Root account was removed; how do I regain the root username?

Logesh K

Member
Jun 25, 2015
Namakkal, TamilNadu, India
cPanel Access Level: Root Administrator
One of my VPSes at DigitalOcean was compromised about 5 days ago. I only came to know about it today.

The person logged into the server using some script via a cPanel user account, removed the root login, then added his own superuser name.

I wrote to DigitalOcean support; they put my Droplet in Recovery Mode and asked me to reset the root password, but it isn't working.

Below are the CSF Firewall alerts I received in my mailbox:

Code:
Time:    Sun Jan 21 04:56:33 2018 -0500
PID:     26884 (Parent PID:26878)
Account: someusr
Uptime:  142 seconds


Executable:

/home/someusr/public_html/administrator/pictures/js/f


Command Line (often faked in exploits):

./f


Network connections by the process (if any):

tcp: 192.241.220.105:53767 -> 116.193.xx.xxx:443
tcp: 192.241.220.105:53767 -> 116.193.xx.xxx:443
tcp: 192.241.220.105:53767 -> 116.193.xx.xxx:443


Files open by the process (if any):

/etc/passwd


Memory maps by the process (if any):

00400000-00402000 r-xp 00000000 fc:01 2883949                            /home/someusr/public_html/administrator/pictures/js/f
00601000-00602000 rw-p 00001000 fc:01 2883949                            /home/someusr/public_html/administrator/pictures/js/f
0245a000-0247b000 rw-p 00000000 00:00 0                                  [heap]
7f9cd7b5c000-7f9cd7b5d000 ---p 00000000 00:00 0
7f9cd7b5d000-7f9cd855d000 rw-p 00000000 00:00 0
Code:
Time: Sun Jan 21 04:54:32 2018 -0500

Reported Modifications:

New account [bdgy] has been created with uid:[0] gid:[0] login:[/root] shell:[/bin/bash]
Existing account [root] has been removed. Old settings uid:[0] gid:[0] login:[/root] shell:[/bin/bash]
Existing account [bin] has been removed. Old settings uid:[1] gid:[1] login:[/bin] shell:[/sbin/nologin]
Existing account [daemon] has been removed. Old settings uid:[2] gid:[2] login:[/sbin] shell:[/sbin/nologin]
Code:
Time:     Sun Jan 21 04:55:32 2018 -0500

Possible root compromise: User account bdgy is a superuser (UID 0)
Kindly help me with how I can regain root access to the server.
 
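The account changes CSF reported above (root, bin and daemon removed, bdgy added with UID 0) can be checked for directly in a copy of /etc/passwd, for example one taken from the Droplet while it is booted in Recovery Mode. This is an added example, not code from the original post or from cPanel/CSF; the sample passwd content and the expected-account table are constructed assumptions:

```python
#!/usr/bin/env python3
"""Audit /etc/passwd for the tampering CSF reported above: a UID 0 account
that is not root, and stock system accounts that are missing or renumbered."""
import sys

# Constructed sample mirroring the CSF report (root, bin, daemon removed,
# "bdgy" added with uid 0); not a file from the compromised server.
SAMPLE_PASSWD = """\
bdgy:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
someusr:x:1001:1001::/home/someusr:/bin/bash
"""

# Accounts a stock CentOS/cPanel server always carries (assumption; extend
# the table for your distribution).
EXPECTED_SYSTEM_ACCOUNTS = {"root": 0, "bin": 1, "daemon": 2}

def parse_passwd(text):
    """Map account name -> (uid, shell); reject malformed lines rather than guess."""
    accounts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        accounts[name] = (int(uid), shell)
    return accounts

def audit_passwd(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    accounts = parse_passwd(text)
    findings = []
    for name, (uid, shell) in accounts.items():
        if uid == 0 and name != "root":
            findings.append(f"superuser account other than root: {name} (shell {shell})")
    for name, uid in EXPECTED_SYSTEM_ACCOUNTS.items():
        if name not in accounts:
            findings.append(f"expected account missing: {name} (uid {uid})")
        elif accounts[name][0] != uid:
            findings.append(f"uid changed: {name} is uid {accounts[name][0]}, expected {uid}")
    return findings

if __name__ == "__main__":
    # Pass a path to a copied passwd file, or run with no arguments for the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for finding in audit_passwd(source):
        print("WARNING:", finding)
```

Run it against the passwd file from the rescued disk rather than the live system, so the result does not depend on binaries the intruder may have replaced.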

cPanelMichael

Administrator
Staff member
Apr 11, 2011