hackcheck: "package xy" failed checksum test

Discussion in 'General Discussion' started by JapAniManga.ch, Dec 29, 2001.

  1. JapAniManga.ch

    Hi,

    For two days I have been getting mails from the HACKCHECK script:
    ******
    IMPORTANT: Do not ignore this email.
    This message is to inform you that the rpm
    package fileutils did not match the expected checksum. This could mean that
    your system was compromised (OwN3D). The offending files have been removed
    and replaced with the OS default. To be safe you should verify that your
    system has not be compromised.
    ******

    I get mails for these packages:
    - fileutils
    - findutils
    - net-tools
    - tcp_wrappers

    It's a RedHat 6.2 machine.

    A few minutes ago I ran a manual cPanel update (via WHM) and it downloaded/installed these packages, and a few minutes later I got the next batch of these HACKCHECK mails! I checked these packages and the install timestamp is from the date/time when I ran the manual cPanel update!

    Does anybody have the same problem? What should I do? From where do the cPanel update scripts download these packages (cPanel server or RedHat server)?

    [Edited on 12/29/01 by AnimeHosting.net]
     
  2. bdraco

    Contact your host and have them do a security review of the server.
     
  3. JapAniManga.ch

    Just did.

    Damn it! And I always thought that I had secure passwords.
     
  4. JapAniManga.ch

    Provider (support) says it's all OK, no security problem, no rootkit problem.
     
  5. H2Hosting.com

    confirm.

    I just received the same email. What is going on?
     
  6. Vital

    Same here, but only on RH 6.2-based systems; RH 7.x went silently through this. I think it's some kind of broken RPM, but I'm not sure.
     
  7. Craig

    I just received the "[hackcheck] *package* failed checksum test"

    Not sure whether or not to ignore it?
    It's a 6.2 box also.

    Is this a bug? Has anyone submitted a bug for it?

    P.S. Happy New Year :)

    [Edited on 12/31/01 by Craig]
     
  8. gordita

    I just received the same message but regarding the "mount" package. Should I be concerned?

    <edit>
    I'm also using RH6.2
    </edit>

    [Edited on 12/31/01 by gordita]
     
  9. rpmws

    I think we should all be OK. I think it is just Nick hacking our boxes with Cpanel :) hehe
     
  10. gordita

    > provider (support) says it's all OK, no security problem, no rootkit problem.

    Pegasus said that?
     
  11. Vital

    > I think we should all be OK. I think it is just Nick hacking our boxes with Cpanel hehe

    Yep, Paul. ;) Something just got corrupted, no big deal, though I was scared, receiving an SMS with that horrid warning...

    Happy New Year to all of us. ;)
     
  12. bdraco

    You should ignore this if:
    ______________________________________
    You manually installed that package from source


    Reasons why you shouldn't ignore this message:
    _________________________________
    More than likely your server IS compromised.
    OR If it's not compromised, your rpm database may be corrupt and should be rebuilt with 'rpm --rebuilddb'
    OR Something is broken that is causing your server to not get security updates.
     
  13. gordita

    Nick: Thanks for responding.

    I'm currently researching my problem of mount failing the checksum. However, one thing to note is that when cpup ran automatically this morning mount failed the checksum, but this afternoon when I manually ran the Update Server Software, Update System Software, Update Backend Scripts and ran upcp from WHM it passed the checksum test without a problem.

    I haven't installed mount from source (or a different rpm) so I am concerned about this; however, it is appearing to be a false alarm as of yet... any other info or findings you have would be interesting as well.

    Thanks
     
  14. bdraco

    gordita, what OS are you running?

    (redhat 6.2?)
     
  15. JapAniManga.ch

    > > provider (support) says it's all OK, no security problem, no rootkit problem.
    >
    > Pegasus said that?

    Yup, they ran a security scan on my box, especially for a rootkit hack.
     
  16. gordita

    > gordita, what OS are you running?
    >
    > (redhat 6.2?)

    Yes sir, I sure am.
     
  17. bdraco

    Looks like a lot of the 6.2 boxes didn't get the mount update a while back so you can just ignore the first hackcheck for mount on rh6.2. If you get more than one there may be a problem.
     
  18. Drake

    I have received the hackcheck warnings too.
    Nick, thanks for the previous message to ignore the warning for now. I am running Red Hat 6.2.

    However, I am concerned about the part of the message that reads "The offending files have been removed."

    Looking at the script, the line ...system("rpm","-Uvh","--nodeps","--force","$file").... seems like a pretty brutal action that isn't playing games!!

    I would like to be able to determine just what files or rpm the script decided to remove. I don't see anything that references a report or log file, which would be great, especially in tracking down an outside hacker / or a hacking user; or in other cases, being able to solve problems where misc. rpms might not work any longer. How might one determine what files were removed? The section of hackcheck that warns about a user with root privs is easy enough to find.

    Since the script is new, does it establish its baseline for comparison solely by cpanel.net's database, or in any way by the server's environment upon the installation of the script?

    Thanks
    Drake-- duraserver.net
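
Added example, not part of the thread and not cPanel's hackcheck code: `rpm -V` reports which files of a package differ from the RPM database, which is the information asked about above, and its output can be saved before any forced reinstall overwrites the evidence. The function names, the log path in the comment and the sample lines are constructed for illustration; the parser accepts both the 8-character attribute string of older rpm releases and the 9-character one of current releases.

```shell
#!/bin/sh
# Triage `rpm -V` output: which files differ from the RPM database, and how.
# Live use (read-only; the log path is hypothetical):
#   rpm -V fileutils | triage_rpm_verify >> /root/rpm-verify.log

triage_rpm_verify() {
    awk '
    {
        # Everything from the first "/" onward is the path (may contain spaces).
        path = $0
        sub("^[^/]*", "", path)
    }
    # The file recorded in the database is gone from disk.
    $1 == "missing" { print "MISSING\t" path; next }
    # Attribute string: 8 characters on older rpm releases, 9 on current ones.
    length($1) >= 8 && length($1) <= 9 && $1 ~ /^[.?SM5DLUGTP]+$/ {
        # Optional marker after the flags: c=config d=doc g=ghost l=license r=readme
        marker = (NF >= 3 && $2 ~ /^[cdglr]$/) ? $2 : "-"
        if (index($1, "5") == 0)
            verdict = "METADATA"         # size, mode, owner or mtime only
        else if (marker == "c")
            verdict = "CONFIG-EDITED"    # digest differs, but the file is %config
        else
            verdict = "CONTENT-CHANGED"  # digest differs on a non-config file
        print verdict "\t" $1 "\t" path
    }'
}

# Constructed sample of `rpm -V` output (not taken from any real host).
sample_verify_output() {
    cat <<'EOF'
S.5....T    /bin/ls
S.5....T. c /etc/hosts.allow
.......T.   /usr/bin/find
missing     /sbin/ifconfig
EOF
}

sample_verify_output | triage_rpm_verify
```

A CONTENT-CHANGED line on a binary that was never rebuilt from source is the case worth investigating; copy the flagged file aside before any reinstall so it can still be examined.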
     
  19. Vince

    Nick,

    I've upgraded several of our machines to work with ext3, which included upgrading e2fsprogs, quota, and some other packages.
    Is this machine going to fail to reboot correctly because cPanel decided to replace my files?
    Could you put out an updated e2fsprogs RPM which contains ext3 support? quota-tools with ext3 support?

    Vince.
     
  20. DokFLeed

    Did you face continuous Service Monitor failure emails?
    or
    Waiting for mysql to restart.... . . . . . . . . . . finished.

    /bin/ps: error while loading shared libraries: libproc.so.2.0.6: cannot open shared object file: No such file or directory mysql status

    mysql started ok "

    It all started with the updates.
    Actually the update itself starts with a checksum failure from cPanel, that got the fileutil and netutil,
    which will cause it to appear as compromised as well.
    But is there any way to fix all of this?
     