The Community Forums


System integrity check ... /usr/bin/cpan

Discussion in 'Security' started by Routes, Aug 11, 2016.

  1. Routes

    Routes Registered

    Hi,

    I just did a completely fresh VPS setup / cPanel install and just got the message from the security integrity check that a file has changed, and it is /usr/bin/cpan ... /bin/cpan

    I downloaded the latest version of cPanel. The file has a change timestamp of about 2 hours after install, same as cpan-mirrors. MD5 is applied.

    Has anybody had this with cPanel already?

    -r-xr-xr-x 1 root root 4288 Aug 11 21:25 cpan-mirrors
    -r-xr-xr-x 1 root root 8019 Aug 11 21:25 cpan

    md5sum cpan
    4eea975e3f226a334735154556434fe1 cpan

    Thanks,
    Routes

    I cannot edit my original post: the file timestamp is pretty much the install timestamp. I forgot that I took a break between setting up the machine and the cPanel install, sorry.
     
    #1 Routes, Aug 11, 2016
    Last edited by a moderator: Aug 11, 2016
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    What's the question exactly? Do you have CSF installed and that's what sent the email out?
     
  3. Routes

    CSF is installed, yes. LFD sent out the message, but I have never had /usr/bin/cpan affected in an install before.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Please let us know the output from the following commands and we can verify if the MD5 checksum you provided matches what's on our mirrors:

    Code:
    arch
    cat /etc/redhat-release
    cat /usr/local/cpanel/version
    Thank you.
     
  5. Routes

    Hi Michael,

    [root@22951 routes]# arch
    x86_64
    [root@22951 routes]# cat /etc/redhat-release
    CentOS Linux release 7.2.1511 (Core)
    [root@22951 routes]# cat /usr/local/cpanel/version
    11.58.0.19

    But the MD5 sum won't match for sure. This is a ticket already... and it's a very long ticket until now...
    The cpan version should be 1.98, and it is when installed, but about 1 hour after a clean install on a completely clean system (CentOS 7) the cpan binary gets updated by some background process which is not 100% identified at the moment. The cpan version then becomes 2.14, not from a package install but from a rebuild of the binary (the RPM is still 1.98).
    The behaviour is reproducible even on a complete rebuild of the box in another container, so malware is 99.99999% impossible.
    The only thing that is done between the clean install of cPanel and the rebuild of the binary is the installation of CSF, which is already finished about 30 minutes BEFORE cpan is rebuilt.
    I will give some information here when the ticket is answered; it is lodged with a specialist team at the moment.

    Thanks,
    Thomas
     
  6. cPanelMichael

    Could you post the ticket number here so we can update this thread with the outcome?

    Thank you.
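
Added example, not part of the thread and not cPanel or CSF code: the situation described above (binary rebuilt while the RPM still says 1.98) is what `rpm -Vf /usr/bin/cpan` makes visible, because it compares the file on disk with what its owning package recorded. The shell function below classifies `rpm -V` output lines; the sample lines and the names `classify_rpm_verify`, `SAMPLE_VERIFY` and `triage_sample` are constructed for illustration.

```shell
#!/bin/sh
# Triage `rpm -V` output for a file flagged by an integrity checker such as LFD.
# The first field of each line is a 9-character flag string, one position per test:
#   S=size  M=mode  5=digest  D=device  L=symlink  U=user  G=group  T=mtime  P=capabilities
# A "." means the test passed, "?" means it could not be run,
# and the literal word "missing" replaces the flags when the file is gone.

classify_rpm_verify() {
    # Reads `rpm -V`-style lines on stdin, prints "<verdict> <path>" for each.
    while read -r flags rest; do
        [ -n "$flags" ] || continue
        # Drop an optional attribute marker (c, d, g, l, r) before the path.
        # Assumption: the path itself contains no spaces.
        path=${rest##* }
        case "$flags" in
            missing) echo "missing $path" ;;            # file removed
            ??5*)    echo "content-changed $path" ;;    # digest differs from the package
            ??\?*)   echo "digest-unreadable $path" ;;  # digest test could not run
            *)       echo "metadata-only $path" ;;      # size/mode/owner/mtime only
        esac
    done
}

# Constructed sample output (not taken from the thread).
SAMPLE_VERIFY='S.5....T.    /usr/bin/cpan
.......T.  c /etc/example.conf
missing     /usr/bin/example-tool'

triage_sample() {
    printf '%s\n' "$SAMPLE_VERIFY" | classify_rpm_verify
}

# On a live host:
#   rpm -qf /usr/bin/cpan                        # which package owns the file
#   rpm -Vf /usr/bin/cpan | classify_rpm_verify  # does it still match that package
```

A `content-changed` verdict alongside an unchanged package version means something other than the package manager rewrote the file, which is the question the support ticket has to answer.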
     