hackcheck: "package xy" failed checksum test

JapAniManga.ch

Well-Known Member
Aug 11, 2001
Switzerland
Hi,

For two days now I have been getting mails from the HACKCHECK script:
******
IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm
package fileutils did not match the expected checksum. This could mean that
your system was compromised (OwN3D). The offending files have been removed
and replaced with the OS default. To be safe you should verify that your
system has not be compromised.
******

I get mails for these packages:
- fileutils
- findutils
- net-tools
- tcp_wrappers

It's a RedHat 6.2 machine.

A few minutes ago I did a manual CPanel update (via WHM); it downloaded/installed these packages, and some minutes later I got the next batch of these HACKCHECK mails! I checked these packages and the install timestamp is from the date/time when I did the manual CPanel update!

Does anybody have the same problem? What should I do? From where do the CPanel update scripts download these packages (CPanel server or RedHat server)?

[Edited on 12/29/01 by AnimeHosting.net]
 

bdraco

Guest
Contact your host and have them do a security review of the server.
 

JapAniManga.ch

Well-Known Member
Aug 11, 2001
Switzerland
Just did.

Damn it! And I always thought that I had secure passwords.
 

JapAniManga.ch

Well-Known Member
Aug 11, 2001
Switzerland
The provider (support) says it's all OK, no security problem, no rootkit problem.
 

Vital

Active Member
Nov 17, 2001
Same here, but only on RH 6.2-based systems; RH 7.x went silently through this. I think it's a kind of broken RPM, but not sure.
 

Craig

Well-Known Member
Aug 10, 2001
I just received the "[hackcheck] *package* failed checksum test" mail.

Not sure whether or not to ignore it?
It's a 6.2 box also.

Is this a bug? anyone submitted a bug for it?

Ps.. happy new year :)

[Edited on 12/31/01 by Craig]
 

gordita

Well-Known Member
Aug 14, 2001
I just received the same message but regarding the "mount" package. Should I be concerned?

<edit>
I'm also using RH6.2
</edit>

[Edited on 12/31/01 by gordita]
 

rpmws

Well-Known Member
Aug 14, 2001
back woods of NC, USA
I think we should all be OK. I think it is just Nick hacking our boxes with Cpanel :) hehe
 

gordita

Well-Known Member
Aug 14, 2001
[quote]The provider (support) says it's all OK, no security problem, no rootkit problem.[/quote]

Pegasus said that?
 

Vital

Active Member
Nov 17, 2001
[quote]I think we should all be OK. I think it is just Nick hacking our boxes with Cpanel hehe[/quote]

Yep, Paul. ;) Something just got corrupted, no big deal, though I was scared receiving an SMS with that horrid warning..

Happy New Year to all of us. ;)
 

bdraco

Guest
You should ignore this if:
______________________________________
You manually installed that package from source


Reasons why you shouldn't ignore this message:
_________________________________
More than likely your server IS compromised.
OR, if it's not compromised, your rpm database may be corrupt and should be rebuilt with 'rpm --rebuilddb'
OR Something is broken that is causing your server to not get security updates.
 

gordita

Well-Known Member
Aug 14, 2001
Nick: Thanks for responding.

I'm currently researching my problem of mount failing the checksum; however, one thing to note is that when cpup ran automatically this morning, mount failed the checksum, but this afternoon when I manually ran Update Server Software, Update System Software and Update Backend Scripts and ran upcp from WHM, it passed the checksum test without a problem.

I haven't installed mount from source (or a different rpm), so I am concerned about this; however, it appears to be a false alarm as of yet... any other info or findings you have would be interesting as well.

Thanks
 

JapAniManga.ch

Well-Known Member
Aug 11, 2001
Switzerland
[quote][quote]The provider (support) says it's all OK, no security problem, no rootkit problem.[/quote]

Pegasus said that?[/quote]

Yup, they did a security scan on my box, especially for rootkit hacks.
 

gordita

Well-Known Member
Aug 14, 2001
[quote]gordita, what os are you running ?

(redhat 6.2?)[/quote]

Yes sir, I sure am.
 

bdraco

Guest
Looks like a lot of the 6.2 boxes didn't get the mount update a while back, so you can just ignore the first hackcheck for mount on rh6.2. If you get more than one there may be a problem.
 

Drake

Well-Known Member
Nov 9, 2001
New Jersey
I have received the hackcheck warnings too.
Nick, thanks for the previous message to ignore the warning for now. I am running Red Hat 6.2.

However, I am concerned about the part of the message that reads "The offending files have been removed."

Looking at the script, the line ...system("rpm","-Uvh","--nodeps","--force","$file").... seems like a pretty brutal action that isn't playing games!!

I would like to be able to determine just what files or rpm the script decided to remove. I don't see anything that references a report or log file, which would be great, especially in tracking down an outside hacker / or a hacking user; or in other cases, being able to solve problems where misc. rpm's might not work any longer. How might one determine what files were removed? The section of hackcheck that warns about a user with root priv's is easy enough to find.

Since the script is new, does it establish its baseline for comparison solely by cpanel.net's database, or in any way by the server's environment upon the installation of the script?

Thanks
Drake-- duraserver.net
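bdraco's checklist (source install vs. compromise vs. corrupt rpm database) and Drake's question about which files the script actually replaced both come down to the same check: run `rpm -V` on the flagged package and read its attribute flags before anything is overwritten. The script below is an added example, not hackcheck's or cPanel's code; it triages a constructed `rpm -V` sample (the paths and flag values are made up), separating a digest mismatch on a binary from a changed config file or a timestamp-only difference.

```shell
#!/bin/sh
# Added example (not hackcheck's or cPanel's own code): triage `rpm -V` output
# so a checksum alarm can be checked before any file is replaced.
# Each verify line is the attribute flags in the order S M 5 D L U G T
# ('.' = unchanged; older rpm prints 8 columns, newer releases add a 9th),
# an optional "c" config-file marker, then the path. A '5' (MD5 digest
# mismatch) on a non-config file is the case that deserves attention; a
# changed config file or a timestamp-only difference is routine after an
# upgrade. On a live box: rpm -V fileutils | triage_verify

# Constructed sample in the format `rpm -V <package>` prints (not real output).
SAMPLE_VERIFY='S.5....T   /bin/ls
.......T   /bin/cp
S.5....T c /etc/login.defs
missing    /usr/bin/dir
.M......   /bin/mv'

# Classify one verify record per input line: prints "<class> <path>".
triage_verify() {
    while IFS= read -r line; do
        set -- $line          # split on whitespace: flags [c] path
        flags=$1
        if [ "$2" = "c" ]; then marker=c; path=$3; else marker=; path=$2; fi
        case $flags in
            missing)   class=MISSING ;;              # file is gone entirely
            *5*)       if [ "$marker" = "c" ]; then class=CONFIG_CHANGED
                       else class=CONTENT_CHANGED; fi ;;   # digest differs
            .......T*) class=MTIME_ONLY ;;           # only the timestamp moved
            *)         class=META_CHANGED ;;         # size/mode/owner/etc.
        esac
        echo "$class $path"
    done
}

# Number of non-config files whose content no longer matches the RPM database;
# this is the count a hackcheck-style alarm should be judged against.
count_content_changes() {
    printf '%s\n' "$SAMPLE_VERIFY" | triage_verify |
        awk '$1=="CONTENT_CHANGED"{n++} END{print n+0}'
}

printf '%s\n' "$SAMPLE_VERIFY" | triage_verify
echo "content-changed binaries: $(count_content_changes)"
```

Running the classified list before any forced `rpm -Uvh` gives the record of what was about to be replaced that the hackcheck mail itself does not provide.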
 

Vince

Active Member
PartnerNOC
Aug 13, 2001
Nick,

I've upgraded several of our machines to work with ext3, which included upgrading e2fsprogs, quota, and some other packages.
Is this machine going to fail to reboot correctly because Cpanel decided to replace my files?
Could you put out an updated e2fsprogs RPM which contains ext3 support? quota-tools with ext3 support?

Vince.
 

DokFLeed

Member
May 29, 2003
Earth
Did you face continuous Service Monitor failure emails?
or
Waiting for mysql to restart.... . . . . . . . . . . finished.

/bin/ps: error while loading shared libraries: libproc.so.2.0.6: cannot open shared object file: No such file or directory mysql status

mysql started ok "

It all started with the updates..
Actually the update itself starts with a checksum failure from cpanel, which got fileutil and netutil,
which will cause them to appear as compromised as well..
But anyway, how to fix all of this?