[hackcheck] http has a uid 0 account

[everynameistake]

The hackcheck script identified a user called http with root privilege. I did not create this account. So far I've disabled the account. How do I determine how the account was created and what is was used for before being disabled? Does anyone have any suggestions on what to do next?

Thank

 

[cPanelTristan]

It would have been better not to disable the account and check for any processes it was running by using "ps aux | grep http" and "lsof -p PID#" but now it's been disabled and that information won't be available. At this point, it's going to be far more difficult to track it down if someone else created it.

Did you remove the user entirely or just disable the user? Because if the user exists, you could check for files and folders owned by that user:

find / -user http

Again, if you've removed the user, that won't be available either.

At that point, you can only check /root/.bash_history for possible indications of that user being added.

 

[JeffP.]

You should also check your syslogs for possible log activity of the user being added. For example, /var/log/secure may contain this information, which could be helpful to know the time of when the account was created. You can the use that information to look for signs of other suspicious activity that might've taken place around that same time.

 

[everynameistake]

Just let me know when it gets moved and where to find it. Thanks

 

[cPanelTristan]

Thanks, I've moved the posts concerning the questions on the server hanging to this location:

http://forums.cpanel.net/f5/advice-server-hanging-225022.html

 

[tandisweb]

Hi Dears
We can fix this problem
--------------------------------------
[hackcheck] admin has a uid 0 account
IMPORTANT: Do not ignore this email.
This message is to inform you that the account admin has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should
verify that your system has not been compromised.
--------------------------------------

1-First step check which account has UID 0 in ssh command line
>> cat /etc/passwd | grep 0:0
in result you must seen same these line ...
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:admin:/home/admin:/bin/bash

any account more than root must be deleted to fix, in this server we have admin more than root, then we remove it

2-Go to this address >> /etc
3-nano -w passwd
4-Find >> admin:x:0:0:admin:/home/admin:/bin/bash , and remove that line
care full fore remove account , and sure that which account must be remove
5-CTRL + X
6-for save file >> press Y
7-check fix this by >> cat passwd
8-restart apache
9- Finished . enjoy it

 

[JeffP.]

You should use "userdel" to remove users. If editing /etc/passwd manually is ever necessary, you should use "vipw", as it will safely handle any issues if changes are made to the file while you are editing it. nano will not.

 

[brianoz]

find / -user http

That find command will list all files owned by root, not http - unix filesystems record file ownership numerically, so any http-owned files are owned by uid 0 and therefore are root-owned files.

So, unfortunately, that command of itself is useless. If there was a line like that in your password file, your system has been totally compromised (aka "rooted") and it's best to rebuild to be sure.

Prior to rebuilding, you might want to check for cron or at jobs owned by "http", not sure whether cron uses username or uid.

 

[crazyaboutlinux]

Yes, absolutely correct
Do not use vi or other text editor to edit password file.
The best way to edit /etc/passwd, or shadow or group file is to use vipw and vigr command which will edit the files /etc/passwd and /etc/group respectively.

 

[cPanelTristan]

Actually, the best way to edit the files if you are removing is to use userdel and groupdel commands.The best way to make changes is via usermod and groupmod. vipw and vigr aren't the best way to make such revisions and should be used as a last resort if you cannot (for some unknown reason) get userdel, groupdel, usermod and groupmod to work.