[hackcheck] fileutils failed checksum test

H2Hosting.com

Did you receive this? (I have such emails from 2 servers)
----------------------------

IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm
package fileutils did not match the expected checksum. This could mean that
your system was compromised (OwN3D). The offending files have been removed
and replaced with the OS default. To be safe you should verify that your
system has not be compromised.

Modified Files:
.......T c /etc/DIR_COLORS
.......T c /etc/profile.d/colorls.csh
.......T c /etc/profile.d/colorls.sh
 

ecoutez

Same here

But only on the RedHat 7.2 boxes. The 7.3 ones had no problem.

It appears that upcp downloaded the latest version of fileutils tonight. No reason to think this is an intrusion.


Downloading fileutils-4.1-10.1.i386.rpm
Retrieving http://updates.cpanel.net/pub/rpmup/redhat/7.3/x86/updates/fileutils-4.1-10.1.i386.rpm
Preparing... ##################################################
fileutils ##################################################

- Jason
 

Radio_Head

Same here !

Same for me on my Red Hat 7.2 :-O !!!
I forced a reinstall of the fileutils rpm, and I rebuilt the rpm
database; today I received that advice again.
What's happening?
Look at the modification on /sbin/nologin too...
(file size, 5 MD5 sum and mTime differ...)

Do we have to be worried?

==================
# rpm -V util-linux net-tools procps fileutils

.......T c /etc/fdprm
.......T c /etc/pam.d/chfn
.......T c /etc/pam.d/chsh
.......T c /etc/pam.d/login
S.5....T /sbin/nologin
.......T c /etc/DIR_COLORS
.......T c /etc/profile.d/colorls.csh
.......T c /etc/profile.d/colorls.sh
==================
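An added example, not part of the thread and not cPanel's hackcheck code: a small triage of `rpm -V` output that separates timestamp-only differences on config files (the `.......T c` lines) from a packaged binary whose size and checksum changed (`S.5....T /sbin/nologin`). The sample input is the output quoted in the post above; the bucket names and the `SERIOUS` set are assumptions of this example.

```python
import re

# Constructed sample: the `rpm -V` lines quoted in the post above.
SAMPLE = """\
.......T c /etc/fdprm
.......T c /etc/pam.d/chfn
.......T c /etc/pam.d/chsh
.......T c /etc/pam.d/login
S.5....T /sbin/nologin
.......T c /etc/DIR_COLORS
.......T c /etc/profile.d/colorls.csh
.......T c /etc/profile.d/colorls.sh
"""

# One flag per failed test; "." means the test passed, "?" that it could not run.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}
# 8 flag columns on old rpm (as in the thread), 9 on current rpm; optional
# attribute marker (c=config, d=doc, g=ghost, l=license, r=readme); then the path.
LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")
# Everything except a bare mtime difference (assumption of this example).
SERIOUS = {"missing", "size", "digest", "mode", "device", "symlink",
           "owner", "group", "capabilities"}

def parse(line):
    """Return {'path', 'config', 'changed'} for one rpm -V line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    flags, attr, path = m.groups()
    changed = {"missing"} if flags == "missing" else {FLAGS[c] for c in flags if c in FLAGS}
    return {"path": path, "config": attr == "c", "changed": changed}

def triage(text):
    """Bucket paths: 'high' = packaged non-config file altered, 'check' = config
    file with changed content or rights, 'low' = timestamp-only differences."""
    buckets = {"high": [], "check": [], "low": []}
    for rec in filter(None, map(parse, text.splitlines())):
        if not rec["changed"] & SERIOUS:
            level = "low"
        elif rec["config"]:
            level = "check"
        else:
            level = "high"
        buckets[level].append(rec["path"])
    return buckets

if __name__ == "__main__":
    for level, paths in triage(SAMPLE).items():
        print(level, paths)
```

Output from a live host only reflects what that host's own kernel and rpm database report, so on a machine suspected of compromise, run the verification from rescue media against the mounted disk (`rpm -V --root <mountpoint>`) before trusting a clean result.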
 

dgbaker

One way to tell is a trojan horse.

look in /usr/share/locale/sk/.sk

use ls -la

It is a trojan that causes the following

Hidden Pid detected! [pid 1455]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/usr/share/locale/sk/.sk/sk]

It is a sniffer program trying to get info on the system.
 

hisanuk

Hi guys,
I have also been getting the same warning e-mail for 2 days now.
Would this be a cPanel WHM error?

Sanuk
 
ozzi4648

Another night of receiving this msg. Will they not fix this? 3 or 4 nights and counting. Get it together Cpanel!!!!!!!!!!!!!!!!!!!!!!
 

dpss

I am seeing this on all our 7.2 boxen but not our 8.0 ones.

Looks like a minor CP bug at this time.
 

ecoutez

This issue is resolved

Nick took a look at one of my RedHat 7.2 boxes exhibiting this behavior and found the problem.

Run /scripts/updatenow and it should be fixed.

- Jason
 

hisanuk

Hello,

Please inform me how to:
Run /scripts/updatenow and it should be fixed.

Or will the error also be fixed by the next day's cPanel update?

Thanks & Regards
Sanuk
 

Radio_Head

Originally posted by dgbaker:

> One way to tell is a trojan horse.
>
> look in /usr/share/locale/sk/.sk
>
> use ls -la
>
> It is a trojan that causes the following
>
> Hidden Pid detected! [pid 1455]
> hidden from ps: [yes]
> hidden from kernel: [yes]
> binary location: [/usr/share/locale/sk/.sk/sk]
>
> It is a sniffer program trying to get info on the system.

Thank you, I have it too, and it was installed on 18 Nov (on your box 18 Nov too?).
But what should I do to remove it (are you sure it is not required by cPanel)?


And... I still have to understand why chkrootkit version 0.38 was NOT able to detect it :(((
 

Radio_Head

Hello

sk stands for suckit and it's a hacker sniffer; I don't think it was installed by cPanel :-O !

http://hysteria.sk/sd/f/suckit/sk-current/doc/CHANGES
http://hysteria.sk/sd/f/suckit/readme

What should I do to remove it safely?
 

dgbaker

Copy the .sniffer file from .sk somewhere so you can examine what was sniffed.
Remove all the files in the .sk directory, including the hidden ones.
chattr +i the .sk directory (stops it from being reinstalled).
Reboot the system to kill the hidden pid.

P.S. Do this fairly fast; the sk trojan uses scp to get info off to another server.

Also try to save the executable to examine where it is sending to.
 

Radio_Head

Thank you Dgbaker ;)

What do you think of this?
http://sourceforge.net/projects/stjude
It seems to be the solution to avoid this problem again.