The Community Forums


Questions about cPanel Updates and CSF integrity checks.

Discussion in 'Security' started by Spork Schivago, Feb 11, 2016.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Hello,

    I have a quick question. Last night cPanel got updated and I got the following message from ConfigServer Firewall's LFD program:
    Code:
    The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
    
    /usr/bin/innochecksum: FAILED
    /usr/bin/myisamchk: FAILED
    /usr/bin/myisam_ftdump: FAILED
    /usr/bin/myisamlog: FAILED
    /usr/bin/myisampack: FAILED
    /usr/bin/my_print_defaults: FAILED
    /usr/bin/mysql: FAILED
    /usr/bin/mysqladmin: FAILED
    /usr/bin/mysqlbinlog: FAILED
    /usr/bin/mysqlbug: FAILED
    /usr/bin/mysqlcheck: FAILED
    /usr/bin/mysql_client_test: FAILED
    /usr/bin/mysql_config: FAILED
    /usr/bin/mysqldump: FAILED
    /usr/bin/mysqlimport: FAILED
    /usr/bin/mysql_plugin: FAILED
    /usr/bin/mysqlshow: FAILED
    /usr/bin/mysqlslap: FAILED
    /usr/bin/mysqltest: FAILED
    /usr/bin/mysql_tzinfo_to_sql: FAILED
    /usr/bin/mysql_upgrade: FAILED
    /usr/bin/mysql_waitpid: FAILED
    /usr/bin/perror: FAILED
    /usr/bin/replace: FAILED
    /usr/bin/resolveip: FAILED
    /usr/bin/resolve_stack_dump: FAILED
    /usr/sbin/mysqld: FAILED
    /usr/sbin/mysqld-debug: FAILED
    /bin/passwd: FAILED
    
    I get a message similar to this every time cPanel updates. My guess is cPanel is updating these files. If my suspicions are correct, is there a way to see what files cPanel updates so I can make sure some hacker hasn't replaced those files with malicious ones? Thanks!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. Spork Schivago

    Spork Schivago Well-Known Member

    Thank you cPanelMichael! I didn't even have to tell you what OS I was running and you knew my package manager was yum!

    Do you know of a way for me to use yum to see what package certain files belong to? The log file shows what packages were updated, but not what files in those packages were updated.

    For example, lfd shows /usr/bin/innochecksum changed. But /var/log/yum.log doesn't list innochecksum. I tried using:
    Code:
    rpm -qf /usr/bin/innochecksum
    
    and that shows innochecksum belongs to: MySQL55-server-5.5.48-1.cp1148.x86_64

    However, when I type:
    Code:
    cat /var/log/yum.log | grep -i "mysql"
    
    I get nothing. When I type:
    Code:
    cat /var/log/yum.log
    
    I can see only 6 packages were either installed or updated last night.
    Code:
    Feb 10 00:59:34 Updated: chkconfig-1.3.49.3-5.el6_7.2.x86_64
    Feb 10 00:59:34 Updated: ntsysv-1.3.49.3-5.el6_7.2.x86_64
    Feb 10 00:59:35 Updated: tzdata-2016a-2.el6.noarch
    Feb 10 12:27:33 Updated: kernel-headers-2.6.32-573.18.1.el6.x86_64
    Feb 10 12:27:41 Installed: kernel-devel-2.6.32-573.18.1.el6.x86_64
    Feb 10 12:27:43 Updated: initscripts-9.03.49-1.el6.centos.4.x86_64
    
    None of them seem to have anything to do with MySQL55-server-5.5.48-1.cp1148.x86_64. Does this mean someone might have gotten into my server?

    Also,
    Code:
    rpm -qf /bin/passwd
    
    shows /bin/passwd doesn't belong to any packages... yet /bin/passwd was changed last night. It has me worried. Thanks!
     
  4. Spork Schivago

    Spork Schivago Well-Known Member

    /bin/passwd is a symbolic link to /usr/local/cpanel/bin/jail_safe_passwd. However, rpm -qf /usr/local/cpanel/bin/jail_safe_passwd and yum provides /usr/local/cpanel/bin/jail_safe_passwd show that the file doesn't belong to any packages.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You also have to account for any RPM changes that stem from cPanel updates (e.g. MySQL updates). You can review the cPanel update logs in the following directory:

    /var/cpanel/updatelogs

    Thank you.
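A triage script for a notice like the one quoted above, added here as an example (it is not part of the thread and not cPanel's or CSF's tooling): it pulls the FAILED paths out of the LFD message, resolves symlinks the way /bin/passwd had to be resolved by hand, asks rpm which package owns each target, and checks that package against the transactions in yum.log. The sample notice, sample yum.log and owner map are constructed, and treating a "cpNNNN" release tag as "cPanel-built, check /var/cpanel/updatelogs" is an assumption.

```python
import os
import re
import subprocess

# Constructed sample inputs, shaped like the LFD notice and yum.log quoted in the thread.
SAMPLE_NOTICE = """The following list of files have FAILED the md5sum comparison test.

/usr/bin/innochecksum: FAILED
/usr/sbin/ntsysv: FAILED
/bin/passwd: FAILED
/usr/bin/example: FAILED
"""
SAMPLE_YUM_LOG = """Feb 10 00:59:34 Updated: chkconfig-1.3.49.3-5.el6_7.2.x86_64
Feb 10 00:59:34 Updated: ntsysv-1.3.49.3-5.el6_7.2.x86_64
Feb 10 12:27:41 Installed: kernel-devel-2.6.32-573.18.1.el6.x86_64
"""


def parse_failed_files(notice):
    """Paths LFD flagged as FAILED, in notice order."""
    return re.findall(r"^(\S+): FAILED$", notice, re.MULTILINE)


def parse_yum_log(log):
    """Set of package NVRA strings that yum logged as Updated or Installed."""
    return set(re.findall(r"^\w{3} +\d+ [\d:]+ (?:Updated|Installed): (\S+)$", log, re.MULTILINE))


def rpm_owner(path):
    """Owning package via `rpm -qf`, or None if no package claims the file (real-host lookup)."""
    proc = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def triage(notice, yum_log, owner=rpm_owner, resolve=os.path.realpath):
    """Map each flagged path to (resolved path, owning package, verdict)."""
    updated = parse_yum_log(yum_log)
    report = {}
    for path in parse_failed_files(notice):
        real = resolve(path)  # LFD reports the symlink; rpm owns the target
        pkg = owner(real)
        if pkg is None:
            verdict = "unowned"  # not tracked by RPM; verify against the vendor's own files
        elif pkg in updated:
            verdict = "explained-by-yum"  # a logged yum transaction changed it
        elif re.search(r"\.cp\d+\.", pkg):  # assumption: cPanel-built RPMs carry a cpNNNN tag
            verdict = "check-cpanel-updatelogs"  # look for the package in /var/cpanel/updatelogs
        else:
            verdict = "unexplained"  # owned, no logged update: run `rpm -V <pkg>` and investigate
        report[path] = (real, pkg, verdict)
    return report
```

On a live host run `triage(open("/var/lib/csf/lfd_notice.txt").read(), open("/var/log/yum.log").read())` (the notice path is a placeholder for wherever you saved the e-mail); the verdicts just prioritise which files still need a manual look.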
     
  6. keat63

    keat63 Well-Known Member

    I see things like this quite frequently, even though I have most updates set for manual, some automatic updates still occur.

    If you scroll through the CSF email logs, you should see an entry for YUM.

    If I see any files failing, I usually quickly scroll through the log to find the YUM occurrence.
    It's always at the same time of day, so if I see YUM has been working I don't worry.
     
  7. Spork Schivago

    Spork Schivago Well-Known Member

    Thank you guys!