CSF email: "...If the change is unexpected it should be investigated" - how to investigate?

000

Well-Known Member
Hello,
we received this message:
Code:
Time:     Thu Apr  1 06:00:14 2021 -0500

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/bin/ab: FAILED
/usr/bin/ea-php73: FAILED
/usr/bin/ea-php74: FAILED
/usr/bin/ea-php80: FAILED
/usr/bin/htdbm: FAILED
/usr/bin/htdigest: FAILED
/usr/bin/htpasswd: FAILED
/usr/bin/httxt2dbm: FAILED
/usr/bin/logresolve: FAILED
/usr/sbin/fcgistarter: FAILED
/usr/sbin/htcacheclean: FAILED
/usr/sbin/httpd: FAILED
/usr/sbin/rotatelogs: FAILED
/usr/sbin/suexec: FAILED
/bin/ab: FAILED
/bin/ea-php73: FAILED
/bin/ea-php74: FAILED
/bin/ea-php80: FAILED
/bin/htdbm: FAILED
/bin/htdigest: FAILED
/bin/htpasswd: FAILED
/bin/httxt2dbm: FAILED
/bin/logresolve: FAILED
/sbin/fcgistarter: FAILED
/sbin/htcacheclean: FAILED
/sbin/httpd: FAILED
/sbin/rotatelogs: FAILED
/sbin/suexec: FAILED
/usr/local/bin/ea-php73: FAILED
/usr/local/bin/ea-php74: FAILED
/usr/local/bin/ea-php80: FAILED
... so really, around the world, after millions of servers/VPSes update/upgrade the OS with cPanel, millions and millions of emails are sent to sysadmins' inboxes?

Yes, we can disable this email in /etc/csf/csf.conf, but the real point is: how do we, as inexpert newbies, investigate?
The most dangerous/terrible scenario is: "this update was done by malware", and...
how can we detect which command made the update (the infection)?
how was the malware uploaded to the server?

Please, some tricks such as: how can we know if it really is an update?
Some command to check/evaluate the MD5 against a mirror of the OS?

. . .

Really, I believe a complete page is necessary with some instructions about how we as newbies can investigate this, so we can then give a preliminary diagnosis before contracting a professional sysadmin.

(sorry for my bad English)
 

kodeslogic

Well-Known Member
cPanel Access Level
Root Administrator
Most such emails are received after cPanel updates (the upcp process). To verify that such an email was received after a cPanel update, check the path /var/cpanel/updatelogs/; you should see a /var/cpanel/updatelogs/updated.{TIMESTAMP}.log file with a timestamp which you can match with the received email.

You may also receive such emails when you manually update some outdated/old packages on your server, outside the upcp process.

000

Well-Known Member
...you should see /var/cpanel/updatelogs/updated.{TIMESTAMP}.log file with timestamp which you can match with the received email.
Thanks master @kodeslogic.

Yes, you'll get these notifications from CSF after a cPanel update, but it doesn't necessarily indicate an issue with the machine.
Many thanks for your time, master @cPRex.

In any case, if some day an update is done by MALWARE, how can I detect this terrible situation? Only
Code:
/var/cpanel/updatelogs/updated.{TIMESTAMP}.log
?
Doesn't cPanel release some Bash tool or something to check the integrity of the system?
 

ffeingol

Well-Known Member
PartnerNOC
cPanel Access Level
DataCenter Provider
While the above suggestions are good, I'd suggest checking /var/log/yum.log. Virtually all these changes are going to be done via yum (via the nightly upcp). Yesterday there was an EA update (EasyApache 4 March 31 Release) which is going to cover a lot of what LFD saw change.

cPRex

Jurassic Moderator
Staff member
cPanel Access Level
Root Administrator
@000 - first you'd want to look over the logs that have been previously mentioned to see if there were updates that happened on the system. If so, that's why there was a change. If not, you could compare the md5sum against a backup, or download a copy of the file directly and compare against it, from here: Index of /cpanelsync/11.94.0.4
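Tying the three answers together (match the notice to the update logs, check /var/log/yum.log, and compare digests against a clean copy), here is an added example triage script. It is not from the thread and not a cPanel or CSF tool; the notice excerpt and the yum.log lines inside it are constructed sample data, and the rpm_owner function only does real work when run on the server itself. Paths, package names and the "updated.{TIMESTAMP}.log" pattern are taken from the thread as posted.

```bash
#!/usr/bin/env bash
# Triage helper for a CSF/LFD "FAILED the md5sum comparison test" notice.
# Added example, not from the thread or from CSF/cPanel. The notice excerpt
# and the yum.log lines are constructed sample data; on a real server you
# would feed in the actual notice text and /var/log/yum.log instead.
set -u

# Constructed excerpt of the LFD notice (the real one lists many more files).
SAMPLE_NOTICE='Time:     Thu Apr  1 06:00:14 2021 -0500

The following list of files have FAILED the md5sum comparison test.

/usr/sbin/httpd: FAILED
/usr/sbin/suexec: FAILED
/usr/bin/ea-php74: FAILED'

# Constructed /var/log/yum.log lines covering the night before the notice.
SAMPLE_YUMLOG='Mar 31 22:15:03 Updated: ea-apache24-2.4.46-4.4.1.cpanel.x86_64
Apr 01 05:58:41 Updated: ea-apache24-tools-2.4.46-4.4.1.cpanel.x86_64
Apr 01 05:58:42 Updated: ea-php74-php-cli-7.4.16-1.1.1.cpanel.x86_64
Apr 01 05:58:43 Updated: ea-apache24-2.4.46-4.4.1.cpanel.x86_64
Apr 02 06:01:10 Installed: screen-4.1.0-0.27.20120314git3c2946.el7_9.x86_64'

# 1. Paths that failed, one per line, pulled from the "<path>: FAILED" lines.
failed_paths() {                       # $1 = notice text
  printf '%s\n' "$1" | sed -n 's/^\(\/[^:]*\): FAILED$/\1/p'
}

# 2. The notice's "Time:" header as the zero-padded "Mon DD" prefix that
#    yum.log uses (the notice prints "Apr  1", yum.log prints "Apr 01").
notice_day() {                         # $1 = notice text
  printf '%s\n' "$1" | awk '/^Time:/ { printf "%s %02d\n", $3, $4 }'
}

# 3. Packages yum installed or updated on that day, as name-version-release.arch.
packages_changed_on() {                # $1 = "Mon DD", $2 = yum.log text
  printf '%s\n' "$2" | awk -v day="$1" '
    substr($0, 1, 6) == day && ($4 == "Updated:" || $4 == "Installed:") { print $5 }'
}

# 4. Owning package of a file according to the local RPM database. Only does
#    real work on the server itself; prints "unknown" where rpm is absent or
#    the file belongs to no package (an unowned binary under /usr/sbin is
#    itself a finding worth chasing).
rpm_owner() {                          # $1 = path
  { command -v rpm >/dev/null 2>&1 && rpm -qf "$1" 2>/dev/null; } || echo unknown
}

# 5. Is the owning package among the day's yum changes? If so, the digest
#    change is explained by the update.
explained_by_update() {                # $1 = package string, $2 = package list
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# 6. Digest comparison against a reference obtained off-box (a backup, or a
#    pristine copy of the file as cPRex suggests). Returns 0 on match.
matches_reference() {                  # $1 = expected md5 hex, $2 = path
  local actual
  actual=$(md5sum "$2" | cut -d' ' -f1)
  [ "$actual" = "$1" ]
}

# Walk the notice: files owned by a package that yum touched on the notice's
# day are expected changes; everything else goes to the reference comparison.
day=$(notice_day "$SAMPLE_NOTICE")
changed=$(packages_changed_on "$day" "$SAMPLE_YUMLOG")
failed_paths "$SAMPLE_NOTICE" | while IFS= read -r f; do
  owner=$(rpm_owner "$f")
  if [ "$owner" != unknown ] && explained_by_update "$owner" "$changed"; then
    echo "$f: owned by $owner, updated by yum on $day -> expected"
  else
    echo "$f: owner=$owner, no yum.log entry for $day -> compare digest against a clean copy"
  fi
done
```

Two practical notes. First, /var/log/yum.log, the RPM database and /var/cpanel/updatelogs/ all live on the same host that an attacker would control, so they can rule a change in as an update but cannot prove it clean; rpm -Vf /path (a "5" in the output column means the recorded digest differs) is a quick on-box check, while the stronger check is matches_reference against a digest taken from a backup or from a package fetched from a trusted mirror. Second, the duplicated /bin and /sbin entries in the posted notice are the same files seen through the /bin -> /usr/bin and /sbin -> /usr/sbin symlinks on CentOS 7/8, so investigate each binary once (readlink -f collapses the aliases).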