log has a uid 0 account - Possible hack detected.

Operating System & Version
CENTOS 7.9 kvm [vmi304273]
cPanel & WHM Version
v92.0.9

suatkocabas

Member
Feb 3, 2021
14
3
3
Bursa
cPanel Access Level
Reseller Owner
hi, I received the following alert message from cPanel:



IMPORTANT: Do not ignore this email.
This message is to inform you that the account “log” has user ID 0 (root privileges). This may indicate that your system is compromised. To be safe, you should verify that your system is not compromised.

Code:
# cat /etc/passwd | grep 0:0
Return Message

Code:
[[email protected] ~]# cat /etc/passwd | grep 0:0
root:x:0:0:root:/root:/bin/bash
log:x:0:0::/home/log:/bin/bash
Any suggestions? how can i delete it and where is the vulnerability
 

suatkocabas

Member
Feb 3, 2021
14
3
3
Bursa
cPanel Access Level
Reseller Owner
when i can try

Code:
[[email protected] ~]# cat /etc/passwd | grep 0:0
root:x:0:0:root:/root:/bin/bash
log:x:0:0::/home/log:/bin/bash
[[email protected] ~]# userdel -r log
userdel: user log is currently used by process 1
and delete it

Code:
[[email protected] ~]# userdel -f log
userdel: user log is currently used by process 1
[[email protected] ~]# sudo killall -u log
Cannot find user log
[[email protected] ~]# sudo killall  log
[[email protected] ~]# userdel -f log
userdel: user 'log' does not exist
[[email protected] ~]# userdel -r log
userdel: user 'log' does not exist
[[email protected] ~]# cat /etc/passwd | grep 0:0
root:x:0:0:root:/root:/bin/bash
[[email protected] ~]#

OK where is the vulnerability??????
 
Last edited:

suatkocabas

Member
Feb 3, 2021
14
3
3
Bursa
cPanel Access Level
Reseller Owner
what does ps aux|grep log show?

Code:
[[email protected] ~]# ps aux|grep log
root       628  0.0  0.0  24472  1696 ?        Ss   09:38   0:09 /usr/lib/systemd/systemd-logind
root       944  0.1  0.1 313412 42984 ?        Ssl  09:38   0:42 /usr/sbin/rsyslogd -n
dovenull  1110  0.0  0.0  46868  4544 ?        S    09:38   0:00 dovecot/pop3-login
dovenull  1111  0.0  0.0  49308  7200 ?        S    09:38   0:06 dovecot/imap-login
dovenull  1117  0.0  0.0  46864  4016 ?        S    09:38   0:00 dovecot/pop3-login
dovenull  1118  0.0  0.0  48764  6388 ?        S    09:38   0:03 dovecot/imap-login
root      1462  0.0  0.0  26300  2748 ?        SN   09:38   0:00 cpanellogd - sleeping for logs
root      2189  0.0  0.0  12800  1404 ?        S    09:39   0:08 /usr/local/cpanel/bin/splitlogs --dir=/etc/apache2/logs/domlogs --main=vmi304273.contaboserver.net --suffix=-bytes_log
root      2191  0.0  0.0  12832  1416 ?        S    09:39   0:08 /usr/local/cpanel/bin/splitlogs --dir=/etc/apache2/logs/domlogs --main=vmi304273.contaboserver.net --mainout=/etc/apache2/logs/access_log
root      7936  0.0  0.0  10292  1480 ?        S    15:12   0:01 dovecot/log
root     20848  0.0  0.0 112812   964 pts/0    S+   17:24   0:00 grep --color=auto log
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,754
315
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
That first column is the user. None of the lsited users are the user log, yet when you try to remove the user it claims the usr is held due to locked processes.

I would say that your server is likely severly compromised. I would advise you get a new server and migrate your data to this new server. A server with this level of compromise should not be trusted.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,496
1,009
313
cPanel Access Level
Root Administrator
I agree with @GOT - anytime there is a user created with PID 0 it would indicate someone with root access created the user. If you don't know who that was, and you haven't had any work done on the machine recently, the system has been compromised. Migrating your data to a new machine with a fresh installation of the OS and cPanel is the only way to guarantee the issue is resolved and the system is secure.