The Community Forums


This message is to inform you that the account - has user id 0 (root privs).

Discussion in 'Security' started by spindoc, Feb 13, 2014.

  1. spindoc

    spindoc Registered

    Joined:
    Feb 13, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Recently I have received this message. I tried to follow the instructions of an old post by tandisweb but I ran into an issue.

    (original post is below my question)

    Here is my problem.

    When I grep the passwd file I see this:

    root:x:0:0:root:/root:/bin/bash
    dgc:x:0:0::/home/dgc:/bin/bash

    "dgc" should obviously not be there.

So when I edit the passwd file, the user dgc does NOT show up.

    Each night I get a ganteng.htm file showing up in all of my public_html files.

    What am I to do? This user has root and I can't get rid of it.

    PS, I did try to use the delete user command; it completely cut me out of my server. I had to go to GoDaddy to have them put my root account back in again, shut down the websites and everything.

    Original post whose instructions I followed.

Re: [hackcheck] http has a uid 0 account

    Hi Dears
    We can fix this problem
    --------------------------------------
    [hackcheck] admin has a uid 0 account
    IMPORTANT: Do not ignore this email.
    This message is to inform you that the account admin has user id 0 (root privs).
    This could mean that your system was compromised (OwN3D). To be safe you should
    verify that your system has not been compromised.
    --------------------------------------

1- First step: check which account has UID 0 on the SSH command line
    >> cat /etc/passwd | grep 0:0
    in the result you should see lines like these ...
    root:x:0:0:root:/root:/bin/bash
    admin:x:0:0:admin:/home/admin:/bin/bash <<<<<<<<<<<<<<<<<<<<<<I did this and I see two root users, "root" and "dgc"

    any account other than root must be deleted to fix this; on this server we have admin in addition to root, so we remove it

    2- Go to this address >> /etc
    3- nano -w passwd
    4- Find >> admin:x:0:0:admin:/home/admin:/bin/bash , and remove that line <<<<<<<<<<<<<<<<<<<<user dgc doesn't show in this list.
    be careful before removing an account, and be sure which account must be removed
    5- CTRL + X
    6- to save the file >> press Y
    7- check the fix by >> cat passwd
    8- restart apache
    9- Finished. Enjoy it
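As an added example (not the poster's or the quoted tutorial's code, and run against constructed sample data rather than a real /etc/passwd), the following POSIX shell script does what steps 1 and 4 above do by hand: it lists every account whose UID field is exactly 0, flags any that are not root, and locates a file such as ganteng.htm under every public_html directory in a home tree. Comparing the third colon-separated field is more precise than `grep 0:0`, which also matches a UID 10 account with GID 0 and would miss a UID 0 account whose GID is not 0. The passwd lines and the directory layout are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd-format file for UID 0
# accounts, and locate a dropped file across every site's public_html.
# All sample data below is constructed for the demonstration.

# Constructed passwd content: "dgc" is a second UID 0 account; "web10" has
# UID 10 / GID 0 and would be a false positive for `grep 0:0`.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
dgc:x:0:0::/home/dgc:/bin/bash
web10:x:10:0:web:/home/web10:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
EOF

# Names of all accounts whose UID field (field 3) is exactly 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# UID 0 accounts other than root: anything printed here is what the
# [hackcheck] mail is warning about.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Number of distinct UID 0 accounts; a clean system has exactly 1.
uid0_count() {
    awk -F: '$3 == 0 { print $1 }' "$1" | sort -u | wc -l | tr -d ' '
}

# Constructed home tree: two sites, both containing the dropped file.
SAMPLE_HOME="$(mktemp -d)"
mkdir -p "$SAMPLE_HOME/site1/public_html" "$SAMPLE_HOME/site2/public_html/blog"
: > "$SAMPLE_HOME/site1/public_html/ganteng.htm"
: > "$SAMPLE_HOME/site1/public_html/index.html"
: > "$SAMPLE_HOME/site2/public_html/blog/ganteng.htm"

# Paths of every file named $2 inside any public_html directory under $1.
dropped_files() {
    find "$1" -path '*/public_html/*' -type f -name "$2" | sort
}

# Stand-alone run: print the report an administrator would want to see.
echo "UID 0 accounts: $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
if [ "$(uid0_count "$SAMPLE_PASSWD")" -ne 1 ]; then
    echo "WARNING: extra UID 0 account(s): $(extra_uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
fi
echo "Dropped files:"
dropped_files "$SAMPLE_HOME" ganteng.htm
```

On a real server you would point `uid0_accounts` at /etc/passwd and `dropped_files` at /home; the sample file and directory only exist so the script runs offline. Note that the list only covers what is in the passwd file itself, which is why the thread's later replies stress that a clean reinstall, not just deleting the line, is the real fix once root has been obtained.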
     
  2. cPMarkF

    cPMarkF *nix Technical Analyst
    Staff Member

    Joined:
    Feb 4, 2013
    Messages:
    11
    Likes Received:
    3
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Unfortunately, cPanel cannot assist you with security related issues, especially if you believe your server might be compromised. We do maintain a list of qualified system administrator service providers here: All Services
     
  3. spindoc

    spindoc Registered

    Joined:
    Feb 13, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
Then why have a forum called "security"? There are all kinds of other threads asking about these things, why can't I?
     
  4. cPMarkF

    cPMarkF *nix Technical Analyst
    Staff Member

    Joined:
    Feb 4, 2013
    Messages:
    11
    Likes Received:
    3
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    I'm sorry, I didn't mean to be vague. To clarify, we cannot assist you with your specific situation as far as having a ghosted root account, which might be indicative of your server having been compromised. The security forum is for advice and assistance on keeping the server secure to prevent compromises. Thank you for your understanding.
     
  5. spindoc

    spindoc Registered

    Joined:
    Feb 13, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
OK. So then, assuming that I can get this user removed.

    How do I prevent it from happening again?

It seems to me that being able to create a root-privilege user should be number one on the default security features, doesn't that make sense?

    I have a firewall, iptables, cPanel set to the maximum security possible, I monitor my websites daily, yet somehow someone was able to create a root user that I cannot remove.

    And so far, Linux, CentOS, cPanel, GoDaddy have all said the same thing: "We can't help you with security."
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    It's a good idea to reinstall the OS/cPanel if your server was rooted. While deleting the individual user that had root access might be sufficient, you can never truly know what other system modifications were made that could make your server vulnerable to additional attacks. The cPanel Security Advisor is a useful tool for reviewing the overall security of your system once you have the new server setup:

    "WHM Home » Security Center » Security Advisor"

    Thank you.
     
  7. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Are you with a managed hosting provider?

    These things (typically) happen one of two ways:

    Either you or another admin accessed the infected server from another machine that is already infected and has a keylogger/trojan,

    OR

    Your kernel was out of date, and an infected website was able to gain root access.

    Like Michael said, removing the user is not sufficient. Someone had/has root access; they could have erased logs, trojaned the SSH service, etc. The only real way to fix this is to check all your local machines for malware FIRST, then get a new server with a clean OS and migrate your sites and data to that server. Do not log into your new server from the infected one.

If you don't know how to do these things yourself, it's usually best to pay for hosting at a managed hosting provider who can do this for you.
     