[hackcheck] fileutils failed checksum test

[H2Hosting.com]

Did you receive this? (I have such emails from 2 servers)
----------------------------

IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm
package fileutils did not match the expected checksum. This could mean that
your system was compromised (OwN3D). The offending files have been removed
and replaced with the OS default. To be safe you should verify that your
system has not be compromised.

Modified Files:
.......T c /etc/DIR_COLORS
.......T c /etc/profile.d/colorls.csh
.......T c /etc/profile.d/colorls.sh

[tmellon]

I got that as well about 1/2 hour ago...

[s3kk3y]

just got right now as well.

Is this something to worry about?

[ecoutez]

But only on the RedHat 7.2 boxes. The 7.3 ones had no problem.

It appears that upcp downloaded the latest version of fileutils tonight. No reason to think this is an intrusion.


Downloading fileutils-4.1-10.1.i386.rpm
Retrieving http://updates.cpanel.net/pub/rpmup/redhat/7.3/x86/updates/fileutils-4.1-10.1.i386.rpm
Preparing... ##################################################
fileutils ##################################################

- Jason

[Radio_Head]

same for me on my red hat 7.2 :-O !!!
I forced to reinstall the fileutils rpm , and I rebuilded the rpm
database , today I received again that advice .
What's happening ?
Look the modification on /sbin/nologin too ...
(file Size , 5 MD5 sum and mTime differ.... )

have we to be worried ?

[b:04bfbf1282]
==================
# rpm -V util-linux net-tools procps fileutils

.......T c /etc/fdprm
.......T c /etc/pam.d/chfn
.......T c /etc/pam.d/chsh
.......T c /etc/pam.d/login
S.5....T /sbin/nologin
.......T c /etc/DIR_COLORS
.......T c /etc/profile.d/colorls.csh
.......T c /etc/profile.d/colorls.sh
==================
[/b:04bfbf1282]

[kt]

Only my system was hacked =o(

[ivaserver]

I got the same email

how do tell if my system was hacked?

Thanks
Ivaserver

[dgbaker]

One way to tell is a trojan horse.

look in /usr/share/locale/sk/.sk

use ls -la

It is a trojan that causes the following

Hidden Pid detected! [pid 1455]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/share/locale/sk/.sk/sk]

It is a sniffer program trying to get info on the system.

[xsenses]

I have looked in /usr/share/locale/sk and there does not seem to be any .sk and I am getting the message.

[hisanuk]

Hi guys,
I am also gettin the same Warning e-mail since 2 days now
Would this be a C-panel WHM error ?????

Sanuk

[ozzi4648]

Another night of receiving this msg. Will they not fix this? 3 or 4 nights and counting. Get it together Cpanel!!!!!!!!!!!!!!!!!!!!!!

[dpss]

I am seeing this on all our 7.2 boxen but not our 8.0 ones.

Looks like a minor CP bug at this time.

[ecoutez]

Nick took a look at one of my RedHat 7.2 boxes exhibiting this behavior and found the problem.

Run /scripts/updatenow and it should be fixed.

- Jason

[hisanuk]

Hello,

Please informme how to:
Run /scripts/updatenow and it should be fixed.

Or will the error also be fixed by the next-days C-panel update

Thanks & Regards
Sanuk

[xsenses]

SSH into you box, move into the scripts directory /scripts and ./updatenow