The Community Forums


[hackcheck] fileutils failed checksum test

Discussion in 'General Discussion' started by H2Hosting.com, Feb 15, 2003.

  1. H2Hosting.com

    H2Hosting.com Well-Known Member

    Joined:
    Sep 4, 2001
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    16
    Did you receive this? (I have such emails from 2 servers)
    ----------------------------

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the rpm
    package fileutils did not match the expected checksum. This could mean that
    your system was compromised (OwN3D). The offending files have been removed
    and replaced with the OS default. To be safe you should verify that your
    system has not been compromised.

    Modified Files:
    .......T c /etc/DIR_COLORS
    .......T c /etc/profile.d/colorls.csh
    .......T c /etc/profile.d/colorls.sh
     
  2. tmellon

    tmellon Well-Known Member

    Joined:
    Aug 15, 2001
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Sarasota, FL
    I got that as well about 1/2 hour ago...
     
  3. s3kk3y

    s3kk3y Well-Known Member

    Joined:
    Oct 12, 2002
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    Just got it right now as well.

    Is this something to worry about?
     
  4. ecoutez

    ecoutez Well-Known Member

    Joined:
    May 23, 2002
    Messages:
    152
    Likes Received:
    0
    Trophy Points:
    0
    Same here

    But only on the RedHat 7.2 boxes. The 7.3 ones had no problem.

    It appears that upcp downloaded the latest version of fileutils tonight. No reason to think this is an intrusion.


    Downloading fileutils-4.1-10.1.i386.rpm
    Retrieving http://updates.cpanel.net/pub/rpmup/redhat/7.3/x86/updates/fileutils-4.1-10.1.i386.rpm
    Preparing... ##################################################
    fileutils ##################################################

    - Jason
     
  5. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Same here !

    Same for me on my Red Hat 7.2 :-O !!!
    I forced a reinstall of the fileutils rpm, and I rebuilt the rpm
    database; today I received that notice again.
    What's happening?
    Look at the modification on /sbin/nologin too ...
    (file size, MD5 sum and mtime differ....)

    Do we have to be worried?

    ==================
    # rpm -V util-linux net-tools procps fileutils

    .......T c /etc/fdprm
    .......T c /etc/pam.d/chfn
    .......T c /etc/pam.d/chsh
    .......T c /etc/pam.d/login
    S.5....T /sbin/nologin
    .......T c /etc/DIR_COLORS
    .......T c /etc/profile.d/colorls.csh
    .......T c /etc/profile.d/colorls.sh
    ==================
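The `rpm -V` columns in the post above are worth being able to read: a `.` means that test passed, a lone `T` means only the mtime moved (which is what a package reinstall or a `touch` leaves behind), and `S` together with `5` on `/sbin/nologin` means the file's size and MD5 sum no longer match what the package database recorded. As an added example that is not part of the original thread or of cPanel's hackcheck, here is a small Python triage script that parses that output (both the 8-column format of 2003-era rpm and the 9-column format of newer rpm, which adds a capabilities test) and sorts entries into timestamp-only, config-changed and content-changed buckets. The sample report embeds the lines from the post; the `/bin/ls` and `missing` entries in it are constructed to exercise the other line shapes and are not from the thread.

```python
"""Triage of `rpm -V` output (added example, not code from the thread).

Each verification line has the form

    <flags> [<type>] <path>

where <flags> is 8 (old rpm) or 9 (new rpm) test columns, '.' meaning the
test passed, optionally followed by a one-letter file type ('c' = config).
Files that are absent altogether are reported as "missing [<type>] <path>".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One letter per verification test, in column order.
FLAG_MEANINGS = {
    "S": "size differs",
    "M": "mode (permissions/type) differs",
    "5": "MD5/digest differs",
    "D": "device major/minor differs",
    "L": "symlink target differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "mtime differs",
    "P": "capabilities differ",  # 9th column, newer rpm only
    "?": "test could not be performed",
}
COLUMN_ORDER = "SM5DLUGTP?"

# Tests whose failure means the file's content or identity changed, as
# opposed to metadata such as mtime that a reinstall also alters.
CONTENT_FLAGS = frozenset("SM5DLUG")

_LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$"
)
_MISSING_RE = re.compile(r"^missing\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$")


@dataclass(frozen=True)
class VerifyResult:
    path: str
    flags: frozenset            # letters of the tests that failed
    file_type: Optional[str]    # 'c' for config files, None when unmarked
    missing: bool = False

    def describe(self) -> str:
        """Human-readable summary of what differs for this file."""
        if self.missing:
            return "file missing"
        ordered = sorted(self.flags, key=COLUMN_ORDER.index)
        return ", ".join(FLAG_MEANINGS[f] for f in ordered)


def parse_line(line: str) -> Optional[VerifyResult]:
    """Parse one `rpm -V` line; return None for prompts, banners and blanks."""
    line = line.strip()
    m = _MISSING_RE.match(line)
    if m:
        return VerifyResult(m["path"], frozenset(), m["ftype"], missing=True)
    m = _LINE_RE.match(line)
    if not m:
        return None
    failed = frozenset(ch for ch in m["flags"] if ch != ".")
    return VerifyResult(m["path"], failed, m["ftype"])


def triage(result: VerifyResult) -> str:
    """Rough severity for one entry.

    high   - file is missing, or a non-config file's content changed
    medium - a config file's content changed (often an admin edit, still worth a look)
    low    - only metadata such as mtime differs (typical after a reinstall)
    """
    if result.missing:
        return "high"
    if result.flags & CONTENT_FLAGS:
        return "medium" if result.file_type == "c" else "high"
    return "low"


def summarize(report: str) -> Dict[str, List[str]]:
    """Bucket every parsable line of a report by severity, keeping file order."""
    buckets: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for raw in report.splitlines():
        entry = parse_line(raw)
        if entry is not None:
            buckets[triage(entry)].append(entry.path)
    return buckets


# Constructed sample: the lines posted in the thread plus two invented ones
# (a 9-column modern-rpm line and a "missing" line) to cover both formats.
SAMPLE_REPORT = """\
# rpm -V util-linux net-tools procps fileutils
.......T c /etc/fdprm
.......T c /etc/pam.d/chfn
.......T c /etc/pam.d/chsh
.......T c /etc/pam.d/login
S.5....T /sbin/nologin
.......T c /etc/DIR_COLORS
.......T c /etc/profile.d/colorls.csh
.......T c /etc/profile.d/colorls.sh
S.5....T. /bin/ls
missing  c /etc/sysconfig/example.conf
"""

if __name__ == "__main__":
    for raw in SAMPLE_REPORT.splitlines():
        entry = parse_line(raw)
        if entry is not None:
            print(f"{triage(entry):6} {entry.path}: {entry.describe()}")
```

Run as a script it prints one triaged line per file; fed the thread's own output it flags only `/sbin/nologin` as high, while the seven mtime-only config files land in the low bucket, which matches the thread's eventual conclusion that the nightly mail was a side effect of upcp reinstalling the package rather than an intrusion.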
     
  6. kt

    kt Active Member

    Joined:
    May 4, 2002
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    got the same here

    Only my system was hacked =o(
     
  7. ivaserver

    ivaserver Well-Known Member

    Joined:
    Aug 9, 2002
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    I got the same email

    How do I tell if my system was hacked?

    Thanks
    Ivaserver
     
  8. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    One way to tell is a trojan horse.

    look in /usr/share/locale/sk/.sk

    use ls -la

    It is a trojan that causes the following

    Hidden Pid detected! [pid 1455]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/share/locale/sk/.sk/sk]

    It is a sniffer program trying to get info on the system.
     
  9. xsenses

    xsenses Well-Known Member

    Joined:
    Aug 29, 2002
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Huntington Beach, Ca
    I have looked in /usr/share/locale/sk and there does not seem to be any .sk and I am getting the message.
     
  10. hisanuk

    hisanuk Member

    Joined:
    Mar 27, 2002
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Hi guys,
    I have also been getting the same warning e-mail for 2 days now.
    Would this be a cPanel WHM error?????

    Sanuk
     
  11. ozzi4648

    ozzi4648 Guest

    Another night of receiving this msg. Will they not fix this? 3 or 4 nights and counting. Get it together Cpanel!!!!!!!!!!!!!!!!!!!!!!
     
  12. dpss

    dpss Member

    Joined:
    Jan 23, 2003
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    I am seeing this on all our 7.2 boxen but not our 8.0 ones.

    Looks like a minor CP bug at this time.
     
  13. ecoutez

    ecoutez Well-Known Member

    Joined:
    May 23, 2002
    Messages:
    152
    Likes Received:
    0
    Trophy Points:
    0
    This issue is resolved

    Nick took a look at one of my RedHat 7.2 boxes exhibiting this behavior and found the problem.

    Run /scripts/updatenow and it should be fixed.

    - Jason
     
  14. hisanuk

    hisanuk Member

    Joined:
    Mar 27, 2002
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    Please inform me how to:
    Run /scripts/updatenow and it should be fixed.

    Or will the error also be fixed by the next-days C-panel update

    Thanks & Regards
    Sanuk
     
  15. xsenses

    xsenses Well-Known Member

    Joined:
    Aug 29, 2002
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Huntington Beach, Ca
    SSH into your box, move into the scripts directory /scripts and run ./updatenow
     
  16. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Originally posted by dgbaker:
    ----------------------------

    One way to tell is a trojan horse.

    look in /usr/share/locale/sk/.sk

    use ls -la

    It is a trojan that causes the following

    Hidden Pid detected! [pid 1455]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/share/locale/sk/.sk/sk]

    It is a sniffer program trying to get info on the system.

    ----------------------------

    Thank you, I have it too and it was installed on 18 Nov (on your box 18 Nov too?)
    But what to do to remove it (are you sure it is not required by cPanel)?


    And ... I still have to understand why chkrootkit version 0.38 was NOT able to detect it :((( .
     
  17. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Hello

    sk stands for suckit and it's a hacker sniffer; I don't think it was installed by cPanel :-O !

    http://hysteria.sk/sd/f/suckit/sk-current/doc/CHANGES
    http://hysteria.sk/sd/f/suckit/readme

    What to do to remove it safely?
     
  18. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    Copy the .sniffer file from .sk somewhere so you can examine what was sniffed.
    Remove all the files in the .sk directory including the hidden ones,
    chattr +i the .sk directory ( stops it from being reinstalled)
    Reboot system to kill hidden pid.

    PS: Do this fairly fast; the sk trojan uses scp to get info off to another server.

    Also try to save the executable to examine where it is sending to.
     
  19. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    Well, tripwire didn't catch it either.
     
  20. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Thank you Dgbaker ;)

    What do you think of this?
    http://sourceforge.net/projects/stjude
    It seems the solution to avoid this problem again.
     
