Hello,
Daily /scripts/upcp contains the messages below:
...
Fetching http://httpupdate.cpanel.net/cpanelsync/RELEASE-x86_64/scripts/hackcheck.bz2 (0)[email protected]%......Done
Got file ./hackcheck ok (md5 matches)
mv: cannot move `/scripts/./hackcheck' to `/scripts/./hackcheck.unlink': Operation not permitted
mv: cannot move `/scripts/./hackcheck-cpanelsync' to `/scripts/./hackcheck': Operation not permitted
Done updating /scripts
...
I checked /scripts/hackcheck with lsattr and it is set immutable. Looked at the diff between the freshly downloaded one (hackcheck-cpanelsync) and the frozen one (hackcheck) and here is the diff output:
# diff hackcheck hackcheck-cpanelsync
88c88
< if ( $uid == 0 && $user ne "root" && $user ne "admin" ) {
---
> if ( $uid == 0 && $user ne "root" && $user ne "toor" ) {
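Review bot: whichever name line 88 exempts alongside "root" is a uid-0 account that hackcheck will never report, so the exemption is the weak point of this check rather than the rest of the script: the frozen copy silently accepts a uid-0 "admin", the fetched copy a uid-0 "toor". Settle which side is stock by checking hackcheck-cpanelsync against the cpanelsync checksum (the upcp log above reports "md5 matches" for the fetched file) rather than by reading the immutable local copy, and in either case audit uid-0 accounts directly (for example `awk -F: '$3 == 0' /etc/passwd`) so that no second name is trusted by default.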
It appears that someone hacked the hackcheck script, changed the check from "toor" to "admin" to cover himself, and then set the script immutable so that the daily updates won't revert his changes.
Now the interesting part is that the supposedly hacked script (hackcheck) contains the correct user check (admin is given root privileges so that our host operator can intervene locally upon our request), while the supposedly fresh update (hackcheck-cpanelsync) has a check for the bogus user "toor".
Is there something that I'm missing here? (Definitely there is, but what...) Or do I have grounds to suspect that my server might be compromised?
Thanks a lot
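As an added example (not cPanel's /scripts/hackcheck and not code from the original post), the POSIX shell script below reproduces the uid-0 account check from the diffed line 88 over a constructed passwd sample and runs it once with each of the two allow lists seen in the diff, so the effect of exempting "admin" versus "toor" is visible side by side; it also parses lsattr output for the immutable flag the poster found. It generalises the two hard-coded names to an arbitrary allow list. The sample passwd content, the accounts "nobody" and "backdoor", and all function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not cPanel's /scripts/hackcheck. It reproduces the uid-0
# account check from the diffed line ($uid == 0 && $user ne "root" && ...)
# as a shell function, runs it over constructed passwd data with each of
# the two allow lists seen in the diff, and parses lsattr output for the
# 'i' (immutable) flag that blocked the upcp update.

# Constructed sample /etc/passwd content (not from a real server). The
# accounts "nobody" and "backdoor" are assumptions for the demonstration.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:0:0:host operator:/root:/bin/bash
toor:x:0:0:alternate root:/root:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
backdoor:x:0:0::/tmp:/bin/sh'

# uid0_not_allowed PASSWD_TEXT ALLOWED_NAME...
# Prints, one per line, every uid-0 account in PASSWD_TEXT whose name is
# not among ALLOWED_NAME... (the hackcheck condition, generalised from two
# hard-coded names to an arbitrary allow list). Always exits 0 so it can
# be called under set -e; callers inspect the output.
uid0_not_allowed() {
    passwd_text=$1
    shift
    printf '%s\n' "$passwd_text" | awk -F: '$3 == 0 { print $1 }' |
    while IFS= read -r user; do
        allowed=0
        for name in "$@"; do
            if [ "$user" = "$name" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$user"
        fi
    done
    return 0
}

# lsattr_line_immutable LSATTR_LINE
# Returns 0 if the attribute field of one lsattr output line (for example
# "----i--------e-- /scripts/hackcheck") contains the immutable flag 'i'.
# Only the first field is inspected, so an 'i' in the path does not match.
lsattr_line_immutable() {
    attrs=${1%% *}
    case $attrs in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# file_is_immutable PATH
# Live wrapper for a real file (Linux with e2fsprogs lsattr); not exercised
# on the sample data above.
file_is_immutable() {
    lsattr_line_immutable "$(lsattr "$1" 2>/dev/null)"
}

# Demonstration over the sample: each allow list from the diff hides one
# uid-0 account, and only exempting root alone shows every extra one.
echo "exempting root+admin (frozen copy) flags:"
uid0_not_allowed "$SAMPLE_PASSWD" root admin
echo "exempting root+toor (fetched copy) flags:"
uid0_not_allowed "$SAMPLE_PASSWD" root toor
echo "exempting root only flags:"
uid0_not_allowed "$SAMPLE_PASSWD" root
```

On a live server the equivalent calls would be `uid0_not_allowed "$(cat /etc/passwd)" root` and `file_is_immutable /scripts/hackcheck`; the point of running the function with a single exempted name is that any uid-0 account besides root then has to be justified explicitly instead of being hidden by whichever name the script happens to whitelist.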