log has a uid 0 account - Possible hack detected.

[suatkocabas]

hi, I received the following alert message from cPanel:

IMPORTANT: Do not ignore this email. This message is to inform you that the account “log” has user ID 0 (root privileges). This may indicate that your system is compromised. To be safe, you should verify that your system is not compromised.

# cat /etc/passwd | grep 0:0

Return Message

[root@vmi304273 ~]# cat /etc/passwd | grep 0:0
root:x:0:0:root:/root:/bin/bash
log:x:0:0::/home/log:/bin/bash

Any suggestions? how can i delete it and where is the vulnerability

 

[suatkocabas]

when i can try

[root@vmi304273 ~]# cat /etc/passwd | grep 0:0
root:x:0:0:root:/root:/bin/bash
log:x:0:0::/home/log:/bin/bash
[root@vmi304273 ~]# userdel -r log
userdel: user log is currently used by process 1

and delete it

[root@vmi304273 ~]# userdel -f log
userdel: user log is currently used by process 1
[root@vmi304273 ~]# sudo killall -u log
Cannot find user log
[root@vmi304273 ~]# sudo killall  log
[root@vmi304273 ~]# userdel -f log
userdel: user 'log' does not exist
[root@vmi304273 ~]# userdel -r log
userdel: user 'log' does not exist
[root@vmi304273 ~]# cat /etc/passwd | grep 0:0
root:x:0:0:root:/root:/bin/bash
[root@vmi304273 ~]#

OK where is the vulnerability??????

 

[GOT]

what does ps aux|grep log show?

 

[suatkocabas]

what does ps aux|grep log show?

[root@vmi304273 ~]# ps aux|grep log
root       628  0.0  0.0  24472  1696 ?        Ss   09:38   0:09 /usr/lib/systemd/systemd-logind
root       944  0.1  0.1 313412 42984 ?        Ssl  09:38   0:42 /usr/sbin/rsyslogd -n
dovenull  1110  0.0  0.0  46868  4544 ?        S    09:38   0:00 dovecot/pop3-login
dovenull  1111  0.0  0.0  49308  7200 ?        S    09:38   0:06 dovecot/imap-login
dovenull  1117  0.0  0.0  46864  4016 ?        S    09:38   0:00 dovecot/pop3-login
dovenull  1118  0.0  0.0  48764  6388 ?        S    09:38   0:03 dovecot/imap-login
root      1462  0.0  0.0  26300  2748 ?        SN   09:38   0:00 cpanellogd - sleeping for logs
root      2189  0.0  0.0  12800  1404 ?        S    09:39   0:08 /usr/local/cpanel/bin/splitlogs --dir=/etc/apache2/logs/domlogs --main=vmi304273.contaboserver.net --suffix=-bytes_log
root      2191  0.0  0.0  12832  1416 ?        S    09:39   0:08 /usr/local/cpanel/bin/splitlogs --dir=/etc/apache2/logs/domlogs --main=vmi304273.contaboserver.net --mainout=/etc/apache2/logs/access_log
root      7936  0.0  0.0  10292  1480 ?        S    15:12   0:01 dovecot/log
root     20848  0.0  0.0 112812   964 pts/0    S+   17:24   0:00 grep --color=auto log

 

[GOT]

That first column is the user. None of the lsited users are the user log, yet when you try to remove the user it claims the usr is held due to locked processes.

I would say that your server is likely severly compromised. I would advise you get a new server and migrate your data to this new server. A server with this level of compromise should not be trusted.

 

[cPRex]

I agree with @GOT - anytime there is a user created with PID 0 it would indicate someone with root access created the user. If you don't know who that was, and you haven't had any work done on the machine recently, the system has been compromised. Migrating your data to a new machine with a fresh installation of the OS and cPanel is the only way to guarantee the issue is resolved and the system is secure.

 

[suatkocabas]

thanks for your answers. @GOT @cPRex