LFD Warning

Discussion in 'Security' started by hrr1963, Feb 10, 2014.

  1. hrr1963

    hrr1963 Registered

    Joined:
    Feb 10, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I have this new VPS, which I just finished setting up the other day. Today I received an email that upcp cron executed. Which is perfectly ok.

    Then 20 minutes later I received an lfd warning, which is ok, because if system files updated, the md5 shouldn't match. What is rare is that I was not able to relate these changes to the cPanel update, went through the logs (maybe didn't see it), so I'm posting it here, just in case anybody has more info:

    I think these are related to the PHP GD, again I was not able to see them in the log.

    Thanks

    ------------
    The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

    /usr/bin/annotate: FAILED
    /usr/bin/gd2copypal: FAILED
    /usr/bin/gd2togif: FAILED
    /usr/bin/gd2topng: FAILED
    /usr/bin/gdcmpgif: FAILED
    /usr/bin/gdparttopng: FAILED
    /usr/bin/gdtopng: FAILED
    /usr/bin/giftogd2: FAILED
    /usr/bin/pngtogd: FAILED
    /usr/bin/pngtogd2: FAILED
    /usr/bin/sxpm: FAILED
    /usr/bin/webpng: FAILED
    ---------------------------------
    Thanks
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Yes, these are related to GD. You can check /var/log/yum.log to see if the packages updated. In the future, if you're not sure what packages these files belong to, just use yum whatprovides, i.e.:

    yum whatprovides /usr/bin/webpng:

    gd-progs-2.0.35-11.el6.x86_64 : Utility programs that use libgd
     
  3. hrr1963

    Thank you for your response. I'm not able to see in the upcp log any reference to a GD package updated. Maybe I'm overlooking something... ?

     
  4. vanessa

    It may have been a system package update, which will be executed during a cPanel update if you have that option selected in your update configuration. Did you check /var/log/yum.log as advised previously?
     
  5. hrr1963

    Yes, I was replying, but went to check some configuration. For example LF_integrity is set to 3600 sec, which means it should verify each hour at least.

    Knowing that...

    I did verify the yum log. I see update entries for gd-progs and libX (sxpm) but those are from Feb 9 around 11PM.
    Then looking through the logs, lfd detected the above changes at Feb 10 20:00:04, but I received a previous lfd warning regarding php at Feb 10 01:00:07, which was at the time of using EasyApache.

    Don't you think that, since every hour lfd is executed, I should at least have received that list appended to the list of PHP or around that time?

    Basically a whole day passed and lfd didn't notice, that is what I found strange and concerning. Which led me to question the validity of these files.
     
  6. vanessa

    I don't find it strange at all. I have dozens of clients that run LFD (and I ran it myself at one point), and we see this issue all the time. LFD doesn't check every binary on the server every time it runs - doing so would be incredibly resource expensive.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can always browse to "WHM Home » Server Configuration » Update Preferences" and modify the setting for "Operating System Package Updates" so that you run them manually. This might help you to verify that package updates through YUM only occur when you update them manually. However, it would be important that you update the packages on a regular basis.

    Thank you.
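
Added example (not part of the original thread, and not cPanel or lfd code): the check discussed above, automated. It maps each file in an lfd alert to its owning package and to the latest yum.log install/update of that package before the alert, and reports the delay between the two. The sample alert and log lines, the `/usr/bin/example-tool` path, `example-pkg`, and the function names are constructed for illustration.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample input modeled on the thread; not real log output.
SAMPLE_ALERT = """\
/usr/bin/webpng: FAILED
/usr/bin/gdtopng: FAILED
/usr/bin/example-tool: FAILED
"""
SAMPLE_YUM_LOG = """\
Feb 09 23:02:10 Updated: gd-progs-2.0.35-11.el6.x86_64
Feb 11 04:00:00 Updated: example-pkg-1.0-1.el6.x86_64
"""

YUM_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (?:Installed|Updated): (?:\d+:)?(\S+)$")
FAILED_RE = re.compile(r"^[ \t]*(/\S+): FAILED[ \t]*$", re.M)

def parse_stamp(stamp, year):
    # yum.log and lfd timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def rpm_owner(path):
    """Name of the package owning path, or None (runs rpm -qf; needs an RPM host)."""
    r = subprocess.run(["rpm", "-qf", "--qf", "%{NAME}\n", path],
                       capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None

def triage(alert_text, yum_log_text, alert_time, year, owner_of=rpm_owner):
    """Map each FAILED path to (package, status, hours from update to alert)."""
    alert_dt = parse_stamp(alert_time, year)
    updated = {}  # package name -> latest install/update at or before the alert
    for line in yum_log_text.splitlines():
        m = YUM_RE.match(line)
        if m:
            when = parse_stamp(m.group(1), year)
            name = m.group(2).rsplit("-", 2)[0]  # drop version and release.arch
            if when <= alert_dt and when > updated.get(name, datetime.min):
                updated[name] = when
    report = {}
    for path in FAILED_RE.findall(alert_text):
        pkg = owner_of(path)
        when = updated.get(pkg)
        hours = round((alert_dt - when).total_seconds() / 3600, 1) if when else None
        report[path] = (pkg, "explained" if when else "investigate", hours)
    return report
```

On an RPM host, call `triage()` without `owner_of` so ownership comes from `rpm -qf`; a path reported as `investigate` can then be compared against the RPM database with `rpm -Vf <path>`.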
     