[Security] MD5 and Size check

[Radio_Head]

I wrote a script to make MD5 checksums and Size checks
on my red hat packages .

I found some checksum problem on some package
(using rpm -V util-linux net-tools procps [package)

frontpage-5.0-0
SM5...GT /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe
S.5....T /usr/local/frontpage/version5.0/apache-fp/fpexe.c S.5....T /usr/local/frontpage/we80.cnf

and
gd-devel-1.8.4-4

S.5....T /usr/include/gd.h S.5....T /usr/include/gd_io.h S.5....T /usr/include/gdcache.h S.5....T /usr/include/gdfontg.h S.5....T /usr/include/gdfontl.h S.5....T /usr/include/gdfontmb.h S.5....T /usr/include/gdfonts.h S.5....T /usr/include/gdfontt.h S.5....T /usr/lib/libgd.a

and
gd-progs-1.8.4-4

S.5....T /usr/bin/gd2copypal S.5....T /usr/bin/gd2topng S.5....T /usr/bin/gdparttopng S.5....T /usr/bin/gdtopng S.5....T /usr/bin/pngtogd S.5....T /usr/bin/pngtogd2 S.5....T /usr/bin/webpng

and
imap-2001a-10
S.5....T /usr/sbin/imapd

and

pam-0.75-46.7.3
S.5....T c /etc/pam.d/system-auth

and

perl-5.6.1-34.99.6

S.5....T /usr/bin/a2p S.5....T /usr/bin/perl S.5....T /usr/bin/perl5.6.1 S.5....T /usr/bin/perlbug S.5....T /usr/lib/perl5/5.6.1/ExtUtils/MM_Unix.pm S.5....T /usr/lib/perl5/5.6.1/ExtUtils/MakeMaker.pm S.5....T /usr/lib/perl5/5.6.1/Getopt/Long.pm S.5....T /usr/lib/perl5/5.6.1/Test/Harness.pm S.5....T /usr/lib/perl5/5.6.1/newgetopt.pl


Is it a good idea to reinstall above package or they were
modified by WHM/Cpanel ?

[vishal]

Originally posted by Radio_Head
I wrote a script to make MD5 checksums and Size checks
on my red hat packages .

I found some checksum problem on some package
(using rpm -V util-linux net-tools procps [package)

frontpage-5.0-0
SM5...GT /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe
S.5....T /usr/local/frontpage/version5.0/apache-fp/fpexe.c S.5....T /usr/local/frontpage/we80.cnf

and
gd-devel-1.8.4-4

S.5....T /usr/include/gd.h S.5....T /usr/include/gd_io.h S.5....T /usr/include/gdcache.h S.5....T /usr/include/gdfontg.h S.5....T /usr/include/gdfontl.h S.5....T /usr/include/gdfontmb.h S.5....T /usr/include/gdfonts.h S.5....T /usr/include/gdfontt.h S.5....T /usr/lib/libgd.a

and
gd-progs-1.8.4-4

S.5....T /usr/bin/gd2copypal S.5....T /usr/bin/gd2topng S.5....T /usr/bin/gdparttopng S.5....T /usr/bin/gdtopng S.5....T /usr/bin/pngtogd S.5....T /usr/bin/pngtogd2 S.5....T /usr/bin/webpng

and
imap-2001a-10
S.5....T /usr/sbin/imapd

and

pam-0.75-46.7.3
S.5....T c /etc/pam.d/system-auth

and

perl-5.6.1-34.99.6

S.5....T /usr/bin/a2p S.5....T /usr/bin/perl S.5....T /usr/bin/perl5.6.1 S.5....T /usr/bin/perlbug S.5....T /usr/lib/perl5/5.6.1/ExtUtils/MM_Unix.pm S.5....T /usr/lib/perl5/5.6.1/ExtUtils/MakeMaker.pm S.5....T /usr/lib/perl5/5.6.1/Getopt/Long.pm S.5....T /usr/lib/perl5/5.6.1/Test/Harness.pm S.5....T /usr/lib/perl5/5.6.1/newgetopt.pl


Is it a good idea to reinstall above package or they were
modified by WHM/Cpanel ?

Did u run Chkrootkit !!!

Regards,

[jamesbond]

Radiohead, I saw in another thread you mentioned tripwire.
Why did you decide not to use tripwire and write your own scripts?

[Radio_Head]

Originally posted by jamesbond
Radiohead, I saw in another thread you mentioned tripwire.
Why did you decide not to use tripwire and write your own scripts?

Because to do the checksum above are enough
about 10 php rows (surely you can do that also with a small bash script) . I don't know what does exactly tripwire , I don't think it's only a checksum software . I think that tripwire when find something wrong deny the usage of some program and other things .

[Radio_Head]

Originally posted by vishal
Did u run Chkrootkit !!!
Regards,

Yes I run chkrootkit very often . However , I repeat you ,
those packages should be modified by cpanel ,
try to execute ( version packages are for a red hat 7.2 box)

rpm -V util-linux net-tools procps frontpage
rpm -V util-linux net-tools procps gd-devel
rpm -V util-linux net-tools procps gd-progs
rpm -V util-linux net-tools procps imap
rpm -V util-linux net-tools procps pam
rpm -V util-linux net-tools procps per

and tell me if you have some S.5 error .
Probably yes , and I think because these files are modified by cpanel .

[Radio_Head]

bump

[Radio_Head]

bump

[Radio_Head]

I received this reply from darkorb ..

Yes, cpanel does modify some rpm's so this is something you should not worry about...

[Radio_Head]

they told me also that it's not a good idea to force installation of rpm to remove the checksum error , because the file were modified by Cpanel .

The problem is that I have a list of rpm with checksum errors and I don't which are the rpm that are modified by cpanel and if I have some rpm modified for example from an hacker .

I think we should know exactly which are the rpm modified
by cpanel/whm and the new Cpanel/WHM checksum .

[Radio_Head]

I opened a ticket and darkorb provided me an ftp cpanel link
where for every linux distrubution are listed all the rpm modified my Cpanel/WHM . Good ! In this way I can exactly know which are the rpms which could have md5 size checksum errors and rpm which should NOT have md5 size checksum errors .

[howard]

yep i like the fact that they provide the src rpms as well so you can roll your own if your parnoid lol (or for ease of use)