One of my VPSes at DigitalOcean was compromised about 5 days ago. Only today did I come to know about it.
The person logged into the server using some script via a cPanel user account, removed the root login, then added his own superuser name.
I wrote to DigitalOcean support; they put my Droplet in Recovery Mode and asked me to reset the root password, but it isn't working.
Below are the CSF Firewall alerts I received in my mailbox.
Kindly help me with how I can regain root access to the server.
Code:
Time: Sun Jan 21 04:56:33 2018 -0500
PID: 26884 (Parent PID:26878)
Account: someusr
Uptime: 142 seconds
Executable:
/home/someusr/public_html/administrator/pictures/js/f
Command Line (often faked in exploits):
./f
Network connections by the process (if any):
tcp: 192.241.220.105:53767 -> 116.193.xx.xxx:443
tcp: 192.241.220.105:53767 -> 116.193.xx.xxx:443
tcp: 192.241.220.105:53767 -> 116.193.xx.xxx:443
Files open by the process (if any):
/etc/passwd
Memory maps by the process (if any):
00400000-00402000 r-xp 00000000 fc:01 2883949 /home/someusr/public_html/administrator/pictures/js/f
00601000-00602000 rw-p 00001000 fc:01 2883949 /home/someusr/public_html/administrator/pictures/js/f
0245a000-0247b000 rw-p 00000000 00:00 0 [heap]
7f9cd7b5c000-7f9cd7b5d000 ---p 00000000 00:00 0
7f9cd7b5d000-7f9cd855d000 rw-p 00000000 00:00 0
Code:
Time: Sun Jan 21 04:54:32 2018 -0500
Reported Modifications:
New account [bdgy] has been created with uid:[0] gid:[0] login:[/root] shell:[/bin/bash]
Existing account [root] has been removed. Old settings uid:[0] gid:[0] login:[/root] shell:[/bin/bash]
Existing account [bin] has been removed. Old settings uid:[1] gid:[1] login:[/bin] shell:[/sbin/nologin]
Existing account [daemon] has been removed. Old settings uid:[2] gid:[2] login:[/sbin] shell:[/sbin/nologin]
Code:
Time: Sun Jan 21 04:55:32 2018 -0500
Possible root compromise: User account bdgy is a superuser (UID 0)
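What the alerts show is that /etc/passwd itself was rewritten: root (and bin, daemon) were deleted and a new UID-0 account bdgy was added. A plain "reset the root password" from recovery mode cannot work while there is no root entry left to reset. The following is an added example, not part of the original post or of DigitalOcean's or cPanel's tooling: run from the recovery environment with the Droplet's disk mounted (the mount point /mnt, the function names, the backup file names and the sample entries in the test are this example's own assumptions), it lists every UID-0 account, re-creates a locked root entry in passwd and shadow, and locks the rogue UID-0 account without deleting it, so the evidence stays in the files.

```shell
#!/bin/sh
# Added example, not from the original post: repair the account database of a
# compromised system from a rescue environment. Assumes the Droplet's disk is
# mounted under ROOT (default /mnt, an assumption; adjust to your rescue setup).
# Function and backup-file names are this example's own.
#
# Run as:  . ./repair-accounts.sh && repair_mounted_system /mnt
# then set the root password with:  chroot /mnt passwd root

# Print every account with UID 0 in the passwd file given as $1.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Succeed if an account named $2 exists in the passwd- or shadow-format file $1.
account_exists() {
    awk -F: -v u="$2" '$1 == u { f = 1 } END { exit !f }' "$1"
}

# Replace file $1 with stdin while keeping its owner and mode: the content is
# copied back into the existing inode instead of moving a new file over it.
overwrite() {
    tmp="$1.tmp.$$"
    cat > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Re-create root in passwd and shadow if it was removed. The shadow entry is
# locked ("!") so nobody can log in until you set a password via chroot.
restore_root() {
    etc="$1"
    if ! account_exists "$etc/passwd" root; then
        { printf 'root:x:0:0:root:/root:/bin/bash\n'; cat "$etc/passwd"; } | overwrite "$etc/passwd"
    fi
    if ! account_exists "$etc/shadow" root; then
        { printf 'root:!:0:0:99999:7:::\n'; cat "$etc/shadow"; } | overwrite "$etc/shadow"
    fi
}

# Lock every UID-0 account other than root: nologin shell and disabled
# password. Entries are kept rather than deleted so the evidence survives.
lock_rogue_uid0() {
    etc="$1"
    for u in $(uid0_accounts "$etc/passwd"); do
        [ "$u" = root ] && continue
        awk -F: -v OFS=: -v u="$u" '$1 == u { $7 = "/sbin/nologin" } { print }' \
            "$etc/passwd" | overwrite "$etc/passwd"
        awk -F: -v OFS=: -v u="$u" '$1 == u { $2 = "!" } { print }' \
            "$etc/shadow" | overwrite "$etc/shadow"
    done
}

# Full run against the mounted disk: report, back up, repair, report again.
repair_mounted_system() {
    root="${1:-/mnt}"
    etc="$root/etc"
    echo "UID-0 accounts before repair:"
    uid0_accounts "$etc/passwd"
    cp -p "$etc/passwd" "$etc/passwd.pre-repair"
    cp -p "$etc/shadow" "$etc/shadow.pre-repair"
    restore_root "$etc"
    lock_rogue_uid0 "$etc"
    echo "UID-0 accounts after repair (non-root ones are now locked):"
    uid0_accounts "$etc/passwd"
}
```

Take a snapshot of the Droplet before running anything like this, so the compromised state is preserved. Getting root back only lets you log in: the binary the first alert shows running from /home/someusr/public_html/administrator/pictures/js/f, and whatever else was placed on the box, are still there, so treat the restored access as a way to copy data off and rebuild from a clean image rather than as a cleanup.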