FAILED the md5sum comparison test - how to know when updates occur?

[jeffschips]

I am receiving pretty regular warnings from LFD/CSF that files fail integrity checks, sometimes after LFD has blocked ip's from foreign countries.

How does an admin tell when an update occurs in Cpanel/WHM so we can know if this warning is indeed related to an update?

 

[24x7server]

Hi,

You can check the cPanel update logs for more details.
/var/cpanel/updatelogs
This directory contains the system's update log files.

 

[jeffschips]

Thank you. Given that I have have the following critical messages, how does one verify if the listed failed md5sum files have been updated or modified by an update?

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated

Note that passwd has failed, a pretty critical file. If I search the most recent update log file for any of these listed files, none of them show up with grep:

/usr/bin/cpapi1: FAILED
/usr/bin/cpapi2: FAILED
/usr/bin/cpapi3: FAILED
/usr/bin/doveadm: FAILED
/usr/bin/doveconf: FAILED
/usr/bin/dsync: FAILED
/usr/bin/uapi: FAILED
/usr/sbin/dovecot: FAILED
/usr/sbin/whmapi0: FAILED
/usr/sbin/whmapi1: FAILED
/bin/cpapi1: FAILED
/bin/cpapi2: FAILED
/bin/cpapi3: FAILED
/bin/doveadm: FAILED
/bin/doveconf: FAILED
/bin/dsync: FAILED
/bin/uapi: FAILED
/sbin/dovecot: FAILED
/sbin/whmapi0: FAILED
/sbin/whmapi1: FAILED
/usr/local/bin/crontab: FAILED
/usr/local/bin/passwd: FAILED

 

[cPanelMichael]

Hello @jeffschips,

You can manually download the files from our update servers and verify the md5sum. There's an example of how to do this on the following post:

Resolving Issues Found With Rootkit Hunter

You may also find this document informative:

Download Security - cPanel Knowledge Base - cPanel Documentation

Thank you.

 

[jeffschips]

1) So all of the above files listed as not passing tests have their dopplegangers at http://httpupdate.cpanel.net/cpanelsync/11.66.0.35/binaries/linux-c6-x86_64/
for my verion and OS which is CENTOS 7.5 kvm Version 72.0.5?

2) If //usr/local/cpanel/bin/jail_safe_passwd file (/bin/passwd is just a link to this file) is only a link could the link have changed to point somewhere else?

 

[cPanelMichael]

1) So all of the above files listed as not passing tests have their dopplegangers at http://httpupdate.cpanel.net/cpanelsync/11.66.0.35/binaries/linux-c6-x86_64/
for my verion and OS which is CENTOS 7.5 kvm Version 72.0.5?

No, the URL will change depending on your OS and cPanel & WHM version. With that version of cPanel & WHM on CentOS 7, the mirror URL to use is:

Index of /cpanelsync/11.72.0.5/binaries/linux-c7-x86_64

Note that some of the files are included as part of archives, so you'd need to download them to a test directory and extract them if you want to manually compare the md5 checksums.

2) If //usr/local/cpanel/bin/jail_safe_passwd file (/bin/passwd is just a link to this file) is only a link could the link have changed to point somewhere else?

It's possible. You can verify that with a command like this:

ls -al /bin/passwd

Here's how it should look:

# ls -al /bin/passwd
lrwxrwxrwx 1 root root 38 May 30 15:23 /bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd

I can also confirm this file was modified upon the update to version 72.0.3 by searching at the cPanel update logs:

/var/cpanel/updatelogs/update.1528826671.log:[2018-06-12 18:06:50 +0000]   Retrieving and staging /cpanelsync/11.72.0.3/binaries/linux-c6-x86_64/bin/jail_safe_passwd.xz
/var/cpanel/updatelogs/update.1528826671.log:[2018-06-12 18:06:50 +0000]   Set permissions on /usr/local/cpanel/bin/jail_safe_passwd-cpanelsync to 0755

Thank you.

 

[8p-design]

I am wondering why there is not a script that can do this for us yet.
I find it quite stressful to receive these warnings a few times per week.

I ALWAYS wonder if it was the update that REALLY modify the file, or if it was made by ANOTHER process that took the "update window" opportunity to hack my system.

Why can't the work done on the suggested reply by the cpanel staff above, be made by a script?

 

[Tsuna]

Bumping this, same issue and same concern here.

Why can't the work done on the suggested reply by the cpanel staff above, be made by a script?

Or at least, why cant the system check this and ONLY send alert if it wasn't panel that made those changes during update.

The point of a management panel is to reduce management work so we can focus on business growth(literally why current panel clients are here even after the price hike)

 

[jstubs99]

Yes I agree, same issue today now I find myself troubleshooting something I shouldnt have to. My alert today looks like the following:

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/bin/cpupower: FAILED
/usr/sbin/rsyslogd: FAILED
/bin/cpupower: FAILED
/sbin/rsyslogd: FAILED

Thanks

 

[paulapatrice]

Does anyone have an efficient solution to this? I got a fairly long list of FAILED files for a recently-set up server, and I cannot imagine trying to manually figure out what is legit and what is not file-by-file.

Is this a cPanel issue or a CSF issue? I never got a warning on my old server in 4 years... Thinking something is configured differently on this new server that I either need to turn off or resolve. Any guidance is helpful.

 

[cPRex]

This would be up to CSF as they send those notifications, so there isn't much we can do on our end. More details on that can be found here:

https://support.cpanel.net/hc/en-us/articles/360052795894-CSF-says-that-packages-failed-the-md5sum-check

but basically it says to confirm the packages it warns about are the packages that have been updated.