False Account modification alert

Post by Orlando

Hello,

On one of our servers we received an email like:

Reported Modifications:

New account [root] has been created with uid:[0] gid:[0] login:[/root] shell:[/bin/bash]

But nothing was changed for the root user.

grep '0:0' /etc/passwd
root:x:0:0:root:/root:/bin/bash

chage -l root
Last password change : , 2019
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : -1
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

It is a CloudLinux release 7.7 server with cPanel.

What can be the issue? How can I test the lfd script which checks the account modification?