1) I started getting an email every minute with the following details:
Subject: Cron <[email protected]> chown root:root /tmp/l.txt && chmod 4755 /tmp/l.txt && rm -rf /etc/cron.d/core && kill -USR1 25640
Body Message: chown: cannot access `/tmp/l.txt': No such file or directory
I have found very little info on the web about this. Some posts say this is harmless an others say that I should do a full OS restore.
2) I then received one email with the following details:
Subject: [hackcheck] news has a uid 0 account
Body Message: IMPORTANT: Do not ignore this email.
This message is to inform you that the account news has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.
There is a user in the Manage Wheel Group Users section but does NOT have root access.
Question 1) How do I sort out this problem?
Question 2) I backed up and deleted a file called core.25641 in the cron.d folder. It seems this cron file was creating the recuring first emails, they have now stopped. Are there any implications? The server seems to be running fine.
Question 3) If a user named NEWS with uid 0 exists. How do I find the user and delete them?
Last Thought (Server Details):
WHM 10.8.0 cPanel 10.9.0-S35
Fedora i686 - WHM X v3.1.0
I should have all latest updates