The Community Forums


Got hacked? I have no idea what is going on :/

Discussion in 'General Discussion' started by student, Apr 4, 2007.

  1. student

    student Active Member

    Joined:
    Aug 9, 2006
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    6
    My system's core files have been changed; here is a short log from the integrity checker:

    Code:
    [Wed Apr 4 04:02:41 CEST 2007] Error MD5 checksum for /usr/sbin/exim current is: afd56f3dbc70482c61e38bb148f5384d
    [Wed Apr 4 04:07:41 CEST 2007] Error MD5 checksum for /usr/sbin/pure-ftpd current is: 5ff3f34843836c6f6789d5e3b62ffa54
    [Wed Apr 4 04:12:41 CEST 2007] Error MD5 checksum for /usr/bin/postmaster current is: b82e18658a5819fb80d260b388028921
    [Wed Apr 4 04:17:41 CEST 2007] Error MD5 checksum for /usr/lib/courier-imap/libexec/couriertcpd current is: 8ce348182e8f0ad2d06b8c3cbdbd84ac
    As you can see, between 04:02 and 04:17 my core files:
    /usr/sbin/exim
    /usr/sbin/pure-ftpd
    /usr/bin/postmaster
    /usr/lib/courier-imap/libexec/couriertcpd

    have reported checksum errors. It's not the first time I've seen this; once I forced reinstallation of the corrupted packages to get the original binaries.
    Now that the problem has repeated, I need to ask you for help. If anyone has experienced such strange binary corruption or knows what is going on, please let me know.

    I was trying to figure out what could be the reason for this, unfortunately without success. My crontab has no task defined to run at 04:02.

    What is most strange, my /usr/sbin/, /usr/bin/ and /usr/lib/courier-imap/libexec/ directories (where the changed files are located) have the immutable flag set by chattr, so without turning this flag off it is not possible to change any file in those directories ... what's more, I have hidden the chattr binary so that an attacker can't easily find this command.

    Please, if anyone can help me with this issue ... I'd appreciate any help.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    /etc/cron.daily/ runs at 04:00, so check the jobs within that directory. I'd suspect that you have an OS update procedure that is installing the incorrect versions of those files and then the nightly /scripts/upcp run is putting them back to the cPanel supported ones. Sounds like a configuration issue rather than anything nefarious.
     
  3. student

    student Active Member

    Joined:
    Aug 9, 2006
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    6
    Chirpy, thanks for your response,

    but take a look at my crontab:
    Code:
    13 23 * * * /scripts/upcp
    0 1 * * * /scripts/cpbackup
    */15 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
    2,58 * * * * /usr/local/bandmin/bandmin
    0 0 * * * /usr/local/bandmin/ipaddrmap
    17 3 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
    29 16 * * * cd /usr/local/cpanel/whostmgr/docroot/cgi/fantastico/scripts/ ; /usr/local/cpanel/3rdparty/bin/php cron.php > /dev/null 2>&1
    13 5 * * * /srv/sn_update
    0 6 * * * /scripts/exim_tidydb > /dev/null 2>&1
    */5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1
    and this is my /etc/cron.daily/:
    Code:
    root@sv3 [/etc/cron.daily]# ls -l
    total 92
    drwxr-xr-x   2 root root  4096 Jan 25 17:17 ./
    drwxr-xr-x  85 root root 12288 Apr  4 17:40 ../
    lrwxrwxrwx   1 root root    28 Oct 24 14:49 00-logwatch -> ../log.d/scripts/logwatch.pl*
    -rwxr-xr-x   1 root root   418 Apr 26  2006 00-makewhatis.cron*
    -rwxr-xr-x   1 root root   276 Feb 21  2005 0anacron*
    -rwxr-xr-x   1 root root   219 Jan  5 01:36 logrotate*
    -rwxr-xr-x   1 root root  2133 Dec  1  2004 prelink*
    -rwxr-xr-x   1 root root   104 Aug 13  2006 rpm*
    -rwxr-xr-x   1 root root   121 Aug 22  2005 slocate.cron*
    -rwxr-xr-x   1 root root   286 Feb 21  2005 tmpwatch*
    -rwxr-xr-x   1 root root   158 Aug 12  2006 yum.cron*
    only yum.cron can do such things as updates; it contains:
    Code:
    #!/bin/sh
    if [ -f /var/lock/subsys/yum ]; then
            /usr/bin/yum -R 120 -e 0 -d 0 -y update yum
            /usr/bin/yum -R 10 -e 0 -d 0 -y shell /etc/yum/yum-daily.yum
    fi

    but my /etc/yum.conf clearly says:
    Code:
    [main]
    cachedir=/var/cache/yum
    debuglevel=2
    logfile=/var/log/yum.log
    pkgpolicy=newest
    distroverpkg=centos-release
    tolerant=1
    exactarch=1
    retries=20
    obsoletes=1
    gpgcheck=1
    
    # PUT YOUR REPOS HERE OR IN separate files named file.repo
    # in /etc/yum.repos.d
    exclude=apache* courier* exim* httpd* kernel kernel-smp kernel-hugemem mod_ssl* mysql* perl* php* proftpd* pure-ftpd* spamassassin* squirrelmail*
    assumeyes=1
    failovermethod=priority
    
    so by "exclude=apache* courier* exim* httpd* kernel kernel-smp kernel-hugemem mod_ssl* mysql* perl* php* proftpd* pure-ftpd* spamassassin* squirrelmail*"

    no exim or pure-ftpd should be updated, but they are ... and what about the immutable flag?
    Can it still be a configuration issue? I'm using CentOS 4.4.
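The two posts above are doing by hand what a triage script should do for you: an integrity-checker alert on its own cannot tell a legitimate package update from tampering, so each alert has to be correlated with the package manager's own record of what it changed, and with the yum.conf exclude list to see whether the update should have happened at all. The following is an added example written for this thread; it is not code from the poster, from cPanel, or from CSF. The alert lines are copied from the first post, the yum.log lines and the binary-to-package map (which stands in for `rpm -qf`) are constructed samples, and the `postgresql-server` ownership of /usr/bin/postmaster and the 1-hour correlation window are assumptions made for the example.

```python
"""Triage file-integrity alerts against package-manager history.

Added example for this thread, not code from the poster, cPanel or CSF.
The alert lines mirror the first post; yum.log lines and the OWNER map
are constructed samples (OWNER stands in for `rpm -qf <path>`).
"""
import fnmatch
import re
from datetime import datetime, timedelta

# Alert lines in the format the integrity checker reported (last line constructed).
ALERTS = """\
[Wed Apr 4 04:02:41 CEST 2007] Error MD5 checksum for /usr/sbin/exim current is: afd56f3dbc70482c61e38bb148f5384d
[Wed Apr 4 04:07:41 CEST 2007] Error MD5 checksum for /usr/sbin/pure-ftpd current is: 5ff3f34843836c6f6789d5e3b62ffa54
[Wed Apr 4 04:12:41 CEST 2007] Error MD5 checksum for /usr/bin/postmaster current is: b82e18658a5819fb80d260b388028921
[Wed Apr 4 04:17:41 CEST 2007] Error MD5 checksum for /usr/lib/courier-imap/libexec/couriertcpd current is: 8ce348182e8f0ad2d06b8c3cbdbd84ac
[Wed Apr 4 04:22:41 CEST 2007] Error MD5 checksum for /bin/ls current is: 0123456789abcdef0123456789abcdef
"""

# Constructed sample in the shape of /var/log/yum.log ("Mon DD HH:MM:SS Action: pkg ver").
YUM_LOG = """\
Apr 04 04:01:12 Updated: exim.i386 4.43-1.RHEL4.5
Apr 04 04:01:15 Updated: pure-ftpd.i386 1.0.21-1
Apr 04 04:01:18 Updated: postgresql-server.i386 7.4.16-1
Apr 04 04:01:20 Updated: courier-imap.i386 4.1.1-1
"""

# The exclude= line from the poster's /etc/yum.conf.
YUM_EXCLUDE = ("apache* courier* exim* httpd* kernel kernel-smp kernel-hugemem "
               "mod_ssl* mysql* perl* php* proftpd* pure-ftpd* spamassassin* squirrelmail*")

# Constructed stand-in for `rpm -qf`: which package owns each binary (assumed).
OWNER = {
    "/usr/sbin/exim": "exim",
    "/usr/sbin/pure-ftpd": "pure-ftpd",
    "/usr/bin/postmaster": "postgresql-server",
    "/usr/lib/courier-imap/libexec/couriertcpd": "courier-imap",
    "/bin/ls": "coreutils",
}

ALERT_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Error MD5 checksum for (?P<path>\S+) "
                      r"current is: (?P<md5>[0-9a-f]{32})$")
YUM_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                    r"(?P<action>[A-Za-z]+): (?P<pkg>\S+) (?P<ver>\S+)$")


def parse_alert_time(ts):
    """'Wed Apr 4 04:02:41 CEST 2007' -> naive datetime; the zone token is dropped
    because strptime only accepts a few zone names."""
    tok = ts.split()
    if len(tok) != 6:
        raise ValueError("unexpected timestamp: %r" % ts)
    del tok[4]
    return datetime.strptime(" ".join(tok), "%a %b %d %H:%M:%S %Y")


def parse_alerts(text):
    """Return (time, path, md5) for every well-formed checker line."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            out.append((parse_alert_time(m.group("ts")), m.group("path"), m.group("md5")))
    return out


def parse_yum_log(text, year):
    """yum.log carries no year; the caller supplies it (assumed same as the alerts)."""
    events = []
    for line in text.splitlines():
        m = YUM_RE.match(line)
        if not m:
            continue
        when = datetime.strptime("%s %s %s %d" % (m.group("mon"), m.group("day"),
                                                   m.group("time"), year),
                                 "%b %d %H:%M:%S %Y")
        pkg = m.group("pkg").rsplit(".", 1)[0]   # strip the ".i386" arch suffix
        events.append((when, m.group("action"), pkg))
    return events


def is_excluded(pkg, exclude_line):
    """True if the package name matches any glob in yum.conf's exclude= line."""
    return any(fnmatch.fnmatchcase(pkg, pat) for pat in exclude_line.split())


def triage(alerts_text, yum_text, owner, exclude_line, window=timedelta(hours=1)):
    """Classify each alert: 'updated-by-package' (yum touched the owning package
    shortly before the alert), 'updated-despite-exclude' (same, but yum.conf says
    it should not have: a configuration problem to chase), or 'unexplained'
    (no package transaction: treat as possible tampering and verify with rpm -V)."""
    alerts = parse_alerts(alerts_text)
    if not alerts:
        return []
    events = parse_yum_log(yum_text, alerts[0][0].year)
    verdicts = []
    for when, path, _md5 in alerts:
        pkg = owner.get(path)
        touched = [e for e in events if e[2] == pkg and when - window <= e[0] <= when]
        if not touched:
            verdict = "unexplained"
        elif is_excluded(pkg, exclude_line):
            verdict = "updated-despite-exclude"
        else:
            verdict = "updated-by-package"
        verdicts.append((path, pkg, verdict))
    return verdicts


if __name__ == "__main__":
    for path, pkg, verdict in triage(ALERTS, YUM_LOG, OWNER, YUM_EXCLUDE):
        print("%-45s %-18s %s" % (path, pkg, verdict))
```

On a real host the OWNER map is replaced by `rpm -qf` and the yum.log text by /var/log/yum.log; an "updated-despite-exclude" verdict points at a configuration problem (for instance a second yum invocation that does not read the same exclude list), while an "unexplained" verdict is the one that deserves incident-response attention.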
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It seems clear that it is /etc/cron.daily/yum.cron that's causing the problem. I would suggest removing it. It's not needed as upcp will run yum as needed when it runs during the night which should resolve your issue.
     
  5. student

    student Active Member

    Joined:
    Aug 9, 2006
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    6
    Chirpy, I've removed /etc/cron.daily/yum.cron as you suggested. I hope that this will finally resolve the issue.

    Great thanks for your help :)
     
  6. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
    Does anyone know which integrity checker he is using there?
     
  7. PeterTable

    PeterTable Member

    Joined:
    Feb 27, 2004
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    It must be the CSF firewall; check the link in chirpy's signature.
     