
hackcheck(OwN3D???) & BAD in upcp.

Discussion in 'General Discussion' started by tmt, Dec 5, 2004.

  1. tmt

    I received the following mails from installing whm/cpanel.

    -----------------
    Subject: [hackcheck] miniroot has a uid 0 account
    IMPORTANT: Do not ignore this email. This message is to inform you that the account miniroot has user id 0 (root privs).
    This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not be compromised.
    -----------------
    &
    -----------------
    Subject: Cron /scripts/upcp
    PHP version file is up to date
    Cpanel updates are coming from layer2.cpanel.net
    Locking password for user miniroot.
    passwd: Success
    uid 0 account (miniroot) - BAD!
    send to CONTACTEMAIL (3) [3]
    ...
    -----------------
    Surely miniroot exists in a password file and uid is 0.
    There is no storage in which I useradd(ed) this miniroot.
    And, this mail is generated, whenever upcp runs after installing whm/cpanel.

    Is a miniroot user necessary in whm/cpanel?
    If it is necessary, what should I do to fix this error?
    If it is not necessary, what do you think could have caused this?

    Please help me if you please.


    tmt. :(
     
  2. chirpy

    There should not be any other accounts on your server with UID 0. So, if you did not create the account miniroot (and neither did your NOC/Datacentre if that is how you got your server) then you have most likely been hacked. If that is the case, you really need to find out how (or hire someone to do so for you) then secure your cPanel backups and have the server reformatted and the OS re-installed, then restore your cPanel accounts. Lastly, fix whatever route the hacker gained access to your server (if you don't know, then ensure you have an up to date OS with all the vendor patches installed and a good iptables firewall, e.g. APF, installed and correctly configured).
     
  3. tmt

    Thank you, Chirpy, for the reply.
    I will ask NOC.

    PS. I would like to begin learning about APF in more detail.
     
  4. AndyReed

    Yes, your server has been compromised and you must act now to protect your server, otherwise it will go down any time soon.
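
An added example, not part of the thread and not cPanel's own hackcheck code: a shell check that lists every account other than root whose UID is 0 in a passwd-format file, the condition the quoted mails report for miniroot. The function names and the sample passwd data are constructed for illustration.

```shell
#!/bin/sh
# List every account in a passwd-format file whose UID is 0, other than root.
# Usage: uid0_accounts /etc/passwd     (reads stdin when no file is given)
uid0_accounts() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }          # skip comment and blank lines
        # "$3 == 0" is a numeric test, so "00" is caught as well as "0";
        # the regex first rejects empty or non-numeric UID fields
        $3 ~ /^[0-9]+$/ && $3 == 0 && $1 != "root" { print $1 }
    ' "$@"
}

# Constructed sample data (not taken from the poster's server).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
# comment line
miniroot:x:0:0::/home/miniroot:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
toor:x:00:0::/root:/bin/sh
EOF
}

# Report each hit in the style of the upcp output quoted above.
# Returns 0 when only root has UID 0, 1 when another UID 0 account exists.
check_uid0() {
    found=$(uid0_accounts "$@")
    [ -z "$found" ] && return 0
    for u in $found; do
        echo "uid 0 account ($u) - BAD!"
    done
    return 1
}

# Demo on the constructed sample; on a real host run: check_uid0 /etc/passwd
sample_passwd | check_uid0 || echo "review the accounts listed above"
```

A hit from this check only shows that the account exists; when it was created and by whom still has to be established from logs and from whoever provisioned the server.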
     