The Community Forums


cpanel e-mail I'm getting - please help

Discussion in 'E-mail Discussions' started by yates, Aug 5, 2006.

  1. yates (Member, joined Nov 23, 2005)

    Please tell me what I should do about this. I searched google and found nothing. It is sending this e-mail every day for the past few days:

    There is a tcp_wrappers-7.6-39.i386.rpm on the root directory which I didn't put there.

    When I do an uptime command it says there are 2 users even though I'm the only one telnetted in when I do a who command.

    I'm fairly new to linux, please help. Thanks!
     
  2. yates (Member, joined Nov 23, 2005)

    Also please note that I'm the only one using the server and I don't have any high profile domains on the server, so it's not like I'm a tempting target for attack. Thanks.
     
  3. sumith (Well-Known Member, joined May 9, 2005)

    Seems that you/somebody tried to upgrade the tcp_wrappers. If you are sure that you haven't tried it, then scan the server to see if the server is compromised.
     
  4. yates (Member, joined Nov 23, 2005)

    I haven't tried to upgrade tcp_wrappers, and I am the only one with access to the server. Would cPanel try to upgrade it automatically?

    Also, can you point me to a resource that will help me learn how to scan the server to see if it has been compromised?

    All I knew to do was look for any files with new timestamps to see what files may have been changed/uploaded and I couldn't find any out of the ordinary.

    Thank you for your reply.

    -
    Chris
     
  5. yates (Member, joined Nov 23, 2005)

    well, I've completely reinstalled tcp_wrappers and all rpms that depend on it using yum, and I'm still getting this e-mail.

    Any help would be greatly appreciated.
     
  6. mctDarren (Well-Known Member, joined Jan 6, 2004; Location: New Jersey; cPanel Access Level: Root Administrator)

    Install Rkhunter and Chkrootkit, run each and report the results. The fact that you say you were "telnetted in" is a red flag for me. I hope you mean logged in via secure shell. If not, you should start using SSH and close off Telnet right away.

    I wouldn't be so worried about that wrapper update if it weren't for the 2nd user you see connected to the system and the fact that the file is in the root directory. I'm assuming you have Tripwire or some such installed and that is throwing the error email at you since tcp_wrapper was upgraded.

    Post results for these:
    netstat -na
    nmap -sT -O 127.0.0.1
     
  7. chirpy (Well-Known Member, joined Jun 15, 2002; Location: Go on, have a guess)

    Btw, this particular one looks to be a false-positive. If you reinstall the tcp_wrappers RPM the library is still modified.
     
  8. abcX (Member, joined Jan 8, 2006)

    I recently began receiving this email, as well. Other than this email, I have found no sign of a break-in. If this is indeed a false positive, is there a fix for the issue? Thanks.
     
  9. abcX (Member, joined Jan 8, 2006)

    Just to give you an idea of what's going on in logs:

    tcp_wrappers fails checksum !!!
    Notification => ???@???.com via EMAIL [level => 1]
    Fetching http://updates.cpanel.net/pub/hackcheck/fedora/4/tcp_wrappers-7.6-39.i386.rpm (0)....@69.90.250.35......connected......receiving...3%...7%...11%...15%...19%...23%...27%...31%...35%...39%...43%...47%...51%...55%...59%...63%...67%...71%...75%...79%...83%...87%...91%...95%...99%...100%......Done
    Error fetching http://updates.cpanel.net/pub/hackcheck/fedora/4/tcp_wrappers-7.6-39.i386.rpm at /scripts/cPScript/RpmUtils.pm line 81.

    I'd appreciate any help you could offer. Thanks!
     
  10. trich (Member, joined Aug 8, 2006)

    Same exact problem here. What OS are you all running? From the looks of it, this may be some problem with Fedora.

    Also, looked at /scripts/hackcheck and see that if the checksum fails it tries to download and upgrade (reinstall) the RPM from cPanel's mirror. As abcX pointed out, the download fails, so I did it manually:

    Code:
    # wget http://updates.cpanel.net/pub/hackcheck/fedora/4/tcp_wrappers-7.6-39.i386.rpm
    # rpm -Uvh --replacepkgs --nodeps --force tcp_wrappers-7.6-39.i386.rpm
    
    Still /scripts/hackcheck failed.
     
  11. rikgarner (Well-Known Member, joined Mar 31, 2006; Location: /dev/null)

    For me, it's pointing to a Fedora problem - I have a Fedora box which has just started doing the same thing.

    Could you confirm which distro you're running please, Yates?

    Rich
     
  12. abcX (Member, joined Jan 8, 2006)

    Yep. Fedora here, as well.
     
  13. rikgarner (Well-Known Member, joined Mar 31, 2006; Location: /dev/null)

    Might be time to bugzilla that RPM for Fedora....:rolleyes:
     
  14. rafaelgp (Member, joined Aug 7, 2006)

    I'm getting a lot of bugs with Fedora... I'm thinking of changing it for Debian or Slackware...
     
  15. rikgarner (Well-Known Member, joined Mar 31, 2006; Location: /dev/null)

    most of our boxes are running Centos 4.3 and we are having very few problems :)

    Rich
     
  16. chris74108 (Well-Known Member, joined Apr 30, 2004)

    Q.F.T.

    Thanks!
     
  17. yates (Member, joined Nov 23, 2005)

    Hello,

    Yes, I always use SSH/putty but I'm not sure if telnet is disabled, I'll disable it if it isn't.

    I'm using Fedora also.

    Seeing as how this seems to be an OS issue, I won't post the results of the Rkhunter, Chkrootkit, netstat, and nmap commands, but thank you for telling me about those. I'll research what information those commands give you and how they would be useful in determining if the system is ever compromised in the future.

    For the problem at hand, is there a way to disable hackcheck from processing tcp_wrappers until that is fixed, or would that be a bad idea?
     
    #17 yates, Aug 8, 2006
    Last edited: Aug 8, 2006
  18. yates (Member, joined Nov 23, 2005)

    Or better yet, it seems that the hackcheck simply does a checksum comparison. Since I re-installed the rpm and it's still sending the e-mail, the checksum that hackcheck is using must be invalid. Is there a way to edit a hackcheck config file and update the checksum to the correct value of the rpm?
     
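The checksum-baseline logic that trich's reading of /scripts/hackcheck and the question above describe, as an added illustration that is not cPanel's code: a baseline recorded before a legitimate package update keeps flagging the file until it is refreshed, and the refresh should happen only after the file has been verified by an independent means such as the package manager's own verify command. All paths and file contents below are constructed.

```python
import hashlib
import os
import tempfile

def hash_file(path, algo="sha256"):
    """Return the hex digest of a file, read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_baseline(baseline, root):
    """Compare files under root with a {relative_path: digest} baseline."""
    result = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(baseline.items()):
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            result["missing"].append(rel)
        elif hash_file(path) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result

def rebaseline(baseline, root, paths):
    """Record current digests only for paths verified through another channel."""
    updated = dict(baseline)
    for rel in paths:
        updated[rel] = hash_file(os.path.join(root, rel))
    return updated

def demo():
    """Constructed scenario: stale baseline flags an updated library until refreshed."""
    lib = "lib/libwrap.so"  # constructed path, not a real system file
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, lib), "wb") as f:
            f.write(b"libwrap build 38")  # constructed content
        baseline = {lib: hash_file(os.path.join(root, lib))}
        before = check_baseline(baseline, root)
        with open(os.path.join(root, lib), "wb") as f:
            f.write(b"libwrap build 39")  # simulated vendor update
        stale = check_baseline(baseline, root)  # reports a false positive
        baseline = rebaseline(baseline, root, [lib])  # after verification
        refreshed = check_baseline(baseline, root)
        return before, stale, refreshed
```

Reinstalling the same package over a wrong stored digest changes nothing, which is why the thread's reinstall attempts still produced the alert; the stored value is what has to be corrected.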
  19. abcX (Member, joined Jan 8, 2006)

    Has anyone (or is anyone planning on) posting this problem on Bugzilla?
     
  20. trich (Member, joined Aug 8, 2006)

    I have a ticket open with cPanel about the issue. I'll update the thread when they get back with me.
     