Recently I have received this message. I tried to follow the instructions of an old post by tandisweb but I ran into an issue.
(original post is below my question)
Here is my problem.
When I grep the passwd file I see this:
root:x:0:0:root:/root:/bin/bash
dgc:x:0:0::/home/dgc:/bin/bash
"dgc" should obviously not be there.
So when I edit the passwd file the user dgc does NOT show up.
Each night I get a ganteng.htm file showing up in all of my public_html files.
What am I to do? This user has root and I can't get rid of it.
PS: I did try to use the delete user command. It completely cut me out of my server; I had to go to Godaddy to have them put my root account back in again, shut down the websites and everything.
Original post whose instructions I followed:
Re: [hackcheck] http has a uid 0 account
Hi Dears
We can fix this problem
--------------------------------------
[hackcheck] admin has a uid 0 account
IMPORTANT: Do not ignore this email.
This message is to inform you that the account admin has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should
verify that your system has not been compromised.
--------------------------------------
1- First step: check which account has UID 0 on the SSH command line
>> cat /etc/passwd | grep 0:0
In the result you should see lines like these ...
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:admin:/home/admin:/bin/bash <<< I did this and I see two root users, "root" and "dgc"
Any account other than root must be deleted to fix this. On this server we have admin in addition to root, so we remove it.
2-Go to this address >> /etc
3-nano -w passwd
4- Find >> admin:x:0:0:admin:/home/admin:/bin/bash , and remove that line <<< user dgc doesn't show in this list.
Be careful before removing an account, and be sure which account must be removed.
5-CTRL + X
6-for save file >> press Y
7- Check the fix with >> cat passwd
8-restart apache
9- Finished. Enjoy it.
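The check in step 1, as an added example that is not part of either post: `grep 0:0` matches that text anywhere in a line, so this sketch compares the UID field itself and prints the line number of every UID 0 entry other than root. The function names and the `daemon` and `svc` sample lines are constructed for illustration; the `root` and `dgc` lines are the ones quoted above.

```shell
#!/bin/sh
# Added example: find passwd entries whose UID field (field 3) is exactly 0.

# uid0_accounts FILE -> prints "LINE_NUMBER:NAME" for each entry with UID 0
uid0_accounts() {
    awk -F: '
        /^#/ || /^[ \t]*$/ { next }                      # skip comments, blanks
        $3 ~ /^[0-9]+$/ && $3 + 0 == 0 { print NR ":" $1 }  # "0", "00", ...
    ' "$1"
}

# extra_uid0 FILE -> same list without the legitimate root entry
extra_uid0() {
    uid0_accounts "$1" | awk -F: '$2 != "root"'
}

# write_sample FILE -> constructed passwd-format sample (not a real system file)
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svc:x:100:0::/home/svc:/bin/sh
dgc:x:0:0::/home/dgc:/bin/bash
EOF
}

# Demo on the constructed sample; pass /etc/passwd to the functions on a real host.
sample=$(mktemp)
write_sample "$sample"
# The text match also counts svc (UID 100, GID 0), which is not a UID 0 account.
echo "lines matched by grep 0:0: $(grep -c '0:0' "$sample")"
echo "UID 0 entries other than root (line:name):"
extra_uid0 "$sample"
rm -f "$sample"
```

The line number in the output gives the position of the entry in the file, which can be compared with what the editor displays at that line.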