[hackcheck] net-tools failed checksum test

ncconquer

Well-Known Member
Jun 20, 2004
80
0
156
this text from my email:
---
IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm
package net-tools did not match the expected checksum. This could mean
that
your system was compromised (OwN3D). The offending files have been
removed
and replaced with the OS default. To be safe you should verify that
your
system has not be compromised.

Modified Files:
S.?..... /bin/hostname
S.?..... /bin/netstat
S.?..... /sbin/arp
S.?..... /sbin/ether-wake
S.?..... /sbin/ifconfig
S.?..... /sbin/ipmaddr
S.?..... /sbin/iptunnel
S.?..... /sbin/mii-tool
S.?..... /sbin/nameif
S.?..... /sbin/plipconfig
S.?..... /sbin/route
S.?..... /sbin/slattach
---
What's that? Please tech me.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,466
30
473
Go on, have a guess
You should install tools such as rkhunter and chkrootkit to see if you have a standard rootkit installed on your server - which would strongly suggest a successful root compromise. If they're OK, and the problem as not been caused by you running chmod somewhere you shouldn't, then you need to establish how the files from those RPMs were changed.

If you don't know how to do these things, then you really should look for a someone who specialiases in Linux security to check your server for you.