The Community Forums


[hackcheck] http has a uid 0 account

Discussion in 'Security' started by everynameistake, Aug 3, 2011.

  1. everynameistake

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    The hackcheck script identified a user called http with root privilege. I did not create this account. So far I've disabled the account. How do I determine how the account was created and what it was used for before being disabled? Does anyone have any suggestions on what to do next?

    Thanks
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    It would have been better not to disable the account and check for any processes it was running by using "ps aux | grep http" and "lsof -p PID#" but now it's been disabled and that information won't be available. At this point, it's going to be far more difficult to track it down if someone else created it.

    Did you remove the user entirely or just disable the user? Because if the user exists, you could check for files and folders owned by that user:

    Code:
    find / -user http
    Again, if you've removed the user, that won't be available either.

    At that point, you can only check /root/.bash_history for possible indications of that user being added.
     
  3. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    9
    Trophy Points:
    18
    You should also check your syslogs for possible log activity of the user being added. For example, /var/log/secure may contain this information, which could be helpful to know the time of when the account was created. You can then use that information to look for signs of other suspicious activity that might've taken place around that same time.
     
  4. everynameistake

    Joined:
    Oct 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Just let me know when it gets moved and where to find it. Thanks
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
  6. tandisweb

    tandisweb Registered

    Joined:
    Jul 18, 2012
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi Dears
    We can fix this problem
    --------------------------------------
    [hackcheck] admin has a uid 0 account
    IMPORTANT: Do not ignore this email.
    This message is to inform you that the account admin has user id 0 (root privs).
    This could mean that your system was compromised (OwN3D). To be safe you should
    verify that your system has not been compromised.
    --------------------------------------

    1. First step: check which account has UID 0 from the SSH command line
    >> cat /etc/passwd | grep 0:0
    In the result you should see lines like these ...
    root:x:0:0:root:/root:/bin/bash
    admin:x:0:0:admin:/home/admin:/bin/bash

    Any account other than root must be deleted to fix this. On this server we have admin in addition to root, so we remove it.

    2. Go to this address >> /etc
    3. nano -w passwd
    4. Find >> admin:x:0:0:admin:/home/admin:/bin/bash , and remove that line
    Be careful before removing an account, and be sure which account must be removed.
    5. CTRL + X
    6. To save the file >> press Y
    7. Check the fix with >> cat passwd
    8. Restart Apache
    9. Finished. Enjoy it
     
    #6 tandisweb, Jul 18, 2012
    Last edited: Jul 18, 2012
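The two checks discussed above (JeffP.'s suggestion to look in /var/log/secure for the account being added, and the UID 0 enumeration in post #6) can be done in one small script. The following is an added example, not code from any poster or from cPanel; both input samples are constructed so it runs offline, and on a real host you would feed it /etc/passwd and /var/log/secure instead. It parses the numeric UID field with awk rather than `grep 0:0`, because a plain substring match also hits lines such as a uid of 10 with gid 0, or any uid of 1000 followed by gid 0.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd file for extra UID 0
# accounts and pull the matching account-creation events out of a secure log.

# Constructed /etc/passwd excerpt: root plus two unexpected uid-0 accounts
# ("http" and "toor") and an ordinary user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
http:x:0:0::/home/http:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:toor:/root:/bin/bash'

# Constructed /var/log/secure excerpt. useradd logs new accounts there with
# the UID it assigned, which gives the creation time and the useradd PID.
SAMPLE_SECURE='Aug  2 03:14:07 host sshd[2211]: Accepted password for root from 203.0.113.5 port 51822 ssh2
Aug  2 03:14:31 host useradd[2240]: new user: name=http, UID=0, GID=0, home=/home/http, shell=/bin/bash
Aug  2 03:14:40 host sshd[2260]: Accepted password for http from 203.0.113.5 port 51830 ssh2
Aug  3 09:00:01 host CROND[3301]: (root) CMD (run-parts /etc/cron.hourly)'

# Print every account name whose numeric UID (field 3) is 0, except root.
# Compares the field as a number, so "10:0" or "1000:0" cannot false-match.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print the useradd line(s) that created the named account, if any.
# $1 = account name, $2 = secure-log contents.
account_creation_events() {
    printf '%s\n' "$2" | grep -E "useradd\[[0-9]+\]: new user: name=$1," || true
}

# Count sshd "Accepted" logins for the named account, so activity after the
# creation time can be spotted. $1 = account name, $2 = secure-log contents.
accepted_logins() {
    printf '%s\n' "$2" | grep -c -E "sshd\[[0-9]+\]: Accepted [a-z]+ for $1 from" || true
}

# Walk every extra uid-0 account and report what the log says about it.
report() {
    for acct in $(uid0_accounts "$1"); do
        echo "== uid 0 account: $acct"
        echo "   creation events:"
        account_creation_events "$acct" "$2" | sed 's/^/     /'
        echo "   accepted ssh logins: $(accepted_logins "$acct" "$2")"
    done
}

report "$SAMPLE_PASSWD" "$SAMPLE_SECURE"
```

Run it against the live files with `report "$(cat /etc/passwd)" "$(cat /var/log/secure)"`; an account that shows up in uid0_accounts but has no useradd line was most likely written into /etc/passwd directly, which is itself worth noting in the timeline.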
  7. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    9
    Trophy Points:
    18
    You should use "userdel" to remove users. If editing /etc/passwd manually is ever necessary, you should use "vipw", as it will safely handle any issues if changes are made to the file while you are editing it. nano will not.
     
  8. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    That find command will list all files owned by root, not http - unix filesystems record file ownership numerically, so any http-owned files are owned by uid 0 and therefore are root-owned files.

    So, unfortunately, that command of itself is useless. If there was a line like that in your password file, your system has been totally compromised (aka "rooted") and it's best to rebuild to be sure.

    Prior to rebuilding, you might want to check for cron or at jobs owned by "http", not sure whether cron uses username or uid.
     
  9. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    938
    Likes Received:
    0
    Trophy Points:
    16
    Yes, absolutely correct.
    Do not use vi or another text editor to edit the password file.
    The best way to edit /etc/passwd, or the shadow or group file, is to use the vipw and vigr commands, which edit the files /etc/passwd and /etc/group respectively.
     
  10. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Actually, the best way to edit the files if you are removing is to use the userdel and groupdel commands. The best way to make changes is via usermod and groupmod. vipw and vigr aren't the best way to make such revisions and should be used as a last resort if you cannot (for some unknown reason) get userdel, groupdel, usermod and groupmod to work.
     