
Some files failed MD5

Discussion in 'General Discussion' started by keat63, Dec 3, 2014.

  1. keat63

    keat63 Well-Known Member

    Guys. Could anyone offer advice on the message received this morning?

    The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
    Code:
    /usr/bin/prove: FAILED
    /usr/bin/ptar: FAILED
    /usr/bin/ptardiff: FAILED
    /usr/bin/shasum: FAILED
    - - - Updated - - -

    and this ?
    Code:
    Dec  3 07:00:36 leeds lfd[1053]: *System Integrity* has detected modified file(s): /bin/crontab /bin/passwd /etc/init.d/fastmail
    - - - Updated - - -

    and this.
    Code:
    The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
    
    /bin/crontab: FAILED
    /bin/passwd: FAILED
    /etc/init.d/fastmail: FAILED
    - - - Updated - - -

    Maybe the server has done an update?

    Code:
    /var/log/secure:
    Dec  3 06:58:57 leeds atd[990]: pam_unix(atd:session): session opened for user root by (uid=0)
    Dec  3 06:58:57 leeds atd[990]: pam_unix(atd:session): session closed for user root
    
    /usr/local/cpanel/logs/error_log:
    This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
    	 "/usr/local/cpanel/base/frontend/x3/branding/the_beach/heading_sprites_bg_snap_to_smallest_width.png".
    This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
    	 "/usr/local/cpanel/base/frontend/x3/branding/motor_city/ui_sprites_bg_snap_to_smallest_width.png".
    This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
    	 "/usr/local/cpanel/base/frontend/x3/branding/crimson_smoke/heading_sprites_bg_snap_to_smallest_width.png".
    This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
    	 "/usr/local/cpanel/base/frontend/x3mail/branding/the_beach/heading_sprites_bg_snap_to_smallest_width.png".
    This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
    	 "/usr/local/cpanel/base/frontend/x3mail/branding/motor_city/ui_sprites_bg_snap_to_smallest_width.png".
    This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
    	 "/usr/local/cpanel/base/frontend/x3mail/branding/crimson_smoke/heading_sprites_bg_snap_to_smallest_width.png".
    [12/03/2014:06:39:10 -0000] info [cpsrvd] reloading config based on -HUP signal
    [2014-12-03 06:39:21 +0000] warn [taskrun] Failed to open “/usr/local/cpanel/logs/easyapache” for chown(): No such file or directory at /usr/local/cpanel/Cpanel/SafetyBits/Chown.pm line 49
    	Cpanel::SafetyBits::Chown::safe_chown(__CPANEL_HIDDEN__, -1, __CPANEL_HIDDEN__) called at /usr/local/cpanel/install/SecurityCheck.pm line 94
    	Install::SecurityCheck::_secure_files() called at /usr/local/cpanel/install/SecurityCheck.pm line 208
    	Install::SecurityCheck::perform(Install::SecurityCheck=HASH(0x33062f8)) called at /usr/local/cpanel/bin/taskrun line 318
    	eval {...} called at /usr/local/cpanel/bin/taskrun line 318
    	Bin::TaskRun::perform(Install::SecurityCheck=HASH(0x33062f8)) called at /usr/local/cpanel/bin/taskrun line 335
    	Bin::TaskRun::perform_task(Install::SecurityCheck=HASH(0x33062f8), HASH(0x23384f8), undef) called at /usr/local/cpanel/bin/taskrun line 378
    	Bin::TaskRun::verify_and_perform_task(Install::SecurityCheck=HASH(0x33062f8), Cpanel::CPAN::Algorithm::Dependency::Ordered=HASH(0x4f23a70), HASH(0x23384f8), undef) called at /usr/local/cpanel/bin/taskrun line 552
    	Bin::TaskRun::_main('Bin::TaskRun', undef, 'no_deps', undef, 'pbar-stop', 90, 'pbar-start', 80, 'debug', undef, 'dry', undef, 'log_file', '/var/cpanel/updatelogs/update.1417583521.log', 'force', undef, 'targets', undef, 'script', 1) called at /usr/local/cpanel/bin/taskrun line 167
    	Bin::TaskRun::run('argv', ARRAY(0x1f1a398)) called at /usr/local/cpanel/bin/taskrun line 145
    [2014-12-03 06:39:38 +0000] warn [apache_conf_distiller] Unable to determine domain xxx.xxx.xxx.xx ownership. Attempting lookup on domain 171.221.31 (manually added domain). at /usr/local/cpanel/bin/apache_conf_distiller line 1317
    	ApacheConfDistiller::run('--update', '--verbose') called at /usr/local/cpanel/bin/apache_conf_distiller line 1936
    [2014-12-03 06:39:38 +0000] warn [apache_conf_distiller] Unable to determine domain xxx.xxx.xxx.xx ownership. Setting user to 'nobody'. at /usr/local/cpanel/bin/apache_conf_distiller line 1322
    	ApacheConfDistiller::run('--update', '--verbose') called at /usr/local/cpanel/bin/apache_conf_distiller line 1936
    [2014-12-03 06:39:40 +0000] die [realadduser] User cpanel already exists
    [2014-12-03 06:39:40 +0000] die [realadduser] User ftp already exists
    patching file config.sample.inc.php
    patching file libraries/common.inc.php
    patching file libraries/session.inc.php
    patching file index.php
    Hunk #1 succeeded at 469 (offset 2 lines).
    Hunk #2 succeeded at 500 with fuzz 2 (offset 5 lines).
    patching file libraries/server_privileges.lib.php
    patching file server_privileges.php
    patching file libraries/plugins/auth/AuthenticationHttp.class.php
    patching file db_operations.php
    Hunk #2 succeeded at 256 (offset 1 line).
    patching file libraries/operations.lib.php
    patching file config.sample.inc.php
    patching file libraries/navigation/NavigationHeader.class.php
    patching file libraries/plugins/auth/AuthenticationCpanel.class.php
    patching file libraries/operations.lib.php
    patching file libraries/plugins/auth/AuthenticationCookie.class.php
    patching file libraries/plugins/auth/AuthenticationCpanel.class.php
    patching file libraries/DisplayResults.class.php
    patching file config.sample.inc.php
    patching file libraries/server_privileges.lib.php
    patching file import.php
    patching file libraries/Menu.class.php
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You can review the log files in the /var/cpanel/updatelogs directory to see if any packages were updating during the last cPanel update.

    Thank you.
     
  3. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Hello,

    You may also want to check the /var/log/yum.log file for updates to those packages.
     
  4. keat63

    keat63 Well-Known Member

    I'm away from the office for a few days. However, I got another one this morning.

    Log opened from cPanel Update (upcp) - Slave (27193) at Thu Dec  4 05:12:01 2014
    [20141204.051201]   Detected cron=1 (cron mode set from command line)
    [20141204.051201]   1% complete
    [20141204.051201]   Running Standardized hooks
    [20141204.051201]   2% complete
    [20141204.051201]   mtime on upcp is 1416318445(Tue Nov 18 13:47:25 2014)

    followed by a list longer than both mine and your arms.

    Paranoid
     
  5. paraday

    paraday Registered

    I get similar messages quite often, and even looking at the (huge) update logs does not convince me the changes are legitimate.

    So if I look into last night's log, which triggered the warning for me, I can only see these related to e.g. crontab:

    Retrieving and staging /cpanelsync/11.46.0.19/binaries/linux-c6-i386/bin/jail_safe_crontab.bz2
    Set permissions on /usr/local/cpanel/bin/jail_safe_crontab-cpanelsync to 0755

    Does this indicate that crontab was updated?
    I have hundreds of lines like these in the log, concerning other programs, but I didn't get a checksum fail for those. That's why I'm reluctant to think that this is ok.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You should also review /var/log/yum.log as cPanelPeter mentioned to see if your system packages were updated.

    It indicates the /usr/local/cpanel/bin/jail_safe_crontab file was retrieved from our update servers.

    Thank you.
     
  7. paraday

    paraday Registered

    Thanks. I forgot to mention that I always look at yum.log but I usually only find some of the updated items there.


    So, today I got a new mail about these:
    Code:
    /usr/bin/certutil: FAILED
    /usr/bin/cmsutil: FAILED
    /usr/bin/crlutil: FAILED
    /usr/bin/modutil: FAILED
    /usr/bin/pk12util: FAILED
    /usr/bin/signtool: FAILED
    /usr/bin/signver: FAILED
    /usr/bin/ssltap: FAILED
    /bin/passwd: FAILED
    And I can only find references to passwd in cpanel's update log.
    And these in yum.log:
    Code:
    Dec 04 23:14:24 Updated: nss-util-3.16.2.3-2.el6_6.i686
    Dec 04 23:14:25 Updated: nss-sysinit-3.16.2.3-3.el6_6.i686
    Dec 04 23:14:26 Updated: nss-3.16.2.3-3.el6_6.i686
    Dec 04 23:14:27 Updated: nss-tools-3.16.2.3-3.el6_6.i686
    Is there another way I should be searching with?
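
An added example, not part of any post in this thread and not cPanel or lfd code: one way to tie each FAILED path to the package that owns it and to check whether yum.log records an update of that package. The names `owner_of`, `triage`, `demo` and `OWNER_MAP` are hypothetical, and the alert, yum.log lines and ownership table inside `demo` are constructed sample data.

```sh
#!/bin/sh
# Added example: match lfd "FAILED" paths against package updates in yum.log.

# owner_of PATH: print the name of the package that owns PATH.
# OWNER_MAP (an assumption of this sketch) is an optional "path package"
# file for offline use; without it the local RPM database is queried.
owner_of() {
    if [ -n "${OWNER_MAP:-}" ]; then
        awk -v p="$1" '$1 == p { print $2; hit = 1 } END { exit !hit }' "$OWNER_MAP"
    else
        rpm -qf --queryformat '%{NAME}\n' "$1" 2>/dev/null
    fi
}

# triage ALERT YUMLOG: classify every "<path>: FAILED" line in ALERT.
#   EXPLAINED   <path> <pkg>  yum.log records an update/install of <pkg>
#   UNEXPLAINED <path> <pkg>  file is packaged, but yum.log has no entry
#   UNOWNED     <path>        no package claims the file
triage() {
    sed -n 's|^[[:space:]]*\(/[^:]*\): FAILED.*$|\1|p' "$1" |
    while read -r path; do
        if ! pkg=$(owner_of "$path") || [ -z "$pkg" ]; then
            echo "UNOWNED $path"
        elif grep -Eq "(Updated|Installed): ([0-9]+:)?${pkg}-[0-9]" "$2"; then
            echo "EXPLAINED $path $pkg"
        else
            echo "UNEXPLAINED $path $pkg"
        fi
    done
}

# demo: run triage on constructed sample data and print the result.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '/usr/bin/certutil: FAILED' '/bin/passwd: FAILED' \
        '/opt/example/tool: FAILED' > "$dir/alert"
    printf '%s\n' 'Dec 04 23:14:26 Updated: nss-3.16.2.3-3.el6_6.i686' \
        'Dec 04 23:14:27 Updated: nss-tools-3.16.2.3-3.el6_6.i686' > "$dir/yum.log"
    # Constructed ownership table; on a live host rpm -qf supplies this.
    printf '%s\n' '/usr/bin/certutil nss-tools' '/bin/passwd passwd' > "$dir/map"
    ( OWNER_MAP="$dir/map"; triage "$dir/alert" "$dir/yum.log" )
    rm -rf "$dir"
}

demo
```

A yum.log entry only shows that the owning package changed; `rpm -V <package>` then compares the files on disk with the RPM database. UNEXPLAINED and UNOWNED paths are the ones left to trace through /var/cpanel/updatelogs.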
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You may want to consult with a qualified system administrator or security specialist if you are concerned about the security of your server. While it's likely a false positive, there's no way to determine if you have been hacked or not based on the output that you have provided.

    Thank you.
     
  9. paraday

    paraday Registered

    Will do thanks
     