Two root accounts, what to do?
Processes and files are actually owned by user ID numbers, not user names. rootk and root have the same UID, so everything owned by one is also owned by the other. Based on your description, it sounds like userdel saw every root process (UID 0) as belonging to the rootk user.
According to this man page, userdel has an option -f to force removal of the account even if it has active processes. And userdel would probably just delete rootk's passwd entry and home directory, without affecting the actual root account.
To be safer, I might be inclined to hand-edit the password file to remove the entry for rootk, then hand-remove rootk's home directory. You may have a command on your system named vipw, which lets you safely edit /etc/passwd in a text editor.
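The answer above rests on the fact that ownership is decided by the numeric UID, so the useful check before touching the password file is to list every passwd entry that carries UID 0 and flag any that is not named root. The script below is an added example and not part of the original answers; it runs against a constructed passwd-format file (a copy of the format in /etc/passwd, not a real system file) so it can be tried offline, and the function names audit_uid0 and extra_uid0_count are the example's own.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts that share UID 0.
# Fields in passwd format: name:passwd:UID:GID:gecos:home:shell

# Print name, UID, home directory and shell of every UID-0 entry.
audit_uid0() {
    awk -F: '$3 == 0 { print $1, $3, $6, $7 }' "$1"
}

# Count UID-0 entries whose name is not "root". Anything above 0 is the
# "two root accounts" situation: a second login that is, in effect, root.
extra_uid0_count() {
    awk -F: '$3 == 0 && $1 != "root" { n++ } END { print n + 0 }' "$1"
}

# Constructed sample passwd file for demonstration only (not /etc/passwd).
SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rootk:x:0:0::/home/rootk:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

echo "UID-0 accounts in $SAMPLE_PASSWD:"
audit_uid0 "$SAMPLE_PASSWD"
echo "UID-0 accounts other than root: $(extra_uid0_count "$SAMPLE_PASSWD")"
```

On a live system, point both functions at /etc/passwd; a non-zero count from extra_uid0_count is the cue to inspect the entry (and its home directory and shadow entry) with vipw rather than with userdel, for the reason the answer gives: userdel cannot tell the two accounts' processes apart.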
That indeed looks like a backdoor.
I'd consider the system compromised and nuke it from orbit. Even if it is possible to remove the user, you have no idea what interesting surprises were left on the machine (e.g. a keylogger to get users' passwords for various websites).