[hackcheck] fileutils failed checksum test

[H2Hosting.com]

Did you receive this? (I have such emails from 2 servers)
----------------------------

IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm
package fileutils did not match the expected checksum. This could mean that
your system was compromised (OwN3D). The offending files have been removed
and replaced with the OS default. To be safe you should verify that your
system has not be compromised.

Modified Files:
.......T c /etc/DIR_COLORS
.......T c /etc/profile.d/colorls.csh
.......T c /etc/profile.d/colorls.sh

 

[tmellon]

I got that as well about 1/2 hour ago...

 

[s3kk3y]

just got right now as well.

Is this something to worry about?

 

[ecoutez]

Same here

But only on the RedHat 7.2 boxes. The 7.3 ones had no problem.

It appears that upcp downloaded the latest version of fileutils tonight. No reason to think this is an intrusion.


Downloading fileutils-4.1-10.1.i386.rpm
Retrieving http://updates.cpanel.net/pub/rpmup/redhat/7.3/x86/updates/fileutils-4.1-10.1.i386.rpm
Preparing... ##################################################
fileutils ##################################################

- Jason

 

[Radio_Head]

Same here !

same for me on my red hat 7.2 :-O !!!
I forced to reinstall the fileutils rpm , and I rebuilded the rpm
database , today I received again that advice .
What's happening ?
Look the modification on /sbin/nologin too ...
(file Size , 5 MD5 sum and mTime differ.... )

have we to be worried ?

[b:04bfbf1282]
==================
# rpm -V util-linux net-tools procps fileutils

.......T c /etc/fdprm
.......T c /etc/pam.d/chfn
.......T c /etc/pam.d/chsh
.......T c /etc/pam.d/login
S.5....T /sbin/nologin
.......T c /etc/DIR_COLORS
.......T c /etc/profile.d/colorls.csh
.......T c /etc/profile.d/colorls.sh
==================
[/b:04bfbf1282]

 

[kt]

got the same here

Only my system was hacked =o(

 

[ivaserver]

I got the same email

how do tell if my system was hacked?

Thanks
Ivaserver

 

[dgbaker]

One way to tell is a trojan horse.

look in /usr/share/locale/sk/.sk

use ls -la

It is a trojan that causes the following

Hidden Pid detected! [pid 1455]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/share/locale/sk/.sk/sk]

It is a sniffer program trying to get info on the system.

 

[xsenses]

I have looked in /usr/share/locale/sk and there does not seem to be any .sk and I am getting the message.

 

[hisanuk]

Hi guys,
I am also gettin the same Warning e-mail since 2 days now
Would this be a C-panel WHM error ?????

Sanuk

 

[ozzi4648]

Another night of receiving this msg. Will they not fix this? 3 or 4 nights and counting. Get it together Cpanel!!!!!!!!!!!!!!!!!!!!!!

 

[dpss]

I am seeing this on all our 7.2 boxen but not our 8.0 ones.

Looks like a minor CP bug at this time.

 

[ecoutez]

This issue is resolved

Nick took a look at one of my RedHat 7.2 boxes exhibiting this behavior and found the problem.

Run /scripts/updatenow and it should be fixed.

- Jason

 

[hisanuk]

Hello,

Please informme how to:
Run /scripts/updatenow and it should be fixed.

Or will the error also be fixed by the next-days C-panel update

Thanks & Regards
Sanuk

 

[xsenses]

SSH into you box, move into the scripts directory /scripts and ./updatenow

 

[Radio_Head]

[quote:04c75e8b75][i:04c75e8b75]Originally posted by dgbaker[/i:04c75e8b75]

One way to tell is a trojan horse.

look in /usr/share/locale/sk/.sk

use ls -la

It is a trojan that causes the following

Hidden Pid detected! [pid 1455]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/share/locale/sk/.sk/sk]

It is a sniffer program trying to get info on the system.

[/quote:04c75e8b75]

Thank you , I have it too and it was installed on 18 NOV (on your box 18 Nov too ?)
But what to do to remove it (are you sure is it not required from cpanel) ?


And ... I have still to understand why chkrootkit version 0.38 was NOT able to detect it (( .

 

[Radio_Head]

Hello

sk stand for suckit and it's an hacker sniffer , I don't think it was installed by cpanel :-O !

http://hysteria.sk/sd/f/suckit/sk-current/doc/CHANGES
http://hysteria.sk/sd/f/suckit/readme

What to do to remove it safety ?

 

[dgbaker]

Copy the .sniffer file from .sk somewhere so you can examine what was sniffed.
Remove all the files in the .sk directory including the hidden ones,
chattr +i the .sk directory ( stops it from being reinstalled)
Reboot system to kill hidden pid.

Ps. Do this fairly fast, the sk trojan uses scp to get info off to another server.

Also try to save the executable to examine where it is sending to.

 

[dgbaker]

Well, tripwire didn't catch it either.

 

[Radio_Head]

Thank you Dgbaker

What you think of this
http://sourceforge.net/projects/stjude
It seems the solution to avoid again this problem .