  1. #1
    Join Date
    Mar 2009
    Posts
    634

    [hackcheck] http has a uid 0 account

    Hey,

    I got this email recently just after doing a cpanel update (/script/upcp)

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the account http has user id 0 (root privs).
    This could mean that your system was compromised (OwN3D). To be safe you should
    verify that your system has not been compromised.
    What should I do next? Was this because of the update, or should I reinstall the system?

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    It sounds like you were compromised. What you need to do next is determine how you were compromised.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    Mar 2009
    Posts
    634
    Lastlog showed the http account login at the same time as I did on the root account from the same IP. Odd.

    I've just removed it for now, and from what I can tell nothing horrible has happened yet.

  4. #4
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    MMM...

    Root accounts just don't happen. It got there somewhere. If you didn't do it, someone else did, and if you don't patch how they did it, they will just do it again.

  5. #5
    Join Date
    Mar 2009
    Posts
    634
    Originally posted by Steven:
    MMM...

    Root accounts just don't happen. It got there somewhere. If you didn't do it, someone else did, and if you don't patch how they did it, they will just do it again.
    << removed by request >>

    I will get the DC to reinstall my OS then update and restore from backups. << removed by request >>

    Thanks,

    cedricd
    Last edited by writespeak; 07-11-2009 at 02:02 PM. Reason: Edited by request

  6. #6
    Join Date
    Jul 2009
    Location
    SLASH ROOT
    Posts
    26
    The root user or the super user has access to all resources on the server...I mean complete access to whatever it wants to.

    Now the root user runs under a UID equal to 0. This can be seen on the first line in the file /etc/passwd (not to be changed or edited unless you know what you're doing).

    Now the "httpd" process...being the daemon running for Apache. You can check the UID for this user under the same file.

    The file would have a syntax like:
    username:password:uid:gid:user_info:home_directory:shell_type

    So you would be looking at the third field.

    ----------------------------
    Sr. Systems Engineer
    WHRSS
    We grow by helping you grow.
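
The third-field check described in post #6, written out as an added example (it is not part of the original thread and is not cPanel's hackcheck script): it lists every account other than root whose UID field is 0. The function names `find_uid0` and `sample_passwd` are hypothetical, and the sample passwd lines are constructed.

```shell
#!/bin/sh
# Added example: report accounts other than "root" whose UID (3rd field) is 0.
# find_uid0 [FILE|-]  prints "name:uid:shell" for each match.
# Return status: 0 = none found, 1 = at least one found, 2 = file unreadable.
find_uid0() {
    file=${1:-/etc/passwd}
    [ "$file" = "-" ] || [ -r "$file" ] || {
        echo "cannot read $file" >&2
        return 2
    }
    awk -F: '
        /^[ \t]*(#|$)/ { next }    # skip comment and blank lines
        NF != 7 {                  # a passwd entry has exactly 7 fields
            printf "malformed line %d skipped\n", NR > "/dev/stderr"
            next
        }
        # Numeric comparison, so "0", "00" and "0000" all count as UID 0.
        $3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $1 != "root" {
            print $1 ":" $3 ":" $7
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$file"
}

# Constructed sample data for trying the check without touching /etc/passwd.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
# constructed comment line
http:x:0:0::/home/http:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
toor:x:00:0:padded zero:/root:/bin/sh
broken:x:1001
EOF
}

# Usage: sample_passwd | find_uid0 -      (constructed data)
#        find_uid0 /etc/passwd            (live system, read-only)
```

A match only shows that the entry exists; how it got there still has to be established, as post #4 says.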
