  1. #1
    Member
    Join Date
    Nov 2005
    Posts
    8

    Default cpanel e-mail I'm getting - please help

    Please tell me what I should do about this. I searched google and found nothing. It is sending this e-mail every day for the past few days:

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the rpm
    package tcp_wrappers did not match the expected checksum. This could mean that
    your system was compromised (OwN3D). The offending files have been removed
    and replaced with the OS default. To be safe you should verify that your
    system has not be compromised.

    Modified Files:
    ........C /usr/lib/libwrap.so.0.7.6

    There is a tcp_wrappers-7.6-39.i386.rpm on the root directory which I didn't put there.

    When I do an uptime command it says there are 2 users even though I'm the only one telnetted in when I do a who command.

    I'm fairly new to linux, please help. Thanks!
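
Added example, not part of the original thread and not cPanel's hackcheck code: the `........C /usr/lib/libwrap.so.0.7.6` line in the e-mail above has the shape of `rpm -V` output, and this POSIX shell decoder reports which attributes such a line flags and whether the content digest (`5`) is among them. Reading the trailing `C` as "SELinux context differs" is an assumption about rpm builds of that era, and the function names are hypothetical.

```shell
#!/bin/sh
# Decode the attribute column of an `rpm -V` style line.
# S M 5 D L U G T P are rpm's documented verify flags; "." means the test passed.
# ASSUMPTION: a trailing "C" means "SELinux context differs" (check `man rpm` on the host).

decode_rpm_verify() {
    line=$1
    flags=${line%% *}          # first field: the flag string
    path=${line##* }           # last field: the file path
    if [ "$flags" = "missing" ]; then
        printf '%s: missing\n' "$path"
        return 0
    fi
    out=""
    rest=$flags
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"} # first character of what is left
        rest=${rest#?}
        case $ch in
            .)  ;;
            \?) out="${out}unreadable," ;;
            S)  out="${out}size," ;;
            M)  out="${out}mode," ;;
            5)  out="${out}digest," ;;
            D)  out="${out}device," ;;
            L)  out="${out}symlink," ;;
            U)  out="${out}owner," ;;
            G)  out="${out}group," ;;
            T)  out="${out}mtime," ;;
            P)  out="${out}capabilities," ;;
            C)  out="${out}selinux-context(assumed)," ;;
            *)  out="${out}unknown:${ch}," ;;
        esac
    done
    printf '%s: %s\n' "$path" "${out%,}"
}

# Exit status 0 only when the digest flag is set, i.e. the file content differs.
content_changed() {
    case ${1%% *} in
        *5*) return 0 ;;
        *)   return 1 ;;
    esac
}

# First line is the one quoted in the e-mail; the second is constructed for contrast.
decode_rpm_verify '........C /usr/lib/libwrap.so.0.7.6'
decode_rpm_verify 'S.5....T.  c /etc/hosts.allow'
```

A line where only the last column is set reports no size, digest or mtime difference, which is a different finding from a replaced library.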

  2. #2
    Member
    Join Date
    Nov 2005
    Posts
    8

    Default

    Also please note that I'm the only one using the server and I don't have any high profile domains on the server, so it's not like I'm a tempting target for attack. Thanks.

  3. #3
    Member sumith's Avatar
    Join Date
    May 2005
    Posts
    96

    Default

    Seems that you/somebody tried to upgrade the tcp_wrappers. If you are sure that you haven't tried it, then scan the server to see if the server is compromised.

  4. #4
    Member
    Join Date
    Nov 2005
    Posts
    8

    Default

    I haven't tried to upgrade tcp_wrappers, and I am the only one with access to the server. Would cPanel try to upgrade it automatically?

    Also, can you point me to a resource that will help me learn how to scan the server to see if it has been compromised?

    All I knew to do was look for any files with new timestamps to see what files may have been changed/uploaded and I couldn't find any out of the ordinary.

    Thank you for your reply.

    -
    Chris

  5. #5
    Member
    Join Date
    Nov 2005
    Posts
    8

    Default

    Well, I've completely reinstalled tcp_wrappers and all rpms that depend on it using yum, and I'm still getting this e-mail.

    Any help would be greatly appreciated.

  6. #6
    Member serversphere's Avatar
    Join Date
    Jan 2004
    Posts
    658

    Default

    Install Rkhunter and Chkrootkit, run each and report the results. The fact that you say you were "telnetted in" is a red flag for me. I hope you mean logged in via secure shell. If not, you should start using SSH and close off Telnet right away.

    I wouldn't be so worried about that wrapper update if it weren't for the 2nd user you see connected to the system and the fact that the file is in the root directory. I'm assuming you have Tripwire or some such installed and that is throwing the error email at you since tcp_wrapper was upgraded.

    Post results for these:
    netstat -na
    nmap -sT -O 127.0.0.1

  7. #7
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    Btw, this particular one looks to be a false-positive. If you reinstall the tcp_wrappers RPM the library is still modified.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  8. #8
    Member
    Join Date
    Jan 2006
    Posts
    5

    Default

    I recently began receiving this email, as well. Other than this email, I have found no sign of a break-in. If this is indeed a false positive, is there a fix for the issue? Thanks.

  9. #9
    Member
    Join Date
    Jan 2006
    Posts
    5

    Default

    Just to give you an idea of what's going on in logs:

    tcp_wrappers fails checksum !!!
    Notification => ???@???.com via EMAIL [level => 1]
    Fetching http://updates.cpanel.net/pub/hackch....6-39.i386.rpm (0)....@69.90.250.35......connected......receiving...3%...7%...11%...15%...19%...23%...27%...31%...35%...39%...43%...47%...51%...55%...59%...63%...67%...71%...75%...79%...83%...87%...91%...95%...99%...100%......Done
    Error fetching http://updates.cpanel.net/pub/hackch....6-39.i386.rpm at /scripts/cPScript/RpmUtils.pm line 81.

    I'd appreciate any help you could offer. Thanks!

  10. #10
    Member
    Join Date
    Aug 2006
    Posts
    15

    Default

    Same exact problem here. What OS are you all running? From the looks of it, this may be some problem with Fedora.

    Also, looked at /scripts/hackcheck and see that if the checksum fails it tries to download and upgrade (reinstall) the RPM from cPanel's mirror. As abcX pointed out, the download fails, so I did it manually:

    Code:
    # wget http://updates.cpanel.net/pub/hackcheck/fedora/4/tcp_wrappers-7.6-39.i386.rpm
    # rpm -Uvh --replacepkgs --nodeps --force tcp_wrappers-7.6-39.i386.rpm

    Still /scripts/hackcheck failed.

  11. #11
    Member rikgarner's Avatar
    Join Date
    Mar 2006
    Location
    /dev/null
    Posts
    75

    Default

    For me, it's pointing to a Fedora problem - I have a Fedora box which has just started doing the same thing.

    Could you confirm which distro you're running please Yates?

    Rich

  12. #12
    Member
    Join Date
    Jan 2006
    Posts
    5

    Default

    Yep. Fedora here, as well.

  13. #13
    Member rikgarner's Avatar
    Join Date
    Mar 2006
    Location
    /dev/null
    Posts
    75

    Default

    Might be time to bugzilla that RPM for Fedora....
    Any views or opinions presented are solely those of the author and do not necessarily represent those of Computer Service Centre. Any advice is given solely on the assumption that it will be followed at your own risk.

  14. #14
    Member
    Join Date
    Aug 2006
    Posts
    22

    Default

    I'm getting a lot of bugs with Fedora... I'm thinking of changing it for Debian or Slackware...
    Best Regards,
    Rafael.

  15. #15
    Member rikgarner's Avatar
    Join Date
    Mar 2006
    Location
    /dev/null
    Posts
    75

    Default

    Most of our boxes are running CentOS 4.3 and we are having very few problems.

    Rich
    Any views or opinions presented are solely those of the author and do not necessarily represent those of Computer Service Centre. Any advice is given solely on the assumption that it will be followed at your own risk.
