email CSF: "...If the change is unexpected it should be investigated", how investigate?

[000]

Hello,
we recived the messages:

Time:     Thu Apr  1 06:00:14 2021 -0500

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/bin/ab: FAILED
/usr/bin/ea-php73: FAILED
/usr/bin/ea-php74: FAILED
/usr/bin/ea-php80: FAILED
/usr/bin/htdbm: FAILED
/usr/bin/htdigest: FAILED
/usr/bin/htpasswd: FAILED
/usr/bin/httxt2dbm: FAILED
/usr/bin/logresolve: FAILED
/usr/sbin/fcgistarter: FAILED
/usr/sbin/htcacheclean: FAILED
/usr/sbin/httpd: FAILED
/usr/sbin/rotatelogs: FAILED
/usr/sbin/suexec: FAILED
/bin/ab: FAILED
/bin/ea-php73: FAILED
/bin/ea-php74: FAILED
/bin/ea-php80: FAILED
/bin/htdbm: FAILED
/bin/htdigest: FAILED
/bin/htpasswd: FAILED
/bin/httxt2dbm: FAILED
/bin/logresolve: FAILED
/sbin/fcgistarter: FAILED
/sbin/htcacheclean: FAILED
/sbin/httpd: FAILED
/sbin/rotatelogs: FAILED
/sbin/suexec: FAILED
/usr/local/bin/ea-php73: FAILED
/usr/local/bin/ea-php74: FAILED
/usr/local/bin/ea-php80: FAILED

... really around of world after of millions of servers/VPS update/upgrade SO with cPanel millions and millions of emails is sended to email of sysadmin?

Yes, we can disable this email in /etc/csf/csf.conf, but the real point is: how we as newby inexperts investigate?
the most danger/terrible essenary is: "this update is doit by a malware", and...
how we can detect wich command make the update? (infection),
how the malware was do uploaded to server?

Please some tricks as: how we can know if really is a update ?
Some command to check/evaluate MD5 with mirror of SO ?

. . .

Really I believe is necessary a page complet with some instructions about how we as newbies can investigate this, and then can give some diagnostic preliminar to contract a sysadmin professional.

(sorry by my bad English)

 

[kodeslogic]

Most such emails are received after the cPanel updates (upcp process), to verify that such email received after cPanel update check path /var/cpanel/updatelogs/ and you should see /var/cpanel/updatelogs/updated.{TIMESTAMP}.log file with timestamp which you can match with the received email.

You may also receive such emails when you manually update some outdated/old packages on your server if it is not by the upcp process.

 

[cPRex]

Yes, you'll get these notifications from CSF after a cPanel update, but it doesn't necessarily indicate an issue with the machine.

 

[000]

...you should see /var/cpanel/updatelogs/updated.{TIMESTAMP}.log file with timestamp which you can match with the received email.

Thanks master @kodeslogic.

Yes, you'll get these notifications from CSF after a cPanel update, but it doesn't necessarily indicate an issue with the machine.

Many thanks by your time master @cPRex.

in any case, if some day update is doit by MALWARE, how I can detect this terrible situation ?, only

/var/cpanel/updatelogs/updated.{TIMESTAMP}.log

?
cPanel don't release some BASH or something tool to check integrity of system?

 

[ffeingol]

While the above suggestions are good, I'd suggest checking /var/log/yum.log Virtaully all these changes are going to be done via yum (via the nightly upcp). Yesterday there was a EA update ( EasyApache 4 March 31 Release ) which is gong to cover a lot of what LFD saw change.

 

[cPRex]

@000 - first you'd want to look over the logs that have been previously mentioned to see if there were updates that happened on the system. If so, that's why there was a change. If not, you could compare the md5sum from a backup or by downloading a copy of the file directly and comparing it from here: Index of /cpanelsync/11.94.0.4

 

[000]

thanks masters