Author Topic: hackcheck  (Read 1227 times)


Offline spindoc

  • NULL
  • Posts: 1
  • Cookies: 0
hackcheck
« on: February 11, 2014, 02:55:35 pm »
I know just enough to be dangerous, so I would appreciate some help with this matter.

I have a Godaddy Dedicated Server.
  Operating System: CentOS 6 x64
  Processor: Intel Core i5 - 3.10 GHz
  RAM: 16 GB
  Total Disk Space: 2000 GB
  RAID: None
  Disk Drive(s): 1000 GB (Drive #1), 1000 GB (Drive #2)
  Bandwidth Quota: 15000 GB
  Firewall: ASA 5505



I access via SSH, and WHM.

I'm getting the following message texted to me at 2:15am every night.

 IMPORTANT: Do not ignore this email.
This message is to inform you that the account dgc has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.
 
I've looked at the users and in fact I do have a user "dgc" that has root access to my server. Godaddy told me to remove that user, but when I did it completely disabled my entire server, locking my "root" user out, shutting off the websites, everything. Godaddy came back and reinstated my root user and I'm able to get back in, but they will not address this hackcheck email.

I'm left to fix this on my own and I don't know what to do.

There is an extra directory that I didn't create located at /home/indexphp which I KNOW is not a directory I created.

Advice?
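As an added example (not part of the original post or of any hosting tool): the kind of check that produces a "user id 0" hackcheck warning, plus a look for home directories with no matching account, which is the /home/indexphp situation described above. It runs against a constructed passwd file and home directory; the function names and sample entries are assumptions of mine.

```shell
#!/bin/sh
# Added example (not from the thread): the check behind a "user id 0"
# hackcheck warning, plus a look for home directories whose name matches
# no account. Runs against constructed input; on a real CentOS box you
# would pass /etc/passwd and /home instead.

# Every account whose numeric uid (third field) is 0 and is not root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Directories under a home root whose name matches no account in passwd.
orphan_homes() {
    passwd=$1; homeroot=$2
    for d in "$homeroot"/*/; do
        n=$(basename "$d")
        awk -F: -v n="$n" '$1 == n { found = 1 } END { exit !found }' "$passwd" \
            || echo "$n"
    done
}

# Constructed sample data (hypothetical, not taken from the server).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
dgc:x:0:0::/home/dgc:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
EOF
SAMPLE_HOME=$(mktemp -d)
mkdir -p "$SAMPLE_HOME/dgc" "$SAMPLE_HOME/indexphp"

echo "uid-0 accounts other than root:"
uid0_accounts "$SAMPLE_PASSWD"                    # dgc
echo "home directories with no account:"
orphan_homes "$SAMPLE_PASSWD" "$SAMPLE_HOME"      # indexphp
```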



Offline Darkvision

  • EZ's Fluffer
  • VIP
  • Royal Highness
  • *
  • Posts: 755
  • Cookies: 149
  • Its not a bug, It's a Chilopodas.
Re: hackcheck
« Reply #1 on: February 11, 2014, 06:32:24 pm »
I'd say it depends; if it's business related I'd say hire a security expert ASAP and have them come set you straight. It WILL be expensive. The problem here is probably "most" of the advice we could give you would be over your head, not to mention in a "rooted" case you need to do about 3 fucktons of searching and analysis. You need to locate the vulnerability they got in with in the first place, patch/fix it, look for backdoors in everything... it's just a LOT of work. A lot of it takes a good bit of knowledge to go with it. There are SOME things you could run like VICE that MIGHT show if you got a rootkit running. But really if this impacts a business I'd say bring in the professionals, and if you really want to prevent/detect this stuff in the future on your own, start reading a LOT of books. If this is just some sites you have set up for "fun" I'd suggest starting over from the base up (fresh install of everything); the issue with this being that you still won't know how they got in, and they can/will just re-exploit the hole if they want to. Again for this kind of thing you can try running a dork/sqli scanner on your pages to see if they can't find the hole(s) and fix them yourself, but that will (at least to fix them) require knowledge on your part.


All of that being said, this is not an area of expertise for me. I'm sure others here will have other sage advice for yah, but I do want to reiterate once more: if this is for a business, hire a professional. Even if you have the knowledge to fix all this on your own, it's always a good thing to have an outsider look over your security to see if they can't find something you missed. One final thing: no program can find everything, and dork/sqli's are just the normal "easy" way in; they could have gotten in in a number of ways, it's just that it's a place to start looking.
The internet: where men are men, women are men, and children are FBI agents.

Ahh, EvilZone.  Where networking certification meets avian fecal matter & all is explained, for better or worse.

<Phage> I used an entrance I never use

Offline Phage

  • VIP
  • Overlord
  • *
  • Posts: 1280
  • Cookies: 120
Re: hackcheck
« Reply #2 on: February 11, 2014, 07:23:46 pm »
DarkVision said pretty much all of it.


BUT:


If the mail you received is EXACTLY the same as you showed us, it's fake. No official email from any serious host provider uses the word (OwN3D). If you're hosting a personal site and you don't deal with user credentials, credit card numbers etc., I would take a look at all the logs and see if you can locate anything there. After that I would take a look at the files on the server and the website itself. Look for shells or backdoors. If you're using a CMS for your website I would also check for new vulnerabilities for the version you're using. If you, on the other hand, deal with sensitive personal information, I would, as DarkVision said, get in contact with an expert. And leave everything as it is, meaning don't touch anything.


If you give us some more information about your website we might be able to give some more specific replies, but so far, we'll have to keep it all on a theoretical level.
"Ruby devs do, in fact, get all the girls. No girl wants a python, but EVERY girl wants rubies" - connection

"It always takes longer than you expect, even when you take into account Hofstadter’s Law."

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
Re: hackcheck
« Reply #3 on: February 11, 2014, 08:28:38 pm »
I know just enough to be dangerous, so I would appreciate some help with this matter.

I have a Godaddy Dedicated Server.
  Operating System: CentOS 6 x64
  Processor: Intel Core i5 - 3.10 GHz
  RAM: 16 GB
  Total Disk Space: 2000 GB
  RAID: None
  Disk Drive(s): 1000 GB (Drive #1), 1000 GB (Drive #2)
  Bandwidth Quota: 15000 GB
  Firewall: ASA 5505



I access via SSH, and WHM.

I'm getting the following message texted to me at 2:15am every night.

 IMPORTANT: Do not ignore this email.
This message is to inform you that the account dgc has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.
 
I've looked at the users and in fact I do have a user "dgc" that has root access to my server. Godaddy told me to remove that user, but when I did it completely disabled my entire server, locking my "root" user out, shutting off the websites, everything. Godaddy came back and reinstated my root user and I'm able to get back in, but they will not address this hackcheck email.

I'm left to fix this on my own and I don't know what to do.

There is an extra directory that I didn't create located at /home/indexphp which I KNOW is not a directory I created.

Advice?

Diff all important files and folders against the latest backup ;)
Do the same for the last modification date etc.
« Last Edit: February 11, 2014, 08:29:24 pm by proxx »
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage
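One way to carry out the two checks proxx suggests, as an added example that is not part of the reply: compare the live files against a backup copy (new and modified files) and list what changed after the backup's timestamp. The directory layout, file names and marker file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not proxx's own commands: diff a live tree against a
# backup copy and list files touched after the backup, using constructed
# directories. On a real server the two arguments would be e.g. the
# account's public_html and a restored backup of it.

# Files present in LIVE that differ from BACKUP, or that BACKUP lacks.
changed_files() {
    live=$1; backup=$2
    ( cd "$live" && find . -type f ) | sort | while read -r f; do
        if [ ! -f "$backup/$f" ]; then
            echo "NEW      $f"
        elif ! cmp -s "$live/$f" "$backup/$f"; then
            echo "MODIFIED $f"
        fi
    done
}

# Files under a tree with a modification time later than a reference file.
newer_than() {
    find "$1" -type f -newer "$2" | sort
}

# Constructed sample trees (hypothetical, not the server's real content).
LIVE=$(mktemp -d); BACKUP=$(mktemp -d)
mkdir -p "$LIVE/wp-content" "$BACKUP/wp-content"
printf '<?php echo "ok";\n' > "$BACKUP/index.php"
cp "$BACKUP/index.php" "$LIVE/index.php"            # unchanged since backup
printf 'clean\n' > "$BACKUP/wp-content/plugin.php"
touch "$BACKUP/.marker"                               # stands in for the backup time
sleep 1
printf 'clean\nextra line\n' > "$LIVE/wp-content/plugin.php"   # altered after backup
printf 'x\n' > "$LIVE/wp-content/unexpected.php"                # absent from backup

echo "differences against backup:"
changed_files "$LIVE" "$BACKUP"
# MODIFIED ./wp-content/plugin.php
# NEW      ./wp-content/unexpected.php
echo "modified after the backup:"
newer_than "$LIVE" "$BACKUP/.marker"
```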

Offline Silent Infiltrator

  • /dev/null
  • *
  • Posts: 17
  • Cookies: -1
  • I came, I saw, I took a nap
Re: hackcheck
« Reply #4 on: February 12, 2014, 06:51:44 pm »
Pretty much what DarkVision said... What kernel are you using? I know for a fact that that plays a very big part in root exploits.
#YOLOSWAG