LFD keeps failing, now I see that /usr/sbin/csf and lfd have been modified

GoWilkes
Well-Known Member, joined Sep 26, 2006
cPanel Access Level: Root Administrator
For the last couple of days I've been getting a TON of emails that lfd has failed. I had a cracker upload a backdoor script on 10/7/20 that I thought was fixed, but maybe I was wrong. I'm running WHM / cPanel v.86.0.29 because I'm still using MySQL 5.5, and no one responded on whether there is any risk to updating and I can't really risk losing everything.

Anyway.

I installed ClamAV but never received any reports, so I honestly don't know if it found or fixed anything.

I also ran rkhunter, v. 1.4.2. It didn't find any rootkits, but I did have a few warnings *.

I restarted CSF, and then in /var/log/lfd I see:

Code:
Oct 20 19:39:07 [SERVER] lfd[25196]: *System Integrity* has detected modified file(s): /usr/sbin/csf /usr/sbin/lfd
Oct 20 19:40:22 [SERVER] lfd[25389]: Directory Watching terminated after 16 seconds
Oct 20 19:40:22 [SERVER] lfd[25389]: LF_DIRWATCH taking 16 seconds, temporarily throttled to run every 180 seconds
Then looking at /usr/sbin/csf and /usr/sbin/lfd, I see both were modified on 10/19/20, 5:33:06pm EST.

Can anyone suggest whether the filesizes are wrong? /csf is 243,240, and /lfd is 390,948.


* rkhunter warnings:

Code:
Performing file properties checks
    /sbin/ifdown                                             [ Warning ]
    /sbin/ifup                                               [ Warning ]
    /usr/bin/GET                                             [ Warning ]
    /usr/bin/ldd                                             [ Warning ]
    /usr/bin/whatis                                          [ Warning ]

Performing group and account checks
    Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]

  Performing system configuration file checks
    Checking if SSH root access is allowed                   [ Warning ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ Warning ]
    Checking for hidden files and directories                [ Warning ]
The log file said that each of those file properties had been replaced by a script, so I think they're irrelevant. The log also showed no warning for passwd and group, so I don't know what's up with that. And SSH root access is expected, as I do have it allowed.

But the filesystem checks, I don't know. Should I be concerned?

Code:
[03:16:20] Info: Starting test name 'passwd_changes'
[03:16:21]   Checking for passwd file changes                [ None found ]
[03:16:21]
[03:16:21] Info: Starting test name 'group_changes'
[03:16:21]   Checking for group file changes                 [ None found ]

[03:16:51]   Checking /dev for suspicious file types         [ Warning ]
[03:16:52] Warning: Suspicious file types found in /dev:
[03:16:52]          /dev/.udev/queue.bin: data
[03:16:52]          /dev/.udev/db/block:loop0: ASCII text
[03:16:52]          /dev/.udev/db/block:xvda1: ASCII text
[03:16:53]          /dev/.udev/db/block:xvda2: ASCII text
[03:16:53]          /dev/.udev/db/block:xvda: ASCII text
[03:16:53]          /dev/.udev/db/input:event0: ASCII text
[03:16:54]          /dev/.udev/db/block:xvdb1: ASCII text
[03:16:54]          /dev/.udev/db/block:ram9: ASCII text
[03:16:54]          /dev/.udev/db/block:ram7: ASCII text
[03:16:54]          /dev/.udev/db/block:ram8: ASCII text
[03:16:55]          /dev/.udev/db/block:ram6: ASCII text
[03:16:55]          /dev/.udev/db/block:ram5: ASCII text
[03:16:55]          /dev/.udev/db/block:ram2: ASCII text
[03:16:56]          /dev/.udev/db/block:ram14: ASCII text
[03:16:56]          /dev/.udev/db/block:ram15: ASCII text
[03:16:56]          /dev/.udev/db/block:ram10: ASCII text
[03:16:56]          /dev/.udev/db/block:ram11: ASCII text
[03:16:57]          /dev/.udev/db/block:ram4: ASCII text
[03:16:57]          /dev/.udev/db/block:ram3: ASCII text
[03:16:57]          /dev/.udev/db/block:ram12: ASCII text
[03:16:58]          /dev/.udev/db/block:ram13: ASCII text
[03:16:58]          /dev/.udev/db/block:ram1: ASCII text
[03:16:58]          /dev/.udev/db/block:xvdb: ASCII text
[03:16:59]          /dev/.udev/db/block:loop6: ASCII text
[03:16:59]          /dev/.udev/db/block:loop7: ASCII text
[03:16:59]          /dev/.udev/db/block:loop4: ASCII text
[03:17:00]          /dev/.udev/db/block:ram0: ASCII text
[03:17:00]          /dev/.udev/db/block:loop3: ASCII text
[03:17:00]          /dev/.udev/db/block:loop5: ASCII text
[03:17:00]          /dev/.udev/db/block:loop2: ASCII text
[03:17:01]          /dev/.udev/db/block:loop1: ASCII text
[03:17:01]          /dev/.udev/rules.d/99-root.rules: ASCII text

[03:17:03]   Checking for hidden files and directories       [ Warning ]
[03:17:03] Warning: Hidden directory found: /dev/.mdadm
[03:17:04] Warning: Hidden directory found: /dev/.udev
[03:17:04] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[03:17:04] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[03:17:05] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[03:17:05] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[03:17:05] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[03:17:05] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
 

keat63
Well-Known Member, joined Nov 20, 2014
cPanel Access Level: Root Administrator
On my server those file sizes are:

csf = 237.50k - 19.10.20 @ 22:02:03
lfd = 381.9k - 19.10.20 @ 22:02:03

I'm on CSF version 14.06
 

andrew.n
Well-Known Member, joined Jun 9, 2020, EU
cPanel Access Level: Root Administrator
When CSF/LFD is updated you might get those false alerts; however, ConfigServer support would be able to confirm the sizes and md5 hashes to make sure it was not modified. If the server is hacked, though, the recommended and safest option is to reinstall it and start from scratch.
 

rscalover
Active Member, joined Dec 16, 2010
Hello,

Have you enabled automatic csf updates? In that case it is normal for the software to be modified when csf is auto-updated; you'll also get an email from cron. However, if your server is compromised, it's time to make a decision and reinstall it, or you could contact ConfigServer, the authors of csf.
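As an added example (not code from the thread or from ConfigServer), here is a small Python script that does the two things the replies above point at: it parses the lfd "System Integrity" alert line quoted in the first post to pull out the flagged paths, and it checks those paths against a hash baseline you recorded from a known-good install or from hashes ConfigServer confirmed. The log text and the stub files in `demo()` are constructed; on a real server you would point `verify_against_baseline` at /usr/sbin/csf and /usr/sbin/lfd with your own baseline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample: the two lfd lines quoted in the first post.
SAMPLE_LOG = """\
Oct 20 19:39:07 [SERVER] lfd[25196]: *System Integrity* has detected modified file(s): /usr/sbin/csf /usr/sbin/lfd
Oct 20 19:40:22 [SERVER] lfd[25389]: Directory Watching terminated after 16 seconds
"""

# Shape of the lfd System Integrity alert; everything after the colon is a space-separated path list.
INTEGRITY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \[[^\]]+\] lfd\[\d+\]: "
    r"\*System Integrity\* has detected modified file\(s\): (?P<files>.+)$"
)

def parse_integrity_alerts(log_text):
    """Return (timestamp, [paths]) for every System Integrity alert in the log text."""
    alerts = []
    for line in log_text.splitlines():
        m = INTEGRITY_RE.match(line.strip())
        if m:
            alerts.append((m.group("ts"), m.group("files").split()))
    return alerts

def sha256_of(path):
    """Stream-hash a file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_against_baseline(paths, baseline):
    """Classify each flagged path: ok (hash matches), changed, or unknown (no baseline entry)."""
    status = {}
    for p in paths:
        expected = baseline.get(p)
        status[p] = "unknown" if expected is None else ("ok" if sha256_of(p) == expected else "changed")
    return status

def demo():
    """Constructed scenario: baseline two stub files, alter one, re-check; result keyed by basename."""
    with tempfile.TemporaryDirectory() as d:
        csf, lfd = Path(d) / "csf", Path(d) / "lfd"
        csf.write_bytes(b"# csf stub\n")
        lfd.write_bytes(b"# lfd stub\n")
        baseline = {str(csf): sha256_of(csf), str(lfd): sha256_of(lfd)}
        lfd.write_bytes(b"# lfd stub, altered after the baseline was taken\n")
        result = verify_against_baseline([str(csf), str(lfd), str(Path(d) / "x")], baseline)
        return {Path(k).name: v for k, v in result.items()}
```

A path reported as "changed" right after a csf auto-update is expected, as the replies note; the same result with no update in the cron mail is the case worth treating as a compromise indicator.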