  #1 aramazan (Registered User, joined Mar 2007, 2 posts)

    hackcheck immutable

    Hello,

    The daily /scripts/upcp output contains the messages below:

    ...
    Fetching http://httpupdate.cpanel.net/cpanels.../hackcheck.bz2 (0)....@69.90.250.35......connected......receiving...100%......Done
    Got file ./hackcheck ok (md5 matches)
    mv: cannot move `/scripts/./hackcheck' to `/scripts/./hackcheck.unlink': Operation not permitted
    mv: cannot move `/scripts/./hackcheck-cpanelsync' to `/scripts/./hackcheck': Operation not permitted
    Done updating /scripts
    ...

    I checked /scripts/hackcheck with lsattr and it is set immutable. I looked at the diff between the freshly downloaded one (hackcheck-cpanelsync) and the frozen one (hackcheck), and here is the diff output:

    # diff hackcheck hackcheck-cpanelsync
    88c88
    < if ( $uid == 0 && $user ne "root" && $user ne "admin" ) {
    ---
    > if ( $uid == 0 && $user ne "root" && $user ne "toor" ) {

    It appears that someone hacked the hackcheck script, changed the check for "toor" to "admin" to cover himself, and then set the script immutable so that daily updates won't revert his changes.

    Now the interesting part is that the supposedly hacked script (hackcheck) contains the correct user check (admin is given root privileges so that our host operator can locally intervene upon our request), and the supposedly fresh update (hackcheck-cpanelsync) has a check for the bogus user "toor".

    Is there something that I'm missing here? (Definitely there is, but what...) Or do I have grounds to suspect that my server might be compromised?

    Thanks a lot

  #2 AndyReed (cPanel Partner NOC, joined May 2004, Minneapolis, MN, 2,223 posts)

    Quote originally posted by aramazan:
    > mv: cannot move `/scripts/./hackcheck' to `/scripts/./hackcheck.unlink': Operation not permitted
    > mv: cannot move `/scripts/./hackcheck-cpanelsync' to `/scripts/./hackcheck': Operation not permitted
    >
    > Is there something that I'm missing here? (Definitely there is, but what...) Or do I have grounds to suspect that my server might be compromised?
    It is rather difficult to say whether your system has been compromised. Scan your OS with the rkhunter and chkrootkit applications.

    A rootkit may replace 'ps' with a version of the command that will not display information about particular processes, and may replace 'md5sum' with a version of the command that reports the expected --- though not accurate --- checksums for compromised system binaries. Other frequently-compromised binaries include ls, netstat, top; a relatively complete rootkit may include two dozen or more binaries, most of which are trojaned versions of standard system commands.

    Hope this helps!
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  #3 chirpy (Super Moderator; account confirmed by cPanel staff to represent a vendor; joined Jun 2002; location "Go on, have a guess"; 13,495 posts)

    No, that's perfectly normal and is simply an update to that script. You should not use the immutable flag on any of the files in /scripts otherwise you're risking the stability of cPanel and the OS on your server.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  #4 aramazan (Registered User, joined Mar 2007, 2 posts)

    Thank you ServerTune and chirpy. It turned out that my dedicated hosting provider had set hackcheck immutable so that daily cPanel updates wouldn't revert their custom (and minuscule) change to this script.

    BTW, while the change itself is minuscule with no security concerns, I wonder what happens if cPanel makes some rather substantial changes to system management that mandate upgrading hackcheck in sync with several other files. All the files involved would be upgraded except hackcheck. Could it render the system unusable, or worse, open some unnoticed security holes? I guess I'll periodically check the diff between the immutable hackcheck and the latest version.

    Thanks and best regards
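The original poster did this audit by hand (lsattr, then diff against the -cpanelsync copy that upcp left behind), and the last post proposes repeating that check periodically. The POSIX shell script below is an added example covering both; it is not code from the thread or from cPanel. It assumes the layout the thread shows, a pinned file at /scripts/<name> with the copy upcp could not install beside it as /scripts/<name>-cpanelsync, and the function names are my own. The lsattr lines and file contents in the demo are constructed to mirror the one-line diff quoted in the first post.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel. Assumes the layout
# the thread shows: /scripts/<name> is the pinned file and upcp leaves the
# copy it could not install beside it as /scripts/<name>-cpanelsync.

# Print the paths whose lsattr(1) attribute string contains the immutable
# flag. Input: lsattr output on stdin, one "<attrs> <path>" line per file.
# Lowercase 'i' only: uppercase 'I' is the htree directory-index flag.
immutable_paths() {
    awk 'NF >= 2 && $1 ~ /i/ { print $2 }'
}

# Compare a pinned file with its vendor copy. Prints one word:
#   missing  no <file>-cpanelsync beside it (update installed, or never ran)
#   same     vendor copy identical, the pin changes nothing right now
#   differs  vendor copy differs, inspect with: diff FILE FILE-cpanelsync
pinned_status() {
    vendor="$1-cpanelsync"
    if [ ! -f "$vendor" ]; then
        echo missing
    elif cmp -s "$1" "$vendor"; then
        echo same
    else
        echo differs
    fi
}

# Audit: feed lsattr output (live: lsattr /scripts/* | audit_pinned) and get
# "<path> <status>" for every immutable file.
audit_pinned() {
    immutable_paths | while read -r p; do
        printf '%s %s\n' "$p" "$(pinned_status "$p")"
    done
}

# SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Baseline check: record the hash of the pinned file when you reviewed and
# approved it, and alert when it changes. The immutable flag is not tamper
# evidence: anyone with root (CAP_LINUX_IMMUTABLE) can chattr -i, edit and
# chattr +i again, which is exactly what the original poster feared.
baseline_ok() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Stand-alone demo on constructed data mirroring the diff quoted in the
# thread (run: sh audit.sh demo). Prints "<tmpdir>/hackcheck differs" and
# the one-line diff between the two copies.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'if ( $uid == 0 && $user ne "root" && $user ne "admin" ) {' > "$d/hackcheck"
    printf '%s\n' 'if ( $uid == 0 && $user ne "root" && $user ne "toor" ) {' > "$d/hackcheck-cpanelsync"
    # Constructed lsattr lines; in real use pipe lsattr /scripts/* instead.
    printf -- '----i--------e-- %s/hackcheck\n-------------e-- %s/upcp\n' "$d" "$d" | audit_pinned
    diff "$d/hackcheck" "$d/hackcheck-cpanelsync" || true
    rm -rf "$d"
}

if [ "${1-}" = demo ]; then
    demo
fi
```

Two caveats. The immutable flag is set and cleared with chattr by anyone holding CAP_LINUX_IMMUTABLE, in practice root, so it says nothing about who last edited the file; that is why the script also carries a hash recorded when the pinned copy was reviewed. And, as the second post points out, on a rooted box lsattr, md5sum, cmp and diff themselves may lie, so a comparison that matters should use tools and a reference copy brought in from a machine you trust, not the possibly compromised host's own binaries.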
