LFD detecting MD5 checksum errors on sys files

Discussion in 'General Discussion' started by cmajkrzak, Nov 28, 2007.

  1. cmajkrzak

    cmajkrzak Member

    Hello,

    For the past 4-5 days, LFD has been e-mailing me, saying nearly every file in /usr/bin/, /usr/sbin/ and /bin/ has failed the last MD5 checksum. I did see in my backlog of emails, the server is a small update, but I've gotten pages of files between all the emails so far.

    Here are some examples:
    Code:
    /usr/bin/chage: FAILED
    /usr/bin/faillog: FAILED
    /usr/bin/fetchmail: FAILED
    /usr/bin/gdb: FAILED
    /usr/bin/gdbserver: FAILED
    /usr/bin/gdbtui: FAILED
    /usr/bin/ghostscript: FAILED
    /usr/bin/gpasswd: FAILED
    /usr/bin/gs: FAILED
    /usr/bin/ksh: FAILED
    /usr/bin/lastlog: FAILED
    /usr/bin/pdksh: FAILED
    /usr/bin/sg: FAILED
    /usr/sbin/adduser: FAILED
    /usr/sbin/alternatives: FAILED
    /usr/sbin/chpasswd: FAILED
    /usr/sbin/groupadd: FAILED
    /usr/sbin/groupdel: FAILED
    /usr/sbin/groupmod: FAILED
    /usr/sbin/grpck: FAILED
    /usr/sbin/grpconv: FAILED
    /usr/sbin/grpunconv: FAILED
    /usr/sbin/imapd: FAILED
    /usr/sbin/ipop2d: FAILED
    /usr/sbin/ipop3d: FAILED
    /usr/sbin/newusers: FAILED
    /usr/sbin/nfsstat: FAILED
    /usr/sbin/ntsysv: FAILED
    /usr/sbin/pwck: FAILED
    /usr/sbin/pwconv: FAILED
    /usr/sbin/pwunconv: FAILED
    /usr/sbin/rtacct: FAILED
    /usr/sbin/update-alternatives: FAILED
    /usr/sbin/useradd: FAILED
    /usr/sbin/userdel: FAILED
    /usr/sbin/usermod: FAILED
    /bin/ksh: FAILED
    /sbin/chkconfig: FAILED
    /sbin/fxload: FAILED
    /sbin/ip: FAILED
    /sbin/rtmon: FAILED
    /sbin/tc: FAILED
    
    /usr/bin/magicfilter-t: FAILED
    /usr/bin/net-snmp-config: FAILED
    /usr/bin/ntpstat: FAILED
    /usr/bin/python: FAILED
    /usr/bin/python2: FAILED
    /usr/bin/python2.2: FAILED
    /usr/bin/quota: FAILED
    /usr/bin/sasl2-sample-client: FAILED
    /usr/bin/sasl2-sample-server: FAILED
    /usr/bin/sasl-sample-client: FAILED
    /usr/bin/sasl-sample-server: FAILED
    /usr/sbin/automount: FAILED
    /usr/sbin/callback: FAILED
    /usr/sbin/dbconverter-2: FAILED
    /usr/sbin/edquota: FAILED
    /usr/sbin/ntpd: FAILED
    /usr/sbin/ntpdate: FAILED
    /usr/sbin/ntpdc: FAILED
    /usr/sbin/ntp-genkeys: FAILED
    /usr/sbin/ntpq: FAILED
    /usr/sbin/ntptime: FAILED
    /usr/sbin/ntptimeset: FAILED
    /usr/sbin/ntptrace: FAILED
    /usr/sbin/quotastats: FAILED
    /usr/sbin/repquota: FAILED
    /usr/sbin/rpc.rquotad: FAILED
    /usr/sbin/saslauthd: FAILED
    /usr/sbin/sasldblistusers: FAILED
    /usr/sbin/sasldblistusers2: FAILED
    /usr/sbin/saslpasswd: FAILED
    /usr/sbin/saslpasswd2: FAILED
    /usr/sbin/setquota: FAILED
    /usr/sbin/snmpd: FAILED
    /usr/sbin/snmptrapd: FAILED
    /usr/sbin/squid: FAILED
    /usr/sbin/testsaslauthd: FAILED
    /usr/sbin/tickadj: FAILED
    /usr/sbin/warnquota: FAILED
    /bin/sed: FAILED
    /sbin/arytst: FAILED
    /sbin/convertquota: FAILED
    /sbin/detect_multipath: FAILED
    /sbin/lsraid: FAILED
    /sbin/mgetty: FAILED
    /sbin/mkraid: FAILED
    /sbin/quotacheck: FAILED
    /sbin/quotaoff: FAILED
    /sbin/quotaon: FAILED
    /sbin/raid0run: FAILED
    /sbin/raidhotadd: FAILED
    /sbin/raidhotremove: FAILED
    /sbin/raidreconf: FAILED
    /sbin/raidsetfaulty: FAILED
    /sbin/raidstart: FAILED
    /sbin/raidstop: FAILED
    /sbin/ypbind: FAILED
    /etc/init.d/autofs: FAILED
    /etc/init.d/ntpd: FAILED
    
    /usr/bin/ac: FAILED
    /usr/bin/lastcomm: FAILED
    /usr/bin/rcp: FAILED
    /usr/bin/rexec: FAILED
    /usr/bin/rlogin: FAILED
    /usr/bin/rsh: FAILED
    /usr/sbin/accton: FAILED
    /usr/sbin/dump-acct: FAILED
    /usr/sbin/dump-utmp: FAILED
    /usr/sbin/sa: FAILED
    /sbin/accton: FAILED
    
    /usr/bin/formail: FAILED
    /usr/bin/lockfile: FAILED
    /usr/bin/net: FAILED
    /usr/bin/nmblookup: FAILED
    /usr/bin/ntlm_auth: FAILED
    /usr/bin/pdbedit: FAILED
    /usr/bin/procmail: FAILED
    /usr/bin/profiles: FAILED
    /usr/bin/rpcclient: FAILED
    /usr/bin/smbcacls: FAILED
    /usr/bin/smbclient: FAILED
    /usr/bin/smbcontrol: FAILED
    /usr/bin/smbcquotas: FAILED
    /usr/bin/smbmnt: FAILED
    /usr/bin/smbmount: FAILED
    /usr/bin/smbpasswd: FAILED
    /usr/bin/smbspool: FAILED
    /usr/bin/smbstatus: FAILED
    /usr/bin/smbtree: FAILED
    /usr/bin/smbumount: FAILED
    /usr/bin/tdbbackup: FAILED
    /usr/bin/tdbdump: FAILED
    /usr/bin/tdbtool: FAILED
    /usr/bin/testparm: FAILED
    /usr/bin/testprns: FAILED
    /usr/bin/wbinfo: FAILED
    /usr/sbin/nmbd: FAILED
    /usr/sbin/smbd: FAILED
    /usr/sbin/winbindd: FAILED
    /sbin/mount.smb: FAILED
    /sbin/mount.smbfs: FAILED
    
    /usr/bin/star: FAILED
    /usr/bin/ustar: FAILED
    
    

    Running rkhunter I get the following:
    Code:
    [09:26:35] Performing filesystem checks
    [09:26:35] Info: Starting test name 'filesystem'
    [09:26:35] Info: SCAN_MODE_DEV set to 'THOROUGH'
    [09:35:58]   Checking /dev for suspicious file types         [ Warning ]
    [09:35:58] Warning: Suspicious file types found in /dev:
    [09:35:58]          /dev/MAKEDEV: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynami$
    [09:35:59]   Checking for hidden files and directories       [ None found ]
    [09:35:59]
    [09:35:59] Info: Test 'apps' disabled at users request.
    [09:35:59]
    [09:35:59] System checks summary
    [09:35:59] =====================
    [09:35:59]
    [09:35:59] File properties checks...
    [09:35:59] Files checked: 132
    [09:35:59] Suspect files: 0
    [09:35:59]
    [09:35:59] Rootkit checks...
    [09:35:59] Rootkits checked : 114
    [09:35:59] Possible rootkits: 0
    
    chkroot

    Code:
    INFECTED (PORTS:  465 6667)
    
    I've checked both ports, all is normal there.

    Am I worried for nothing here? If so, is there any way to get LFD to get the checksums fixed up?

    Many thanks in advance.
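
One way to triage an alert like the one in the post above, added here as an example (it is not code from the thread, from LFD or from cPanel): pull the paths out of the `FAILED` lines and compare each file with the package database, so that files replaced by a package update can be separated from files that no longer match any package. It assumes an RPM-based host, which the thread does not state; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of the LFD alert quoted in the post.
SAMPLE_ALERT='/usr/bin/chage: FAILED
/usr/sbin/useradd: FAILED
/bin/sed: FAILED'

# Print the path from every "<path>: FAILED" line; ignore all other text.
failed_paths() {
    sed -n 's|^[[:space:]]*\(/[^:]*\): FAILED[[:space:]]*$|\1|p'
}

# Classify one file from captured rpm output.
#   $1 = path, $2 = output of `rpm -qf <path>`, $3 = output of `rpm -Vf <path>`
# UNOWNED    : no package claims the file, so there is no package baseline
# MODIFIED   : rpm -V flags a digest mismatch ('5' in column 3) for this path
# PACKAGE_OK : file matches the installed package; the LFD baseline is stale
# Paths containing spaces are not handled (awk splits on whitespace).
classify() {
    case $2 in
        *"not owned by any package"*) echo UNOWNED; return ;;
    esac
    if printf '%s\n' "$3" |
        awk -v p="$1" '$NF == p && substr($1, 3, 1) == "5" { hit = 1 }
                       END { exit !hit }'
    then
        echo MODIFIED
    else
        echo PACKAGE_OK
    fi
}

# Read an LFD alert on stdin and print "<verdict><TAB><path>" per file.
# Requires rpm on the host being checked.
triage() {
    failed_paths | while IFS= read -r f; do
        verdict=$(classify "$f" "$(rpm -qf "$f" 2>&1)" "$(rpm -Vf "$f" 2>&1)")
        printf '%s\t%s\n' "$verdict" "$f"
    done
}

# On the affected host: triage < lfd-alert.txt
```

The RPM database lives on the same host as the files it describes, so `PACKAGE_OK` is evidence of a package update rather than proof of integrity; `UNOWNED` and `MODIFIED` entries are the ones to examine first.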
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member
