FAILED the md5sum comparison test - how to know when updates occur?

jeffschips

Well-Known Member
Jun 5, 2016
212
22
68
new york
cPanel Access Level
Root Administrator
I am receiving pretty regular warnings from LFD/CSF that files fail integrity checks, sometimes after LFD has blocked ip's from foreign countries.

How does an admin tell when an update occurs in Cpanel/WHM so we can know if this warning is indeed related to an update?
 

jeffschips

Well-Known Member
Jun 5, 2016
212
22
68
new york
cPanel Access Level
Root Administrator
Thank you. Given that I have have the following critical messages, how does one verify if the listed failed md5sum files have been updated or modified by an update?

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated

Note that passwd has failed, a pretty critical file. If I search the most recent update log file for any of these listed files, none of them show up with grep:

/usr/bin/cpapi1: FAILED
/usr/bin/cpapi2: FAILED
/usr/bin/cpapi3: FAILED
/usr/bin/doveadm: FAILED
/usr/bin/doveconf: FAILED
/usr/bin/dsync: FAILED
/usr/bin/uapi: FAILED
/usr/sbin/dovecot: FAILED
/usr/sbin/whmapi0: FAILED
/usr/sbin/whmapi1: FAILED
/bin/cpapi1: FAILED
/bin/cpapi2: FAILED
/bin/cpapi3: FAILED
/bin/doveadm: FAILED
/bin/doveconf: FAILED
/bin/dsync: FAILED
/bin/uapi: FAILED
/sbin/dovecot: FAILED
/sbin/whmapi0: FAILED
/sbin/whmapi1: FAILED
/usr/local/bin/crontab: FAILED
/usr/local/bin/passwd: FAILED
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463

jeffschips

Well-Known Member
Jun 5, 2016
212
22
68
new york
cPanel Access Level
Root Administrator
1) So all of the above files listed as not passing tests have their dopplegangers at http://httpupdate.cpanel.net/cpanelsync/11.66.0.35/binaries/linux-c6-x86_64/
for my verion and OS which is CENTOS 7.5 kvm Version 72.0.5?

2) If //usr/local/cpanel/bin/jail_safe_passwd file (/bin/passwd is just a link to this file) is only a link could the link have changed to point somewhere else?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
1) So all of the above files listed as not passing tests have their dopplegangers at http://httpupdate.cpanel.net/cpanelsync/11.66.0.35/binaries/linux-c6-x86_64/
for my verion and OS which is CENTOS 7.5 kvm Version 72.0.5?
No, the URL will change depending on your OS and cPanel & WHM version. With that version of cPanel & WHM on CentOS 7, the mirror URL to use is:

Index of /cpanelsync/11.72.0.5/binaries/linux-c7-x86_64

Note that some of the files are included as part of archives, so you'd need to download them to a test directory and extract them if you want to manually compare the md5 checksums.

2) If //usr/local/cpanel/bin/jail_safe_passwd file (/bin/passwd is just a link to this file) is only a link could the link have changed to point somewhere else?
It's possible. You can verify that with a command like this:

Code:
ls -al /bin/passwd
Here's how it should look:

Code:
# ls -al /bin/passwd
lrwxrwxrwx 1 root root 38 May 30 15:23 /bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
I can also confirm this file was modified upon the update to version 72.0.3 by searching at the cPanel update logs:

Code:
/var/cpanel/updatelogs/update.1528826671.log:[2018-06-12 18:06:50 +0000]   Retrieving and staging /cpanelsync/11.72.0.3/binaries/linux-c6-x86_64/bin/jail_safe_passwd.xz
/var/cpanel/updatelogs/update.1528826671.log:[2018-06-12 18:06:50 +0000]   Set permissions on /usr/local/cpanel/bin/jail_safe_passwd-cpanelsync to 0755
Thank you.
 

8p-design

Well-Known Member
Mar 25, 2006
48
1
158
I am wondering why there is not a script that can do this for us yet.
I find it quite stressful to receive these warnings a few times per week.

I ALWAYS wonder if it was the update that REALLY modify the file, or if it was made by ANOTHER process that took the "update window" opportunity to hack my system.

Why can't the work done on the suggested reply by the cpanel staff above, be made by a script?
 

Tsuna

Member
Jun 22, 2019
11
0
1
India
cPanel Access Level
Root Administrator
Bumping this, same issue and same concern here.

Why can't the work done on the suggested reply by the cpanel staff above, be made by a script?
Or at least, why cant the system check this and ONLY send alert if it wasn't panel that made those changes during update.

The point of a management panel is to reduce management work so we can focus on business growth(literally why current panel clients are here even after the price hike)
 

jstubs99

Registered
Jun 24, 2020
1
0
1
AU
cPanel Access Level
Root Administrator
Yes I agree, same issue today now I find myself troubleshooting something I shouldnt have to. My alert today looks like the following:

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/bin/cpupower: FAILED
/usr/sbin/rsyslogd: FAILED
/bin/cpupower: FAILED
/sbin/rsyslogd: FAILED
Thanks