Symptoms
When CSF/LFD is installed on a server, it will send an email saying something similar to the following.
The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
Please note that cPanel doesn't develop or provide support for CSF/LFD. ConfigServer, the vendor for CSF/LFD, is responsible for errors and user-experience issues with their software.
Description
CSF/LFD sends the emails when it checks the md5sum of the installed packages and finds that they have been changed from what it thinks they should be. This message will most often coincide with software updates that run on the server automatically. This generally means that the server changed or updated the packages, and the email may be ignored.
Workaround
CSF watches checksums for many files on the system that are both controlled directly by RPM packages and those that aren't. For files that are controlled by packages, you can verify if the package recently received an update by checking the package manager logs:
- Access the server's command line as the 'root' user via SSH or "Terminal" in WHM.
- Check the package manager log for the modified package.
- RHEL 7-based servers
grep $packagename /var/log/yum.log
- RHEL 8/9-based servers
grep $packagename /var/log/dnf.log
- Ubuntu
grep $packagename /var/log/apt/history.log
- RHEL 7-based servers
- If the package is not found in the log, you may need to reach out to your security department to see how the files were modified.
Comments
0 comments
Article is closed for comments.