
hacked?

Discussion in 'General Discussion' started by latpanel, May 4, 2006.

  1. latpanel

    Two days ago my server hung and it had to be restarted from the console.
    A day before, I received the daily email about updates. In this email it could be read:

    Running install for module File::HomeDir
    Running make for A/AD/ADAMK/File-HomeDir-0.57.tar.gz
    Fetching with LWP:
    http://www.uberlan.net/CPAN/authors/id/A/AD/ADAMK/File-HomeDir-0.57.tar.gz
    CPAN: Digest::SHA loaded ok
    CPAN: Module::Signature loaded ok
    WARNING: This key is not certified with a trusted signature!
    Primary key fingerprint: 2E66 557A B97C 19C7 91AF 8E20 328D A867 450F 89EC
    Signature for /home/.cpan/sources/authors/id/A/AD/ADAMK/CHECKSUMS ok
    Fetching with LWP:
    http://www.uberlan.net/CPAN/authors/id/A/AD/ADAMK/CHECKSUMS
    WARNING: This key is not certified with a trusted signature!
    Primary key fingerprint: 2E66 557A B97C 19C7 91AF 8E20 328D A867 450F 89EC
    Signature for /home/.cpan/sources/authors/id/A/AD/ADAMK/CHECKSUMS ok
    Checksum for /home/.cpan/sources/authors/id/A/AD/ADAMK/File-HomeDir-0.57.tar.gz ok
    Scanning cache /home/.cpan/build for sizes
    File-HomeDir-0.57/
    File-HomeDir-0.57/inc/
    ........



    Now my server is running OK again, but I've received several emails.
    From rkhunter, a long list with lines like this one:

    /usr/sbin/prelink: /bin/cat: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/cat: at least one of file's dependencies has changed since prelinking
    Line:
    [ BAD ]
    /usr/sbin/prelink: /bin/chown: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/chown: at least one of file's dependencies has changed since prelinking
    Line: [ BAD ]
    [ BAD ]
    ...................
    ................

    From hackcheck

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the rpm
    package findutils did not match the expected checksum. This could mean that
    your system was compromised (OwN3D). The offending files have been removed
    and replaced with the OS default. To be safe you should verify that your
    system has not be compromised.

    Modified Files:
    S.?..... /usr/bin/find
    S.?..... /usr/bin/xargs

    And another two with other files affected.

    And from scripts/upcp, messages reinstalling the rpm mentioned in the last message.

    I'm worried about all these messages. How can I know if my system has been rooted?

    I'm running Fedora FC1.

    thanks
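
The "Modified Files" lines in the hackcheck email match the attribute notation printed by `rpm -V`. As an added example (not part of the original post and not cPanel's hackcheck code), this Python sketch decodes each column of such a line; the `needs_review` triage rule and the `/etc/example.conf` sample line are assumptions made for illustration.

```python
import re

# Column order of `rpm -V` attribute flags; the 9th (P) exists only in newer rpm.
TESTS = ["size", "mode", "digest", "device", "symlink", "owner", "group", "mtime", "capabilities"]
LETTERS = "SM5DLUGTP"
LINE_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/\S.*)$")

def decode_verify_line(line):
    """Decode one verify line; return None if it is not in rpm -V notation."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags, kind, path = m.groups()
    failed, unknown = [], []
    for pos, ch in enumerate(flags):
        if ch == "?":
            unknown.append(TESTS[pos])      # test could not be performed
        elif ch == LETTERS[pos]:
            failed.append(TESTS[pos])       # test ran and the file differs
        elif ch != ".":
            return None                     # letter in the wrong column
    return {"path": path, "kind": kind, "failed": failed, "unknown": unknown}

def needs_review(entry):
    """Hypothetical triage rule: content checks on a non-config file."""
    content = {"size", "digest"}
    touched = content & set(entry["failed"] + entry["unknown"])
    return entry["kind"] != "c" and bool(touched)

# First two lines are from the hackcheck email above; the third is constructed.
SAMPLE = """\
S.?..... /usr/bin/find
S.?..... /usr/bin/xargs
.......T c /etc/example.conf
"""

if __name__ == "__main__":
    for raw in SAMPLE.splitlines():
        e = decode_verify_line(raw)
        if e:
            print(e["path"], "differs:", e["failed"], "unchecked:", e["unknown"],
                  "-> review" if needs_review(e) else "-> low priority")
```

For the two lines from the email, the size test failed and the digest test could not be performed, so the output shows that the files differ from the package database without confirming what changed in their contents.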
     