Superuser Account Issue

Bashed

Well-Known Member
Dec 18, 2013
146
4
68
cPanel Access Level
Root Administrator
Getting this on CSF security check:

Server Check
Check SUPERUSER accounts
You have accounts other than root set up with UID 0. This is a considerable security risk. You should use su, or best of all sudo for such access

How do I check what users have that permission and how do I correct that?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,491
1,008
313
cPanel Access Level
Root Administrator
Hey hey! Best way to check is to look through /etc/passwd. If it's long, you may want to do a search like this:

Code:
grep 0 /etc/passwd
You'll get lots of unrelated output with that search too, but if you have 1000 accounts it will at least make things easier. Any user with UID of just "0" is suspect.

If you find a root user that you didn't create, it's best to consider the server as root compromised, and you should get the accounts migrated to a clean system.
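
An added example, not part of the post above or of cPanel's or CSF's own tooling: a shell function that tests the UID field of a passwd-format file exactly, so only non-root accounts with UID 0 are listed. The account name toor and the sample lines are constructed, and treating an all-zeros UID such as 00 as 0 is an assumption.

```shell
#!/bin/sh
# List accounts other than "root" whose UID (third field) is 0.
# Usage: uid0_accounts [FILE]   FILE defaults to /etc/passwd; "-" reads stdin.
uid0_accounts() {
    awk -F: '
        NF < 3 { next }                    # blank or malformed line, no UID field
        $3 ~ /^0+$/ && $1 != "root" {      # UID is exactly 0 (assumption: 00 counts too)
            printf "%s uid=%s gid=%s home=%s shell=%s\n", $1, $3, $4, $6, $7
        }
    ' "${1:-/etc/passwd}"
}

# Constructed sample in passwd format (not taken from the thread).
# "toor" is a hypothetical second UID 0 account.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
user10:x:1000:1000::/home/user10:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
toor:x:0:0::/home/toor:/bin/bash
EOF
}

# A plain "grep 0" matches four of the five sample lines (any 0 anywhere);
# the field test reports only the extra UID 0 account.
sample_passwd | uid0_accounts -
```

On a live server, run `uid0_accounts` with no argument as root; no output means root is the only UID 0 account in /etc/passwd.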
 

cPRex

That's definitely the issue as that's not something that gets created by cPanel.

Do you have a cPanel user with that name on the system, or does this user only exist in Linux? I would recommend checking the server's history as root to see if there is evidence of when that user was created, but given the user's home directory of /root/syns, that isn't something that could have been done through WHM.

We do offer migration services for compromised systems if you'd like to submit a ticket to our team to have us help with that process.