LFD keeps failing, now I see that /usr/sbin/csf and lfd have been modified
For the last couple of days I've been getting a TON of emails that lfd has failed. I had a cracker upload a backdoor script on 10/7/20 that I thought was fixed, but maybe I was wrong. I'm running WHM / cPanel v.86.0.29 because I'm still using MySQL 5.5, and no one responded on whether there is any risk to updating and I can't really risk losing everything.
Anyway.
I installed ClamAV but never received any reports, so I honestly don't know if it found or fixed anything.
I also ran rkhunter, v. 1.4.2. It didn't find any rootkits, but I did have a few warnings *.
I restarted CSF, and then in /var/log/lfd I see:
Oct 20 19:39:07 [SERVER] lfd[25196]: *System Integrity* has detected modified file(s): /usr/sbin/csf /usr/sbin/lfd
Oct 20 19:40:22 [SERVER] lfd[25389]: Directory Watching terminated after 16 seconds
Oct 20 19:40:22 [SERVER] lfd[25389]: LF_DIRWATCH taking 16 seconds, temporarily throttled to run every 180 seconds
Then looking at /usr/sbin/csf and /usr/sbin/lfd, I see both were modified on 10/19/20, 5:33:06pm EST. Can anyone suggest whether the filesizes are wrong? /csf is 243,240, and /lfd is 390,948.
* rkhunter warnings:
Performing file properties checks
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
/usr/bin/GET [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
Performing group and account checks
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Performing system configuration file checks
Checking if SSH root access is allowed [ Warning ]
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]
The log file said that each of those file properties had been replaced by a script, so I think they're irrelevant. The log also showed no warning for passwd and group, so I don't know what's up with that. And SSH root access is expected, as I do have it allowed. But the filesystem checks, I don't know. Should I be concerned?
[03:16:20] Info: Starting test name 'passwd_changes'
[03:16:21] Checking for passwd file changes [ None found ]
[03:16:21]
[03:16:21] Info: Starting test name 'group_changes'
[03:16:21] Checking for group file changes [ None found ]
[03:16:51] Checking /dev for suspicious file types [ Warning ]
[03:16:52] Warning: Suspicious file types found in /dev:
[03:16:52] /dev/.udev/queue.bin: data
[03:16:52] /dev/.udev/db/block:loop0: ASCII text
[03:16:52] /dev/.udev/db/block:xvda1: ASCII text
[03:16:53] /dev/.udev/db/block:xvda2: ASCII text
[03:16:53] /dev/.udev/db/block:xvda: ASCII text
[03:16:53] /dev/.udev/db/input:event0: ASCII text
[03:16:54] /dev/.udev/db/block:xvdb1: ASCII text
[03:16:54] /dev/.udev/db/block:ram9: ASCII text
[03:16:54] /dev/.udev/db/block:ram7: ASCII text
[03:16:54] /dev/.udev/db/block:ram8: ASCII text
[03:16:55] /dev/.udev/db/block:ram6: ASCII text
[03:16:55] /dev/.udev/db/block:ram5: ASCII text
[03:16:55] /dev/.udev/db/block:ram2: ASCII text
[03:16:56] /dev/.udev/db/block:ram14: ASCII text
[03:16:56] /dev/.udev/db/block:ram15: ASCII text
[03:16:56] /dev/.udev/db/block:ram10: ASCII text
[03:16:56] /dev/.udev/db/block:ram11: ASCII text
[03:16:57] /dev/.udev/db/block:ram4: ASCII text
[03:16:57] /dev/.udev/db/block:ram3: ASCII text
[03:16:57] /dev/.udev/db/block:ram12: ASCII text
[03:16:58] /dev/.udev/db/block:ram13: ASCII text
[03:16:58] /dev/.udev/db/block:ram1: ASCII text
[03:16:58] /dev/.udev/db/block:xvdb: ASCII text
[03:16:59] /dev/.udev/db/block:loop6: ASCII text
[03:16:59] /dev/.udev/db/block:loop7: ASCII text
[03:16:59] /dev/.udev/db/block:loop4: ASCII text
[03:17:00] /dev/.udev/db/block:ram0: ASCII text
[03:17:00] /dev/.udev/db/block:loop3: ASCII text
[03:17:00] /dev/.udev/db/block:loop5: ASCII text
[03:17:00] /dev/.udev/db/block:loop2: ASCII text
[03:17:01] /dev/.udev/db/block:loop1: ASCII text
[03:17:01] /dev/.udev/rules.d/99-root.rules: ASCII text
[03:17:03] Checking for hidden files and directories [ Warning ]
[03:17:03] Warning: Hidden directory found: /dev/.mdadm
[03:17:04] Warning: Hidden directory found: /dev/.udev
[03:17:04] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[03:17:04] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[03:17:05] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[03:17:05] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[03:17:05] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[03:17:05] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
On my server those file sizes are: csf = 237.50k - 19.10.20 @ 22:02:03; lfd = 381.9k - 19.10.20 @ 22:02:03. I'm on CSF version 14.06.
When CSF/LFD is updated you might get those false alerts; however, ConfigServer support would be able to confirm the sizes and md5 hashes to make sure it was not modified. If the server is hacked, though, the recommended and safest option is to reinstall it and start from scratch.
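One defender-side way to act on that advice, as an added example that is not from the post or from ConfigServer's own tooling: record a baseline of size, mtime and SHA-256 for csf and lfd right after a known-good install or an upgrade you ran yourself, then, when lfd raises a System Integrity alert like the one quoted above, re-hash the named files against it. The file paths and the baseline file location are assumptions, and the official hashes for a verdict of "modified" still have to come from the vendor.

```python
import hashlib, json, re
from pathlib import Path

# Matches the lfd alert quoted in the post, e.g. "lfd[25196]: *System Integrity* has detected modified file(s): /usr/sbin/csf /usr/sbin/lfd"
ALERT_RE = re.compile(r"\*System Integrity\* has detected modified file\(s\):\s*(.+)$")

def files_from_alert(line):
    """Return the paths an lfd System Integrity alert names ([] for any other log line)."""
    m = ALERT_RE.search(line)
    return m.group(1).split() if m else []

def fingerprint(path):
    """Size, mtime and SHA-256 of one file: the record to compare with the vendor's copy."""
    p = Path(path)
    st = p.stat()
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}

def record_baseline(paths, baseline_file):
    """Snapshot the files right after a known-good install or an upgrade you ran yourself (assumed paths)."""
    data = {p: fingerprint(p) for p in paths}
    Path(baseline_file).write_text(json.dumps(data, indent=2))
    return data

def check_against_baseline(paths, baseline_file):
    """Compare each path with the baseline. Verdicts:
    unchanged   - same SHA-256
    modified    - content differs: an update or tampering, so confirm the new hash with ConfigServer
    missing     - file no longer exists
    unbaselined - nothing recorded for this path
    """
    baseline = json.loads(Path(baseline_file).read_text())
    verdicts = {}
    for p in paths:
        if p not in baseline:
            verdicts[p] = "unbaselined"
        elif not Path(p).is_file():
            verdicts[p] = "missing"
        elif fingerprint(p)["sha256"] == baseline[p]["sha256"]:
            verdicts[p] = "unchanged"
        else:
            verdicts[p] = "modified"
    return verdicts

def triage_alert(line, baseline_file):
    """Take one lfd log line and return a verdict for every file it flags."""
    return check_against_baseline(files_from_alert(line), baseline_file)
```

A baseline taken after the files were already replaced proves nothing, so it only has value when recorded from a state you trust.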
Hello, have you enabled automatic csf update? In that case it is normal that the software is modified when csf is auto-updated; you'll also get an email from cron. However, if your server is compromised, it's time to take a decision and reinstall it, or you could contact ConfigServer, the authors of csf.
I find it odd that it's flagging anything in /dev/. You might open a ticket where we'd be able to investigate for any compromise.