
Root account was removed how to regain root username?

Discussion in 'Security' started by Logesh K, Jan 26, 2018.

  1. Logesh K

    Logesh K Registered

    Location:
    Namakkal, TamilNadu, INDIA
    cPanel Access Level:
    Root Administrator
    One of my VPSes at DigitalOcean was compromised about 5 days ago. I only came to know about it today.

    The person logged into the server using some script via a cPanel user account and removed the root login, then added his own superuser name.

    I wrote to DigitalOcean support; they put my Droplet in Recovery Mode and asked me to reset the root password, but it isn't working.

    Below are the CSF firewall alerts I received in my mailbox:

    Code:
    Time:    Sun Jan 21 04:56:33 2018 -0500
    PID:     26884 (Parent PID:26878)
    Account: someusr
    Uptime:  142 seconds

    Executable:
    /home/someusr/public_html/administrator/pictures/js/f

    Command Line (often faked in exploits):
    ./f

    Network connections by the process (if any):
    tcp: 192.241.220.105:53767 -> 116.193.xx.xxx:443
    tcp: 192.241.220.105:53767 -> 116.193.xx.xxx:443
    tcp: 192.241.220.105:53767 -> 116.193.xx.xxx:443

    Files open by the process (if any):
    /etc/passwd

    Memory maps by the process (if any):
    00400000-00402000 r-xp 00000000 fc:01 2883949                            /home/someusr/public_html/administrator/pictures/js/f
    00601000-00602000 rw-p 00001000 fc:01 2883949                            /home/someusr/public_html/administrator/pictures/js/f
    0245a000-0247b000 rw-p 00000000 00:00 0                                  [heap]
    7f9cd7b5c000-7f9cd7b5d000 ---p 00000000 00:00 0
    7f9cd7b5d000-7f9cd855d000 rw-p 00000000 00:00 0

    Code:
    Time: Sun Jan 21 04:54:32 2018 -0500

    Reported Modifications:
    New account [bdgy] has been created with uid:[0] gid:[0] login:[/root] shell:[/bin/bash]
    Existing account [root] has been removed. Old settings uid:[0] gid:[0] login:[/root] shell:[/bin/bash]
    Existing account [bin] has been removed. Old settings uid:[1] gid:[1] login:[/bin] shell:[/sbin/nologin]
    Existing account [daemon] has been removed. Old settings uid:[2] gid:[2] login:[/sbin] shell:[/sbin/nologin]

    Code:
    Time:     Sun Jan 21 04:55:32 2018 -0500

    Possible root compromise: User account bdgy is a superuser (UID 0)
    Kindly help me with how I can regain root access to the server.
     
    #1 Logesh K, Jan 26, 2018
    Last edited by a moderator: Jan 26, 2018
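As an added, defender-side example (not from the thread, cPanel or CSF), the script below parses CSF "Reported Modifications" lines like the ones quoted in the post and audits a passwd file for the two things that alert shows: a UID 0 account under a name other than root, and the real root entry going missing. The alert text and passwd content are constructed samples based on the post.

```python
import re

# Constructed sample of the CSF "Reported Modifications" lines quoted in the post.
CSF_ALERT = """\
New account [bdgy] has been created with uid:[0] gid:[0] login:[/root] shell:[/bin/bash]
Existing account [root] has been removed. Old settings uid:[0] gid:[0] login:[/root] shell:[/bin/bash]
Existing account [bin] has been removed. Old settings uid:[1] gid:[1] login:[/bin] shell:[/sbin/nologin]
"""

# Constructed /etc/passwd as it might look after those modifications (not from the post).
PASSWD_AFTER = """\
bdgy:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
someusr:x:1001:1001::/home/someusr:/bin/bash
"""

# Matches both "New account [..] has been created with uid:[N]" and
# "Existing account [..] has been removed. Old settings uid:[N]" forms.
LINE_RE = re.compile(r"^(?P<action>New|Existing) account \[(?P<name>[^\]]+)\].*?uid:\[(?P<uid>\d+)\]")


def parse_csf_modifications(text):
    """Return (action, account, uid) tuples for each account-modification line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            action = "created" if m.group("action") == "New" else "removed"
            events.append((action, m.group("name"), int(m.group("uid"))))
    return events


def suspicious_events(events):
    """Keep any UID 0 creation (whatever the name) and any removal of root."""
    return [e for e in events
            if (e[0] == "created" and e[2] == 0) or (e[0] == "removed" and e[1] == "root")]


def audit_passwd(text):
    """Return (root_present, [accounts other than root that have UID 0])."""
    root_present, rogue_superusers = False, []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # skip malformed lines instead of crashing mid-audit
        name, uid = fields[0], int(fields[2])
        if name == "root":
            root_present = True
        elif uid == 0:
            rogue_superusers.append(name)
    return root_present, rogue_superusers


if __name__ == "__main__":
    for ev in suspicious_events(parse_csf_modifications(CSF_ALERT)):
        print("ALERT:", ev)
    print("root present, rogue UID 0 accounts:", audit_passwd(PASSWD_AFTER))
```

On a live box the same audit is `awk -F: '$3 == 0' /etc/passwd`, run from the recovery environment rather than the compromised system.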
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member
