[hackcheck] findutils failed checksum test

Daemon1

Well-Known Member
Nov 26, 2003
87
0
156
I keep getting this [hackcheck] findutils failed checksum test message over the past 2 days, and I cant work out why. The server is operating like normal, nothing was found using rootkit hunter.

Im /tmp and /var/tmp I see the following folders

.ICE-unix
.font-unix
.dt
pear
spamd-3092-init
spamd-3481-init
cpbandwidth
mysql.sock

The rest are just session files...

And /dev/shm is empty....

tmp has already been secured, the server is operating fine but I keep
getting sent "[hackcheck] findutils failed checksum test" daily and we dont
know why! Any help would be appreciated.

Code:
IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm
package findutils did not match the expected checksum.  This could mean that
your system was compromised (OwN3D). The offending files have been removed
and replaced with the OS default.  To be safe you should verify that your
system has not be compromised.

Modified Files:
S.5....T    /usr/bin/find
S.5....T    /usr/bin/xargs
S.5....T  d /usr/share/info/find.info.gz
S.5....T    /usr/share/locale/da/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/de/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/es/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/et/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/fr/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/gl/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/id/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/it/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/ko/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/nl/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/pl/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/pt_BR/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/ru/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/sv/LC_MESSAGES/findutils.mo
S.5....T  d /usr/share/man/man1/find.1.gz
S.5....T  d /usr/share/man/man1/xargs.1.gz
 

Astoria

Member
Jan 12, 2006
5
0
151
Same message for me -- [hackcheck] findutils failed checksum test

I got similar emails the past 2 mornings. Seems like an odd coincidence.

Where could I find what the checksum is supposed to be?
 

gvard

Well-Known Member
PartnerNOC
Dec 22, 2003
211
9
168
Athens/GREECE
cPanel Access Level
DataCenter Provider
Same here. Any idea what's going on? I also receive the following in /scripts/upcp email:

relink: /lib/tls/libc-2.3.6.so has a dependency cycle
prelink: /usr/bin/find: at least one of file's dependencies has changed since prelinking
prelink: /lib/tls/libc-2.3.6.so has a dependency cycle
prelink: /usr/bin/xargs: at least one of file's dependencies has changed since prelinking findutils fails checksum !!!
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,221
4
193
Minneapolis, MN
Daemon1 said:
IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm
package findutils did not match the expected checksum. This could mean that
your system was compromised (OwN3D). The offending files have been removed
and replaced with the OS default. To be safe you should verify that your
system has not be compromised.
Run chkrootkit and rkhunter and compare the results. Your server might be compromised. Make sure you have a good backup of your data, just in case.
 

Danny_T

Well-Known Member
Jul 19, 2005
181
0
166
Netherlands
I did had this too.

I downloaded the rpm files from the cpanel.net and installed them. No more hacked messages.
I guess the md5sum is not calculated well by the hackcheck process and cpanel had wrong checksums.
Too much users has it now so i bet its a cpanel problem.

Danny.

.
 

BenThomas

Well-Known Member
Feb 12, 2004
598
0
166
Houston, Texas USA
cPanel Access Level
Root Administrator
Danny_T said:
I guess the md5sum is not calculated well by the hackcheck process and cpanel had wrong checksums.
This has nothing to do with cPanel. The hackcheck script is alerting you of the output from "rpm -V rpmname". The values that rpm is using to compare against your files are stored in the rpm database located on your server. By reinstalling the rpms, you have reverted them back to their original state as provided by the rpm. Now that the files are not "different", then "rpm -V rpmname" has nothing to report. That's why you stopped receiving the message.

Have any of you receiving this report actually ran "rpm -V rpmname" on the rpm in question?

Have you investigated why and how the files provided by the rpm are different?

The whole purpose of hackcheck is to check the integrity of key rpms, and alert you when they've been modified. That's exactly what's going on here.