FAILED the md5sum comparison test - how to know when updates occur?

Discussion in 'Security' started by jeffschips, Jun 25, 2018.

  1. jeffschips

    jeffschips Active Member

    Joined:
    Jun 5, 2016
    Messages:
    29
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    new york
    cPanel Access Level:
    Root Administrator
    I am receiving pretty regular warnings from LFD/CSF that files fail integrity checks, sometimes after LFD has blocked IPs from foreign countries.

    How does an admin tell when an update occurs in cPanel/WHM so we can know if this warning is indeed related to an update?
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,888
    Likes Received:
    90
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    You can check the cPanel update logs for more details.
    /var/cpanel/updatelogs
    This directory contains the system's update log files.
     
  3. jeffschips

    jeffschips Active Member

    Joined:
    Jun 5, 2016
    Messages:
    29
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    new york
    cPanel Access Level:
    Root Administrator
    Thank you. Given that I have the following critical messages, how does one verify if the listed failed md5sum files have been updated or modified by an update?

    The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated

    Note that passwd has failed, a pretty critical file. If I search the most recent update log file for any of these listed files, none of them show up with grep:

    /usr/bin/cpapi1: FAILED
    /usr/bin/cpapi2: FAILED
    /usr/bin/cpapi3: FAILED
    /usr/bin/doveadm: FAILED
    /usr/bin/doveconf: FAILED
    /usr/bin/dsync: FAILED
    /usr/bin/uapi: FAILED
    /usr/sbin/dovecot: FAILED
    /usr/sbin/whmapi0: FAILED
    /usr/sbin/whmapi1: FAILED
    /bin/cpapi1: FAILED
    /bin/cpapi2: FAILED
    /bin/cpapi3: FAILED
    /bin/doveadm: FAILED
    /bin/doveconf: FAILED
    /bin/dsync: FAILED
    /bin/uapi: FAILED
    /sbin/dovecot: FAILED
    /sbin/whmapi0: FAILED
    /sbin/whmapi1: FAILED
    /usr/local/bin/crontab: FAILED
    /usr/local/bin/passwd: FAILED
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,214
    Likes Received:
    1,936
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
  5. jeffschips

    jeffschips Active Member

    Joined:
    Jun 5, 2016
    Messages:
    29
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    new york
    cPanel Access Level:
    Root Administrator
    1) So all of the above files listed as not passing tests have their doppelgangers at http://httpupdate.cpanel.net/cpanelsync/11.66.0.35/binaries/linux-c6-x86_64/
    for my version and OS which is CENTOS 7.5 kvm Version 72.0.5?

    2) If the /usr/local/cpanel/bin/jail_safe_passwd file (/bin/passwd is just a link to this file) is only a link, could the link have changed to point somewhere else?
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,214
    Likes Received:
    1,936
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    No, the URL will change depending on your OS and cPanel & WHM version. With that version of cPanel & WHM on CentOS 7, the mirror URL to use is:

    Index of /cpanelsync/11.72.0.5/binaries/linux-c7-x86_64

    Note that some of the files are included as part of archives, so you'd need to download them to a test directory and extract them if you want to manually compare the md5 checksums.

    It's possible. You can verify that with a command like this:

    Code:
    ls -al /bin/passwd
    Here's how it should look:

    Code:
    # ls -al /bin/passwd
    lrwxrwxrwx 1 root root 38 May 30 15:23 /bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
    I can also confirm this file was modified upon the update to version 72.0.3 by searching at the cPanel update logs:

    Code:
    /var/cpanel/updatelogs/update.1528826671.log:[2018-06-12 18:06:50 +0000]   Retrieving and staging /cpanelsync/11.72.0.3/binaries/linux-c6-x86_64/bin/jail_safe_passwd.xz
    /var/cpanel/updatelogs/update.1528826671.log:[2018-06-12 18:06:50 +0000]   Set permissions on /usr/local/cpanel/bin/jail_safe_passwd-cpanelsync to 0755
    
    Thank you.
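
The thread's sticking point is that grepping the update log for the reported path finds nothing, while the log records the symlink target (`jail_safe_passwd`). The script below is an added example, not part of the thread or of cPanel's or CSF's tooling: it resolves each `FAILED` path before searching the update logs. The function name, output format and script name are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Triage for an LFD "FAILED the md5sum
# comparison test" alert: resolve each reported path through its symlinks,
# then look for the real file name in the cPanel update logs.

# Directory named in the thread; override it for testing.
UPDATELOG_DIR="${UPDATELOG_DIR:-/var/cpanel/updatelogs}"

# Reads the alert text on stdin. For every "<path>: FAILED" line prints
#   <reported path> <resolved path> <update|unexplained>
# "update" means an update log mentions the resolved file name (substring
# match, so confirm the hit by reading the log line). "unexplained" is not
# proof of tampering: some files ship inside archives and are never logged
# by name, so compare those against the mirror copy instead.
triage_failed() {
    local line path real name verdict
    while IFS= read -r line; do
        case "$line" in
            *": FAILED") path="${line%: FAILED}" ;;
            *) continue ;;
        esac
        path="${path#"${path%%[![:space:]]*}"}"      # trim leading whitespace
        real="$(readlink -f -- "$path" 2>/dev/null)" || real="$path"
        name="${real##*/}"
        if grep -rqF -- "/$name" "$UPDATELOG_DIR" 2>/dev/null; then
            verdict="update"
        else
            verdict="unexplained"
        fi
        printf '%s %s %s\n' "$path" "$real" "$verdict"
    done
}

# Run as: ./triage.sh - < alert.txt   (script name is a placeholder)
if [ "${1:-}" = "-" ]; then
    triage_failed
fi
```

A resolved path that differs from the expected link target (for `/bin/passwd`, the one shown in the `ls -al` output above) is itself worth investigating, whatever the verdict column says.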
     