This message is to inform you that the account - has user id 0 (root privs).

spindoc

Registered
Feb 13, 2014
4
0
1
cPanel Access Level
Root Administrator
Recently I have received this message. I tried to follow the instructions of an old post by tandisweb but I ran into an issue.

(original post is below my question)

Here is my problem.

When I grep the passwd file I see this:

root:x:0:0:root:/root:/bin/bash
dgc:x:0:0::/home/dgc:/bin/bash

"dgc" should obviously not be there.

so when I edit the passwd file the user dgc does NOT show up.

Each night i get a ganteng.htm file showing up in all of my public_html files.

What am I do do? This user has root and I can't get rid of it.

PS, I did try to use delete user command, it completely cut me out of my server I had to go to Godaddy to have them put my root account back in again, shut down the websites and everything.

Original Post from which instructions I followed.

Default Re: [hackcheck] http has a uid 0 account

Hi Dears
We can fix this problem
--------------------------------------
[hackcheck] admin has a uid 0 account
IMPORTANT: Do not ignore this email.
This message is to inform you that the account admin has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should
verify that your system has not been compromised.
--------------------------------------

1-First step check which account has UID 0 in ssh command line
>> cat /etc/passwd | grep 0:0
in result you must seen same these line ...
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:admin:/home/admin:/bin/bash <<<<<<<<<<<<<<<<<<<<<<i did this and I see two root users, "root" and "dgc"

any account more than root must be deleted to fix, in this server we have admin more than root, then we remove it

2-Go to this address >> /etc
3-nano -w passwd
4-Find >> admin:x:0:0:admin:/home/admin:/bin/bash , and remove that line <<<<<<<<<<<<<<<<<<<<user dgc doesn't show in this list.
care full fore remove account , and sure that which account must be remove
5-CTRL + X
6-for save file >> press Y
7-check fix this by >> cat passwd
8-restart apache
9- Finished . enjoy it
 

cPMarkF

*nix Technical Analyst
Staff member
Feb 4, 2013
18
8
78
cPanel Access Level
Root Administrator
Unfortunately, cPanel cannot assist you with security related issues, especially if you believe your server might be compromised. We do maintain a list of qualified system administrator service providers here: All Services
 

cPMarkF

*nix Technical Analyst
Staff member
Feb 4, 2013
18
8
78
cPanel Access Level
Root Administrator
I'm sorry, I didn't mean to be vague. To clarify, we cannot assist you with your specific situation as far as having a ghosted root account, which might be indicative of your server having been compromised. The security forum is for advice and assistance on keeping the server secure to prevent compromises. Thank you for your understanding.
 

spindoc

Registered
Feb 13, 2014
4
0
1
cPanel Access Level
Root Administrator
OK. So than assuming that I can get this user removed.

How do I prevent it from happening again?

It seems to me that being able to create a root priviledge user should be number one on the default security features, doesn't that make sense?

I have a Firewall, IP tables, Cpanel set to the maximum security possible, I monitor my websites daily, yet somehow someone was able to create a root user that I cannot remove.

And so far, Linux, Centos, Cpanel, Godaddy have all said the same thing. "We can't help you with security"
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
Hello :)

It's a good idea to reinstall the OS/cPanel if your server was rooted. While deleting the individual user that had root access might be sufficient, you can never truly know what other system modifications were made that could make your server vulnerable to additional attacks. The cPanel Security Advisor is a useful tool for reviewing the overall security of your system once you have the new server setup:

"WHM Home » Security Center » Security Advisor"

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Are you with a managed hosting provider?

These things (typically) happen one of two ways:

Either you or another admin accessed the infected server from another machine that is already infected and has a keylogger/trojan,

OR

Your kernel was out of date, and an infected website was able to gain root access.

Like Michael said, removing the user is not sufficient. Someone had/has root access; they could have erased logs, trojaned the SSH service, etc. The only real way to fix this is to check all your local machines for malware FIRST, then get a new server with a clean OS and migrate your sites and data to that server. Do not log into your new server from the infected one.

It's usually best if you don't know how to do these things yourself to pay for hosting at a managed hosting provider who can do this for you.