FAILED the md5sum comparison test - how to know when updates occur?
I am receiving pretty regular warnings from LFD/CSF that files fail integrity checks, sometimes after LFD has blocked IPs from foreign countries.
How does an admin tell when an update occurs in cPanel/WHM so we can know if this warning is indeed related to an update?
Hi,
You can check the cPanel update logs for more details.
/var/cpanel/updatelogs
This directory contains the system's update log files.
Thank you. Given that I have the following critical messages, how does one verify if the listed failed md5sum files have been updated or modified by an update?
The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated
Note that passwd has failed, a pretty critical file. If I search the most recent update log file for any of these listed files, none of them show up with grep:
/usr/bin/cpapi1: FAILED
/usr/bin/cpapi2: FAILED
/usr/bin/cpapi3: FAILED
/usr/bin/doveadm: FAILED
/usr/bin/doveconf: FAILED
/usr/bin/dsync: FAILED
/usr/bin/uapi: FAILED
/usr/sbin/dovecot: FAILED
/usr/sbin/whmapi0: FAILED
/usr/sbin/whmapi1: FAILED
/bin/cpapi1: FAILED
/bin/cpapi2: FAILED
/bin/cpapi3: FAILED
/bin/doveadm: FAILED
/bin/doveconf: FAILED
/bin/dsync: FAILED
/bin/uapi: FAILED
/sbin/dovecot: FAILED
/sbin/whmapi0: FAILED
/sbin/whmapi1: FAILED
/usr/local/bin/crontab: FAILED
/usr/local/bin/passwd: FAILED
Hello @jeffschips,
You can manually download the files from our update servers and verify the md5sum. There's an example of how to do this on the following post: You may also find this document informative: Thank you.
So all of the above files listed as not passing tests have their doppelgangers at Index of /cpanelsync/11.72.0.5/binaries/linux-c7-x86_64
Note that some of the files are included as part of archives, so you'd need to download them to a test directory and extract them if you want to manually compare the md5 checksums.
If //usr/local/cpanel/bin/jail_safe_passwd file (/bin/passwd is just a link to this file) is only a link could the link have changed to point somewhere else?
It's possible. You can verify that with a command like this:
    ls -al /bin/passwd
Here's how it should look:
    # ls -al /bin/passwd
    lrwxrwxrwx 1 root root 38 May 30 15:23 /bin/passwd -> /usr/local/cpanel/bin/jail_safe_passwd
I can also confirm this file was modified upon the update to version 72.0.3 by searching at the cPanel update logs:
    /var/cpanel/updatelogs/update.1528826671.log:[2018-06-12 18:06:50 +0000] Retrieving and staging /cpanelsync/11.72.0.3/binaries/linux-c6-x86_64/bin/jail_safe_passwd.xz
    /var/cpanel/updatelogs/update.1528826671.log:[2018-06-12 18:06:50 +0000] Set permissions on /usr/local/cpanel/bin/jail_safe_passwd-cpanelsync to 0755
Thank you.
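The two checks from the reply above (resolve the symlink, then search the update logs), combined into one triage script. This is an added example, not part of the thread and not cPanel or CSF code: the function names are hypothetical, the sandbox paths and log line in `demo` are constructed, and it assumes the updater logs the resolved path the way the excerpt quoted above does.

```shell
#!/usr/bin/env bash
# Added example, not cPanel or CSF code. Triage only: a log hit shows the
# updater touched the path, it does not prove the file content is genuine.
LOG_DIR="${LOG_DIR:-/var/cpanel/updatelogs}"   # directory named in the thread

# Read an LFD alert on stdin and print each path that is marked FAILED.
failed_paths() {
    grep -oE '/[^[:space:]:]+: FAILED' | sed 's/: FAILED$//'
}

# Resolve symlinks first, then search the update logs for the resolved path.
# Searching only for the alerted path misses files such as /bin/passwd,
# whose update is logged under the symlink target.
check_path() {
    local path="$1" target hit
    target=$(readlink -f -- "$path" 2>/dev/null) || target=""
    [ -n "$target" ] || target="$path"
    hit=$(grep -rlF -- "$target" "$LOG_DIR" 2>/dev/null | sort | tail -n 1)
    if [ -n "$hit" ]; then
        echo "LOGGED $path -> $target ($(basename -- "$hit"))"
    else
        echo "NOT-IN-LOGS $path -> $target"
    fi
}

# Classify every FAILED path in the alert supplied on stdin.
triage() {
    failed_paths | while IFS= read -r p; do check_path "$p"; done
}

# Constructed sandbox: one symlinked binary the fake log mentions, one it does not.
demo() {
    local root
    root=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$root/bin" "$root/cpanel/bin" "$root/logs"
    touch "$root/cpanel/bin/jail_safe_passwd" "$root/bin/rsyslogd"
    ln -s "$root/cpanel/bin/jail_safe_passwd" "$root/bin/passwd"
    echo "[2018-06-12 18:06:50 +0000] Set permissions on $root/cpanel/bin/jail_safe_passwd-cpanelsync to 0755" \
        > "$root/logs/update.1528826671.log"
    printf '%s: FAILED\n' "$root/bin/passwd" "$root/bin/rsyslogd" | LOG_DIR="$root/logs" triage
    rm -rf "$root"
}

# Runs the constructed demo; on a server, replace this call with: triage < alert.txt
demo
```

A LOGGED result only shows that an update touched that path; comparing the md5sum against the copy on the update servers, as described earlier in the thread, remains the confirmation step.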
I am wondering why there is not a script that can do this for us yet. I find it quite stressful to receive these warnings a few times per week. I ALWAYS wonder if it was the update that REALLY modified the file, or if it was made by ANOTHER process that took the "update window" opportunity to hack my system. Why can't the work done on the suggested reply by the cPanel staff above be made by a script?
Bumping this, same issue and same concern here.
[QUOTE]Why can't the work done on the suggested reply by the cpanel staff above, be made by a script?
Or at least, why can't the system check this and ONLY send an alert if it wasn't panel that made those changes during update. The point of a management panel is to reduce management work so we can focus on business growth (literally why current panel clients are here even after the price hike).
Yes I agree, same issue today. Now I find myself troubleshooting something I shouldn't have to. My alert today looks like the following:
[QUOTE] The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
/usr/bin/cpupower: FAILED
/usr/sbin/rsyslogd: FAILED
/bin/cpupower: FAILED
/sbin/rsyslogd: FAILED
Thanks
Does anyone have an efficient solution to this? I got a fairly long list of FAILED files for a recently-set up server, and I cannot imagine trying to manually figure out what is legit and what is not file-by-file. Is this a cPanel issue or a CSF issue? I never got a warning on my old server in 4 years... Thinking something is configured differently on this new server that I either need to turn off or resolve. Any guidance is helpful.