cPanel Hackcheck
IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm package findutils did not match the expected checksum. This could mean that your system was compromised (OwN3D). The offending files have been removed and replaced with the OS default. To be safe you should verify that your system has not been compromised.
Does this entry in /var/log/chkservd.log correspond to the above email? It does not: the entry below is chkservd recording a failed service check on cpsrvd, sending its own notification, and restarting cpsrvd, webmaild and cpaneld. The checksum notice comes from /scripts/hackcheck, which runs rpm -V against installed packages and has nothing to do with service monitoring.
[Fri Sep 15 18:55:34 2006] Service check ....cpsrvd [-Notification => karen.archer@gmail.com via EMAIL [level => 3]
Restarting cpsrvd....
system: /usr/local/cpanel/etc/init/safekill cpsrvd
system: /usr/local/cpanel/etc/init/safekill webmaild
system: /usr/local/cpanel/etc/init/safekill cpaneld
system: /usr/local/cpanel/cpsrvd
]...Done
Modified Files:
S.?...... /usr/bin/find
S.?...... /usr/bin/xargs
History of Support Activity:
276 w
277 rpm -qf /usr/bin/find
278 rpm -V findutils
279 rpm -qf /usr/bin/xargs
280 rpm -V xargs
281 ls -alhd /usr/bin/find
282 cat /etc/redhat-release
283 rpm -qf /usr/bin/find /usr/bin/xargs
284 rpm -V findutils-4.2.27-4
285 whereis rpm
286 rpm -V /bin/rpm
287 rpm -qf /bin/rpm
288 rpm -V rpm
289 less /scripts/hackcheck
290 less /scripts/hackcheck
291 rpm -V
292 rpm -V all
293 rpm -V
294 w
295 exit
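Two things in the history above are worth flagging before trusting the result. First, rpm -V takes package names, so `rpm -V /bin/rpm` and `rpm -V all` verify nothing (rpm just reports that no such package is installed); `rpm -Vf /bin/rpm` verifies the package that owns a file and `rpm -Va` verifies every package. Second, the attribute column needs reading carefully. In `S.?...... /usr/bin/find` each position is one test (size, mode, MD5 digest, device, link target, user, group, mtime, and on newer rpm capabilities): `.` is a pass, a letter is a mismatch and `?` means the test could not be run. So find had a size change and an unverifiable digest, which is not the same as a confirmed bad digest. Prelink, which rewrites binaries in place on Fedora and RHEL of this vintage, can produce exactly this kind of size/digest noise (`prelink -u file` undoes it), which is one more reason to compare against a clean copy of the package (`rpm -Vp findutils-<version>.rpm` fetched from a trusted mirror) rather than rely on the local rpmdb and the local rpm binary alone. The decoder and triage script below is an added example, not part of cPanel's hackcheck or of rpm; the `rpm -V` lines it runs over are constructed to resemble the two in the mail, and the config-file and doc paths in them are invented.

```shell
#!/bin/sh
# Added example: decode and triage `rpm -V` output. Not cPanel's hackcheck code;
# the sample lines at the bottom are constructed, not taken from the incident.
#
# rpm -V attribute columns (rpm 4.x): S M 5 D L U G T [P]
#   size, mode, digest (MD5), device, link target, user, group, mtime, capabilities
#   '.' = test passed, '?' = test could not be performed, letter = mismatch

rpmv_decode() {
    # $1 = attribute column, e.g. "S.?......"; prints the failed or unverifiable tests
    attrs=$1
    out=""
    i=1
    for name in size mode digest device link user group mtime caps; do
        c=$(printf '%s' "$attrs" | cut -c "$i")
        if [ -z "$c" ]; then break; fi        # older rpm prints only 8 columns
        case $c in
            '.') ;;
            '?') out="$out $name:unverifiable" ;;
            *)   out="$out $name" ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

rpmv_triage() {
    # Reads `rpm -V` / `rpm -Va` lines on stdin; prints one ALERT/INFO line per entry.
    # Edited config files (type 'c') and mtime-only changes are expected noise;
    # size/digest/mode changes on anything else, or a missing file, need a look.
    while read -r attrs rest; do
        if [ -z "$attrs" ]; then continue; fi
        set -- $rest                          # optional type column (c d g l r), then path
        ftype=""
        case $1 in c|d|g|l|r) ftype=$1; shift ;; esac
        path=$1
        if [ "$attrs" = "missing" ]; then
            printf 'ALERT %s: missing\n' "$path"
            continue
        fi
        why=$(rpmv_decode "$attrs")
        if [ -z "$why" ]; then continue; fi
        if [ "$ftype" = "c" ]; then
            printf 'INFO %s: %s (config file)\n' "$path" "$why"
        elif [ "$why" = "mtime" ]; then
            printf 'INFO %s: mtime only\n' "$path"
        else
            printf 'ALERT %s: %s\n' "$path" "$why"
        fi
    done
}

# Constructed sample of `rpm -V` output, modelled on the two lines in the hackcheck mail.
# The config and doc paths are invented.
RPMV_SAMPLE='S.?......    /usr/bin/find
S.5....T.    /usr/bin/xargs
.......T.  c /etc/example.conf
missing      /usr/share/doc/findutils-4.2.27/README'

rpmv_sample_report() {
    # printf adds the trailing newline so `read` sees the last line
    printf '%s\n' "$RPMV_SAMPLE" | rpmv_triage
}

# On the real box the equivalent is, in this order:
#   rpm -V rpm && rpm -Vf /usr/bin/find /usr/bin/xargs | rpmv_triage
rpmv_sample_report
```

Verify rpm's own package first, as the history does with `rpm -V rpm`; if that is clean, the `rpm -Vf` output for the flagged files is worth reading, and anything the script marks ALERT on a binary should then be checked against a freshly downloaded package with `rpm -Vp`.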
chkrootkit
The NOKEY warning in the output below means rpm does not have the public key (ID 1ac70ce6) that signed this package, so the signature was not actually checked. On a host you suspect is compromised, import the distribution's signing key with rpm --import and confirm that `rpm -K chkrootkit-0.46a-2.fc5.i386.rpm` reports a good signature before installing or running it.
root@server30013 [/usr/local/bin]# rpm -qpl chkrootkit-0.46a-2.fc5.i386.rpm
warning: chkrootkit-0.46a-2.fc5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 1ac70ce6
/etc/pam.d/chkrootkit
/etc/security/console.apps/chkrootkit
/usr/bin/chkrootkit
/usr/bin/chkrootkitX
/usr/lib/chkrootkit-0.46a
/usr/lib/chkrootkit-0.46a/check_wtmpx
/usr/lib/chkrootkit-0.46a/chkdirs
/usr/lib/chkrootkit-0.46a/chklastlog
/usr/lib/chkrootkit-0.46a/chkproc
/usr/lib/chkrootkit-0.46a/chkrootkit
/usr/lib/chkrootkit-0.46a/chkutmp
/usr/lib/chkrootkit-0.46a/chkwtmp
/usr/lib/chkrootkit-0.46a/ifpromisc
/usr/lib/chkrootkit-0.46a/strings
/usr/lib/chkrootkit-0.46a/strings-static
/usr/sbin/chkrootkit
/usr/share/applications/fedora-chkrootkit.desktop
/usr/share/doc/chkrootkit-0.46a
/usr/share/doc/chkrootkit-0.46a/ACKNOWLEDGMENTS
/usr/share/doc/chkrootkit-0.46a/COPYRIGHT
/usr/share/doc/chkrootkit-0.46a/README
/usr/share/doc/chkrootkit-0.46a/README.chklastlog
/usr/share/doc/chkrootkit-0.46a/README.chkwtmp
/usr/share/doc/chkrootkit-0.46a/chkrootkit.lsm
/usr/share/pixmaps/chkrootkit.png
Output:
Checking `bindshell'... INFECTED (PORTS: 465)
Important Note: If you see `Checking `bindshell'... INFECTED (PORTS: 465)`, read on. From the chkrootkit FAQ:
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports, probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).
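The FAQ's explanation only holds if something legitimate really is bound to the port. The bindshell test does nothing cleverer than notice that one of the listed ports accepts connections, and on a cPanel server 465 is normally exim listening for SMTP over SSL, so the check is to look at who owns the listener rather than take either the INFECTED line or its dismissal on faith. One caveat: if the box really is rooted, netstat, lsof and ps may themselves have been replaced, so run the check with binaries you trust (chkrootkit's `-p dir` option points it at an alternate directory of external commands, or boot rescue media). The script below is an added example, not chkrootkit's or cPanel's code; the `netstat -tlnp` output it parses is constructed, the process names and PIDs in it are invented, and the list of daemons it treats as expected is a placeholder to replace with the ones that legitimately listen on your host.

```shell
#!/bin/sh
# Added example: find out what owns a port that chkrootkit's bindshell test flagged.
# Not chkrootkit code; the netstat output and process names below are constructed.

port_owner() {
    # $1 = TCP port; `netstat -tlnp` output on stdin
    # prints the PID/Program column of the LISTEN socket on that port, or "none"
    awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")          # last field after ":" is the port (works for :::465 too)
            if (a[n] == p) found = $7
        }
        END { print (found == "" ? "none" : found) }'
}

bindshell_triage() {
    # $1 = captured `netstat -tlnp` output (one string); remaining args = ports from the INFECTED line
    ns=$1; shift
    for port; do
        owner=$(printf '%s\n' "$ns" | port_owner "$port")
        case $owner in
            none)
                printf '%s: nothing listening now; re-run chkrootkit, the hit may have been transient\n' "$port" ;;
            # Placeholder allowlist: daemons that legitimately listen on this host. Adjust per box.
            */exim*|*/sendmail*|*/portsentry*|*/klaxon*|*/sshd|*/httpd*|*/cpsrvd*)
                printf '%s: %s is an expected daemon, bindshell hit is a false positive\n' "$port" "$owner" ;;
            *)
                printf '%s: %s is unexpected, inspect with: lsof -p %s\n' "$port" "$owner" "${owner%%/*}" ;;
        esac
    done
}

# Constructed `netstat -tlnp` output: PIDs and the listener on 1524 are invented.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      2213/exim
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1870/sshd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      9981/sh'

# On the real box: bindshell_triage "$(netstat -tlnp 2>/dev/null)" 465
bindshell_triage "$NETSTAT_SAMPLE" 465 1524 31337
```

A port with no owner shown even as root, or a shell or unnamed process holding one of the listed ports, is the case the bindshell test exists for; a mail daemon on 465 is the FAQ's false positive.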
