
[hackcheck] findutils failed checksum test

Discussion in 'General Discussion' started by Daemon1, Aug 3, 2006.

  1. Daemon1

    I keep getting this [hackcheck] findutils failed checksum test message over the past 2 days, and I can't work out why. The server is operating like normal, nothing was found using rootkit hunter.

    In /tmp and /var/tmp I see the following folders:

    .ICE-unix
    .font-unix
    .dt
    pear
    spamd-3092-init
    spamd-3481-init
    cpbandwidth
    mysql.sock

    The rest are just session files...

    And /dev/shm is empty....

    tmp has already been secured, the server is operating fine but I keep
    getting sent "[hackcheck] findutils failed checksum test" daily and we don't
    know why! Any help would be appreciated.

    Code:
    IMPORTANT: Do not ignore this email.
    This message is to inform you that the rpm
    package findutils did not match the expected checksum.  This could mean that
    your system was compromised (OwN3D). The offending files have been removed
    and replaced with the OS default.  To be safe you should verify that your
    system has not be compromised.
    
    Modified Files:
    S.5....T    /usr/bin/find
    S.5....T    /usr/bin/xargs
    S.5....T  d /usr/share/info/find.info.gz
    S.5....T    /usr/share/locale/da/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/de/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/es/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/et/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/fr/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/gl/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/id/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/it/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/ko/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/nl/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/pl/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/pt_BR/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/ru/LC_MESSAGES/findutils.mo
    S.5....T    /usr/share/locale/sv/LC_MESSAGES/findutils.mo
    S.5....T  d /usr/share/man/man1/find.1.gz
    S.5....T  d /usr/share/man/man1/xargs.1.gz
     
  2. BenThomas

    This is just the output of "rpm -V findutils". Apparently what the rpm database has recorded for the size, md5sum, and timestamp is different from the files.
     
  3. Astoria

    Same message for me -- [hackcheck] findutils failed checksum test

    I got similar emails the past 2 mornings. Seems like an odd coincidence.

    Where could I find what the checksum is supposed to be?
     
  4. gvard

    Same here. Any idea what's going on? I also receive the following in /scripts/upcp email:

     
  5. AndyReed

    Run chkrootkit and rkhunter and compare the results. Your server might be compromised. Make sure you have a good backup of your data, just in case.
     
  6. Danny_T

    I had this too.

    I downloaded the rpm files from cpanel.net and installed them. No more hacked messages.
    I guess the md5sum is not calculated well by the hackcheck process and cPanel had wrong checksums.
    Too many users have it now, so I bet it's a cPanel problem.

    Danny.
     
  7. BenThomas

    This has nothing to do with cPanel. The hackcheck script is alerting you of the output from "rpm -V rpmname". The values that rpm is using to compare against your files are stored in the rpm database located on your server. By reinstalling the rpms, you have reverted them back to their original state as provided by the rpm. Now that the files are not "different", then "rpm -V rpmname" has nothing to report. That's why you stopped receiving the message.

    Have any of you receiving this report actually run "rpm -V rpmname" on the rpm in question?

    Have you investigated why and how the files provided by the rpm are different?

    The whole purpose of hackcheck is to check the integrity of key rpms, and alert you when they've been modified. That's exactly what's going on here.
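
Added example, not part of the original thread and not cPanel's hackcheck code: a Python decoder for the `rpm -V` lines quoted in the first post, which names the attributes each flag string reports and separates executables whose content changed from documentation and other files. The function names and the `/etc/example.conf` line are constructed for illustration.

```python
import re

# Flag characters printed by `rpm -V`, one per failed verification test.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
         "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
         "P": "capabilities"}
# Optional marker between the flags and the path.
MARKERS = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}
LINE_RE = re.compile(
    r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")
EXEC_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

# Three lines copied from the report quoted in the thread, plus one
# constructed line (the last) showing a mode-only change on a config file.
SAMPLE = """\
S.5....T    /usr/bin/find
S.5....T    /usr/bin/xargs
S.5....T  d /usr/share/man/man1/find.1.gz
.M......  c /etc/example.conf
"""

def parse_line(line):
    """Decode one `rpm -V` line; return None for lines that are not results."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags, marker, path = m.groups()
    changed = ["missing"] if flags == "missing" else [FLAGS[c] for c in flags if c in FLAGS]
    return {"path": path, "kind": MARKERS.get(marker, "file"), "changed": changed}

def triage(report):
    """Split results into executables whose content changed and everything else."""
    result = {"executables": [], "other": []}
    for line in report.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        content_changed = "digest" in entry["changed"]
        is_exec = entry["kind"] == "file" and entry["path"].startswith(EXEC_DIRS)
        result["executables" if content_changed and is_exec else "other"].append(entry)
    return result

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE).items():
        for e in entries:
            print(f"{bucket:12} {e['path']} ({e['kind']}): {', '.join(e['changed'])}")
```

A digest mismatch only says the file content differs from what the rpm database recorded; finding out why still means inspecting the files themselves.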
     
