keat63

Well-Known Member
Nov 20, 2014
1,913
259
113
cPanel Access Level
Root Administrator
Guys. Could anyone offer advice on the message received this morning?

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
Code:
/usr/bin/prove: FAILED
/usr/bin/ptar: FAILED
/usr/bin/ptardiff: FAILED
/usr/bin/shasum: FAILED
- - - Updated - - -

And this?
Code:
Dec  3 07:00:36 leeds lfd[1053]: *System Integrity* has detected modified file(s): /bin/crontab /bin/passwd /etc/init.d/fastmail
- - - Updated - - -

and this.
Code:
The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/bin/crontab: FAILED
/bin/passwd: FAILED
/etc/init.d/fastmail: FAILED
- - - Updated - - -

Maybe the server has done an update?

Code:
/var/log/secure:
Dec  3 06:58:57 leeds atd[990]: pam_unix(atd:session): session opened for user root by (uid=0)
Dec  3 06:58:57 leeds atd[990]: pam_unix(atd:session): session closed for user root

/usr/local/cpanel/logs/error_log:
This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
	 "/usr/local/cpanel/base/frontend/x3/branding/the_beach/heading_sprites_bg_snap_to_smallest_width.png".
This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
	 "/usr/local/cpanel/base/frontend/x3/branding/motor_city/ui_sprites_bg_snap_to_smallest_width.png".
This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
	 "/usr/local/cpanel/base/frontend/x3/branding/crimson_smoke/heading_sprites_bg_snap_to_smallest_width.png".
This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
	 "/usr/local/cpanel/base/frontend/x3mail/branding/the_beach/heading_sprites_bg_snap_to_smallest_width.png".
This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
	 "/usr/local/cpanel/base/frontend/x3mail/branding/motor_city/ui_sprites_bg_snap_to_smallest_width.png".
This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
	 "/usr/local/cpanel/base/frontend/x3mail/branding/crimson_smoke/heading_sprites_bg_snap_to_smallest_width.png".
[12/03/2014:06:39:10 -0000] info [cpsrvd] reloading config based on -HUP signal
[2014-12-03 06:39:21 +0000] warn [taskrun] Failed to open “/usr/local/cpanel/logs/easyapache” for chown(): No such file or directory at /usr/local/cpanel/Cpanel/SafetyBits/Chown.pm line 49
	Cpanel::SafetyBits::Chown::safe_chown(__CPANEL_HIDDEN__, -1, __CPANEL_HIDDEN__) called at /usr/local/cpanel/install/SecurityCheck.pm line 94
	Install::SecurityCheck::_secure_files() called at /usr/local/cpanel/install/SecurityCheck.pm line 208
	Install::SecurityCheck::perform(Install::SecurityCheck=HASH(0x33062f8)) called at /usr/local/cpanel/bin/taskrun line 318
	eval {...} called at /usr/local/cpanel/bin/taskrun line 318
	Bin::TaskRun::perform(Install::SecurityCheck=HASH(0x33062f8)) called at /usr/local/cpanel/bin/taskrun line 335
	Bin::TaskRun::perform_task(Install::SecurityCheck=HASH(0x33062f8), HASH(0x23384f8), undef) called at /usr/local/cpanel/bin/taskrun line 378
	Bin::TaskRun::verify_and_perform_task(Install::SecurityCheck=HASH(0x33062f8), Cpanel::CPAN::Algorithm::Dependency::Ordered=HASH(0x4f23a70), HASH(0x23384f8), undef) called at /usr/local/cpanel/bin/taskrun line 552
	Bin::TaskRun::_main('Bin::TaskRun', undef, 'no_deps', undef, 'pbar-stop', 90, 'pbar-start', 80, 'debug', undef, 'dry', undef, 'log_file', '/var/cpanel/updatelogs/update.1417583521.log', 'force', undef, 'targets', undef, 'script', 1) called at /usr/local/cpanel/bin/taskrun line 167
	Bin::TaskRun::run('argv', ARRAY(0x1f1a398)) called at /usr/local/cpanel/bin/taskrun line 145
[2014-12-03 06:39:38 +0000] warn [apache_conf_distiller] Unable to determine domain xxx.xxx.xxx.xx ownership. Attempting lookup on domain 171.221.31 (manually added domain). at /usr/local/cpanel/bin/apache_conf_distiller line 1317
	ApacheConfDistiller::run('--update', '--verbose') called at /usr/local/cpanel/bin/apache_conf_distiller line 1936
[2014-12-03 06:39:38 +0000] warn [apache_conf_distiller] Unable to determine domain xxx.xxx.xxx.xx ownership. Setting user to 'nobody'. at /usr/local/cpanel/bin/apache_conf_distiller line 1322
	ApacheConfDistiller::run('--update', '--verbose') called at /usr/local/cpanel/bin/apache_conf_distiller line 1936
[2014-12-03 06:39:40 +0000] die [realadduser] User cpanel already exists
[2014-12-03 06:39:40 +0000] die [realadduser] User ftp already exists
patching file config.sample.inc.php
patching file libraries/common.inc.php
patching file libraries/session.inc.php
patching file index.php
Hunk #1 succeeded at 469 (offset 2 lines).
Hunk #2 succeeded at 500 with fuzz 2 (offset 5 lines).
patching file libraries/server_privileges.lib.php
patching file server_privileges.php
patching file libraries/plugins/auth/AuthenticationHttp.class.php
patching file db_operations.php
Hunk #2 succeeded at 256 (offset 1 line).
patching file libraries/operations.lib.php
patching file config.sample.inc.php
patching file libraries/navigation/NavigationHeader.class.php
patching file libraries/plugins/auth/AuthenticationCpanel.class.php
patching file libraries/operations.lib.php
patching file libraries/plugins/auth/AuthenticationCookie.class.php
patching file libraries/plugins/auth/AuthenticationCpanel.class.php
patching file libraries/DisplayResults.class.php
patching file config.sample.inc.php
patching file libraries/server_privileges.lib.php
patching file import.php
patching file libraries/Menu.class.php
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
Hello :)

You can review the log files in the /var/cpanel/updatelogs directory to see if any packages were updating during the last cPanel update.

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
1,913
259
113
cPanel Access Level
Root Administrator
I'm away from the office for a few days. However I got another one this morning.

Log opened from cPanel Update (upcp) - Slave (27193) at Thu Dec  4 05:12:01 2014
[20141204.051201]   Detected cron=1 (cron mode set from command line)
[20141204.051201]   1% complete
[20141204.051201]   Running Standardized hooks
[20141204.051201]   2% complete
[20141204.051201]   mtime on upcp is 1416318445(Tue Nov 18 13:47:25 2014)

followed by a list longer than both mine and your arms.

Paranoid
 

paraday

Registered
Dec 4, 2014
3
0
1
cPanel Access Level
Root Administrator
I get similar messages quite often, and even looking at the (huge) update logs does not convince me the changes are legitimate.

So if I look into last night's log, which triggered the warning for me, I can only see these related to e.g. crontab:

Retrieving and staging /cpanelsync/11.46.0.19/binaries/linux-c6-i386/bin/jail_safe_crontab.bz2
Set permissions on /usr/local/cpanel/bin/jail_safe_crontab-cpanelsync to 0755

Does this indicate that crontab was updated?
I have hundreds of lines like these in the log, concerning other programs, but I didn't get a checksum fail for those. That's why I'm reluctant to think that this is ok.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
You should also review /var/log/yum.log as cPanelPeter mentioned to see if your system packages were updated.

> Retrieving and staging /cpanelsync/11.46.0.19/binaries/linux-c6-i386/bin/jail_safe_crontab.bz2
> Set permissions on /usr/local/cpanel/bin/jail_safe_crontab-cpanelsync to 0755
>
> Does this indicate that crontab was updated?

It indicates the /usr/local/cpanel/bin/jail_safe_crontab file was retrieved from our update servers.

Thank you.
 

paraday

Registered
Dec 4, 2014
3
0
1
cPanel Access Level
Root Administrator
> You should also review /var/log/yum.log as cPanelPeter mentioned to see if your system packages were updated.
>
> It indicates the /usr/local/cpanel/bin/jail_safe_crontab file was retrieved from our update servers.
>
> Thank you.

Thanks. I forgot to mention that I always look at yum.log but I usually only find some of the updated items there.


So, today I got a new mail about these:
Code:
/usr/bin/certutil: FAILED
/usr/bin/cmsutil: FAILED
/usr/bin/crlutil: FAILED
/usr/bin/modutil: FAILED
/usr/bin/pk12util: FAILED
/usr/bin/signtool: FAILED
/usr/bin/signver: FAILED
/usr/bin/ssltap: FAILED
/bin/passwd: FAILED
And I can only find references to passwd in cpanel's update log.
And these in yum.log:
Code:
Dec 04 23:14:24 Updated: nss-util-3.16.2.3-2.el6_6.i686
Dec 04 23:14:25 Updated: nss-sysinit-3.16.2.3-3.el6_6.i686
Dec 04 23:14:26 Updated: nss-3.16.2.3-3.el6_6.i686
Dec 04 23:14:27 Updated: nss-tools-3.16.2.3-3.el6_6.i686
Is there another way I should be searching with?
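
An added example, not part of the thread and not code from csf/lfd or cPanel: one way to triage an alert like the one above is to ask RPM which package owns each flagged file and check whether yum.log records that package as updated on the date in question. The names `triage`, `stub_owner` and `OWNER_CMD` and the sample files are constructed for illustration; on a real host the lookup is `rpm -qf`, and any file reported as UNEXPLAINED is a candidate for `rpm -V` on its package.

```sh
#!/bin/sh
# Owner lookup via `rpm -qf`; fails when no package owns the file.
# Set OWNER_CMD to another function name to run without rpm.
rpm_owner() {
  o=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null) || return 1
  printf '%s\n' "$o" | head -n 1
}

# Paths from alert lines of the form "/path/to/file: FAILED".
failed_paths() { sed -n 's/^[[:space:]]*\(\/.*\): FAILED[[:space:]]*$/\1/p'; }

# Package names yum.log records as updated/installed on a date ($1, e.g. "Dec 04").
updated_pkgs() {
  awk -v d="$1" 'index($0, d) == 1 &&
      ($4 == "Updated:" || $4 == "Installed:") { print $5 }' |
    sed 's/^[0-9][0-9]*://; s/-[^-]*-[^-]*$//' | sort -u  # drop epoch, ver-rel.arch
}

# triage ALERT YUMLOG DATE -> one "<verdict> <path> <package>" line per file.
triage() (
  updated=$(updated_pkgs "$3" < "$2")
  failed_paths < "$1" | while IFS= read -r path; do
    pkg=$("${OWNER_CMD:-rpm_owner}" "$path" </dev/null) || pkg=
    if [ -z "$pkg" ]; then
      echo "UNEXPLAINED $path (no owning package)"
    elif printf '%s\n' "$updated" | grep -qxF -- "$pkg"; then
      echo "EXPLAINED $path $pkg"
    else
      echo "UNEXPLAINED $path $pkg"   # follow up with: rpm -V "$pkg"
    fi
  done
)

# Constructed stand-in for `rpm -qf`, so the demo runs offline.
stub_owner() { case $1 in /usr/bin/certutil|/usr/bin/ssltap) echo nss-tools ;; *) return 1 ;; esac; }

# Demo on constructed input modelled on the alert and yum.log lines in the thread.
demo() (
  t=$(mktemp -d) || exit 1
  printf '%s\n' '/usr/bin/certutil: FAILED' '/usr/bin/ssltap: FAILED' \
    '/bin/passwd: FAILED' > "$t/alert"
  printf '%s\n' 'Dec 04 23:14:24 Updated: nss-util-3.16.2.3-2.el6_6.i686' \
    'Dec 04 23:14:27 Updated: nss-tools-3.16.2.3-3.el6_6.i686' > "$t/yum.log"
  OWNER_CMD=stub_owner
  triage "$t/alert" "$t/yum.log" 'Dec 04'
  rm -rf "$t"
)
demo
```

yum.log carries no year, so the date argument should match the window since the previous lfd integrity run rather than the whole log.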
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
You may want to consult with a qualified system administrator or security specialist if you are concerned about the security of your server. While it's likely a false positive, there's no way to determine if you have been hacked or not based on the output that you have provided.

Thank you.
 

paraday

Registered
Dec 4, 2014
3
0
1
cPanel Access Level
Root Administrator
> You may want to consult with a qualified system administrator or security specialist if you are concerned about the security of your server. While it's likely a false positive, there's no way to determine if you have been hacked or not based on the output that you have provided.
>
> Thank you.

Will do thanks