[hackcheck] findutils failed checksum test

Daemon1

Well-Known Member
Nov 26, 2003
87
0
156
I keep getting this [hackcheck] findutils failed checksum test message over the past 2 days, and I can't work out why. The server is operating like normal, nothing was found using rootkit hunter.

In /tmp and /var/tmp I see the following folders

.ICE-unix
.font-unix
.dt
pear
spamd-3092-init
spamd-3481-init
cpbandwidth
mysql.sock

The rest are just session files...

And /dev/shm is empty....

tmp has already been secured, the server is operating fine but I keep
getting sent "[hackcheck] findutils failed checksum test" daily and we don't
know why! Any help would be appreciated.

Code:
IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm
package findutils did not match the expected checksum.  This could mean that
your system was compromised (OwN3D). The offending files have been removed
and replaced with the OS default.  To be safe you should verify that your
system has not be compromised.

Modified Files:
S.5....T    /usr/bin/find
S.5....T    /usr/bin/xargs
S.5....T  d /usr/share/info/find.info.gz
S.5....T    /usr/share/locale/da/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/de/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/es/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/et/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/fr/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/gl/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/id/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/it/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/ko/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/nl/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/pl/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/pt_BR/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/ru/LC_MESSAGES/findutils.mo
S.5....T    /usr/share/locale/sv/LC_MESSAGES/findutils.mo
S.5....T  d /usr/share/man/man1/find.1.gz
S.5....T  d /usr/share/man/man1/xargs.1.gz

Astoria

Member
Jan 12, 2006
5
0
151
Same message for me -- [hackcheck] findutils failed checksum test

I got similar emails the past 2 mornings. Seems like an odd coincidence.

Where could I find what the checksum is supposed to be?

gvard

Well-Known Member
PartnerNOC
Dec 22, 2003
217
12
168
Athens/GREECE
cPanel Access Level
DataCenter Provider
Same here. Any idea what's going on? I also receive the following in /scripts/upcp email:

prelink: /lib/tls/libc-2.3.6.so has a dependency cycle
prelink: /usr/bin/find: at least one of file's dependencies has changed since prelinking
prelink: /lib/tls/libc-2.3.6.so has a dependency cycle
prelink: /usr/bin/xargs: at least one of file's dependencies has changed since prelinking
findutils fails checksum !!!

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,217
4
193
Minneapolis, MN
Daemon1 said:
IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm
package findutils did not match the expected checksum. This could mean that
your system was compromised (OwN3D). The offending files have been removed
and replaced with the OS default. To be safe you should verify that your
system has not be compromised.
Run chkrootkit and rkhunter and compare the results. Your server might be compromised. Make sure you have a good backup of your data, just in case.

Danny_T

Well-Known Member
Jul 19, 2005
181
0
166
Netherlands
I had this too.

I downloaded the rpm files from the cpanel.net and installed them. No more hacked messages.
I guess the md5sum is not calculated well by the hackcheck process and cpanel had wrong checksums.
Too many users have it now, so I bet it's a cPanel problem.

Danny.


BenThomas

Well-Known Member
Feb 12, 2004
598
0
166
Houston, Texas USA
cPanel Access Level
Root Administrator
Danny_T said:
I guess the md5sum is not calculated well by the hackcheck process and cpanel had wrong checksums.
This has nothing to do with cPanel. The hackcheck script is alerting you of the output from "rpm -V rpmname". The values that rpm is using to compare against your files are stored in the rpm database located on your server. By reinstalling the rpms, you have reverted them back to their original state as provided by the rpm. Now that the files are not "different", then "rpm -V rpmname" has nothing to report. That's why you stopped receiving the message.

Have any of you receiving this report actually run "rpm -V rpmname" on the rpm in question?

Have you investigated why and how the files provided by the rpm are different?

The whole purpose of hackcheck is to check the integrity of key rpms, and alert you when they've been modified. That's exactly what's going on here.
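The hackcheck email above is just `rpm -V findutils` output with a warning wrapped around it, and the `S.5....T` column is where the real information is: each position is one attribute rpm compared against its database, a letter meaning it differs and a dot meaning it matches. The following Python is an added example written for this thread, not part of the original posts or of cPanel's hackcheck script. It decodes those flag columns (per the verify format documented in rpm(8)), tags the optional file attribute (`d` for documentation, `c` for config), and ranks the entries so a digest change on a binary under /usr/bin sorts above a changed man page. The ranking rule is this example's own assumption, and the sample input is the list of lines copied from the email in the first post.

```python
"""Decode `rpm -V` output lines such as the ones in the hackcheck email.

Added example for this thread; not code from cPanel or from rpm itself.
Flag letters follow the verify format in rpm(8): each of the leading
columns is either a letter (that attribute differs from the rpm database)
or '.' (it matches).
"""
import re

# Meaning of each flag letter in the verify string, per rpm(8).
FLAG_MEANINGS = {
    "S": "size differs",
    "M": "mode (permissions/type) differs",
    "5": "digest (MD5) differs",
    "D": "device major/minor differs",
    "L": "symlink target differs",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}

# Optional single-letter file attribute printed between the flags and the path.
ATTR_MEANINGS = {"c": "config", "d": "documentation", "g": "ghost",
                 "l": "license", "r": "readme"}

# Constructed sample input: lines copied from the hackcheck email in the thread.
SAMPLE_VERIFY_OUTPUT = """\
S.5....T    /usr/bin/find
S.5....T    /usr/bin/xargs
S.5....T  d /usr/share/info/find.info.gz
S.5....T    /usr/share/locale/de/LC_MESSAGES/findutils.mo
S.5....T  d /usr/share/man/man1/find.1.gz
"""

# Older rpm prints 8 flag columns, newer rpm adds a 9th (capabilities);
# accept either width. Lines like 'missing  /path' do not match on purpose.
_LINE_RE = re.compile(r"^([SM5DLUGTP.]{8,9})\s+([cdglr])?\s*(\S.*)$")


def parse_verify_line(line):
    """Return {'path', 'flags', 'attr'} for one `rpm -V` line, or None."""
    m = _LINE_RE.match(line.rstrip())
    if not m:
        return None
    flags, attr, path = m.groups()
    changed = {c for c in flags if c != "."}
    return {"path": path, "flags": changed, "attr": attr}


def describe(entry):
    """Human-readable list of what changed for one parsed entry."""
    return [FLAG_MEANINGS[f] for f in sorted(entry["flags"])]


def severity(entry):
    """Triage rank (assumption of this example, not rpm's policy).

    3 = content/ownership/mode change on a file in a bin, sbin or lib
        directory that is not marked doc/config (a changed program is what
        an integrity check exists to catch)
    2 = content change on any other non-doc, non-config file
    1 = doc/config file, or only size/mtime changed (usually packaging
        noise such as a rebuilt or relinked file, but still worth explaining)
    """
    content = entry["flags"] & {"5", "M", "U", "G", "P", "L"}
    segments = entry["path"].split("/")
    in_exec_dir = any(seg in segments for seg in ("bin", "sbin", "lib", "lib64"))
    if entry["attr"] in ("d", "c", "l", "r"):
        return 1
    if content and in_exec_dir:
        return 3
    if content:
        return 2
    return 1


def triage(output):
    """Parse whole `rpm -V` output; return (severity, path) sorted worst-first."""
    entries = [e for e in map(parse_verify_line, output.splitlines()) if e]
    return sorted(((severity(e), e["path"]) for e in entries),
                  key=lambda t: (-t[0], t[1]))


if __name__ == "__main__":
    for rank, path in triage(SAMPLE_VERIFY_OUTPUT):
        entry = parse_verify_line(next(l for l in SAMPLE_VERIFY_OUTPUT.splitlines() if l.endswith(path)))
        print(rank, path, "->", ", ".join(describe(entry)))
```

To feed it real data, run `rpm -V findutils` on the server and pipe the output into `triage()`. The expected values rpm compares against (size, mtime, digest per file) are in the local rpm database and can be printed with `rpm -ql --dump findutils`; comparing them against a freshly downloaded copy of the same package version answers the "what is the checksum supposed to be" question. On a host that runs prelink, as in the `/scripts/upcp` output quoted earlier, a digest mismatch on a binary may only reflect the prelinked on-disk layout; `prelink -y /usr/bin/find` writes the un-prelinked content to stdout so its digest can be compared against the packaged one before treating the change as a compromise.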