Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

hackcheck immutable

Discussion in 'General Discussion' started by aramazan, Mar 25, 2007.

  1. aramazan

    aramazan Registered

    Joined:
    Mar 17, 2007
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    151
    Hello,

    Daily /scripts/upcp contains the messages below:

    ...
    Fetching http://httpupdate.cpanel.net/cpanelsync/RELEASE-x86_64/scripts/hackcheck.bz2 (0)....@69.90.250.35......connected......receiving...100%......Done
    Got file ./hackcheck ok (md5 matches)
    mv: cannot move `/scripts/./hackcheck' to `/scripts/./hackcheck.unlink': Operation not permitted
    mv: cannot move `/scripts/./hackcheck-cpanelsync' to `/scripts/./hackcheck': Operation not permitted
    Done updating /scripts
    ...

    I checked /scripts/hackcheck with lsattr and it is set immutable. Looked at the diff between the freshly downloaded one (hackcheck-cpanelsync) and the frozen one (hackcheck) and here is the diff output:

    # diff hackcheck hackcheck-cpanelsync
    88c88
    < if ( $uid == 0 && $user ne "root" && $user ne "admin" ) {
    ---
    > if ( $uid == 0 && $user ne "root" && $user ne "toor" ) {

    Appears that someone hacked the hackcheck script, changed the check for "toor" to "admin" to cover himself, and then set the script immutable so daily updates won't revert his changes back.

    Now the interesting part is, supposedly hacked script (hackcheck) contains correct user checks (admin is given root privileges so that our host operator can locally intervene upon our request), and supposedly fresh update (hackcheck-cpanelsync) has check for bogus user "toor".

    Is there something that I'm missing here? (Definitely there is, but what...) Or do I have grounds to suspect that my server might be compromised?

    Thanks a lot
     
    #1 aramazan, Mar 25, 2007
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    4
    Trophy Points:
    193
    Location:
    Minneapolis, MN
    It is rather difficult to say whether your system has been compromised. Scan your OS with rkhunter and chkrootkit applications.

    A rootkit may replace 'ps' with a version of the command that will not display information about particular processes, and may replace 'md5sum' with a version of the command that reports the expected --- though not accurate --- checksums for compromised system binaries. Other frequently-compromised binaries include ls, netstat, top; a relatively complete rootkit may include two dozen or more binaries, most of which are trojaned versions of standard system commands.

    Hope this helps!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 AndyReed, Mar 25, 2007
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    No, that's perfectly normal and is simply an update to that script. You should not use the immutable flag on any of the files in /scripts otherwise you're risking the stability of cPanel and the OS on your server.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 chirpy, Mar 26, 2007
  4. aramazan

    aramazan Registered

    Joined:
    Mar 17, 2007
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    151
    Thank you ServerTune and chirpy. It's turned out that my dedicated hoster has set hackcheck immutable so that daily cpanel updates wouldn't revert their custom (and minuscule) change to this script.

    BTW, while the change itself is minuscule with no security concerns, I wonder what happens if cpanel makes some rather substantial changes to system management that mandates upgrading hackcheck in sync with several other files. All the files involved would be upgraded except hackcheck. Could it render the system unusable, or worse, open some unnoticed security holes? I guess I'll periodically check the diff between the immutable hackcheck and the latest version.

    Thanks and best regards
     
    #4 aramazan, Mar 30, 2007
(You must log in or sign up to post here.)

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice