
Hi Dears
We can fix this problem
--------------------------------------
[hackcheck] admin has a uid 0 account
IMPORTANT: Do not ignore this email.
This message is to inform you that the account admin has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should
verify that your system has not been compromised.
--------------------------------------

1-First step check which account has UID 0 in ssh command line
>> cat /etc/passwd | grep 0:0
in result you must seen same these line ...
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:admin:/home/admin:/bin/bash

any account more than root must be deleted to fix, in this server we have admin more than root, then we remove it

2-Go to this address >> /etc
3-nano -w passwd
4-Find >> admin:x:0:0:admin:/home/admin:/bin/bash , and remove that line
care full fore remove account , and sure that which account must be remove
5-CTRL + X
6-for save file >> press Y
7-check fix this by >> cat passwd
8-restart apache
9- Finished . enjoy it
 
Last edited:

JeffP.

Well-Known Member
Sep 28, 2010
164
15
68
You should use "userdel" to remove users. If editing /etc/passwd manually is ever necessary, you should use "vipw", as it will safely handle any issues if changes are made to the file while you are editing it. nano will not.
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
Code:
find / -user http
That find command will list all files owned by root, not http - unix filesystems record file ownership numerically, so any http-owned files are owned by uid 0 and therefore are root-owned files.

So, unfortunately, that command of itself is useless. If there was a line like that in your password file, your system has been totally compromised (aka "rooted") and it's best to rebuild to be sure.

Prior to rebuilding, you might want to check for cron or at jobs owned by "http", not sure whether cron uses username or uid.
 

crazyaboutlinux

Well-Known Member
Nov 3, 2007
939
1
66
Yes, absolutely correct
Do not use vi or other text editor to edit password file.
The best way to edit /etc/passwd, or shadow or group file is to use vipw and vigr command which will edit the files /etc/passwd and /etc/group respectively.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
Actually, the best way to edit the files if you are removing is to use userdel and groupdel commands.The best way to make changes is via usermod and groupmod. vipw and vigr aren't the best way to make such revisions and should be used as a last resort if you cannot (for some unknown reason) get userdel, groupdel, usermod and groupmod to work.