email CSF: "...If the change is unexpected it should be investigated", how to investigate?
Hello,
we received the messages:
Time: Thu Apr 1 06:00:14 2021 -0500
The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
/usr/bin/ab: FAILED
/usr/bin/ea-php73: FAILED
/usr/bin/ea-php74: FAILED
/usr/bin/ea-php80: FAILED
/usr/bin/htdbm: FAILED
/usr/bin/htdigest: FAILED
/usr/bin/htpasswd: FAILED
/usr/bin/httxt2dbm: FAILED
/usr/bin/logresolve: FAILED
/usr/sbin/fcgistarter: FAILED
/usr/sbin/htcacheclean: FAILED
/usr/sbin/httpd: FAILED
/usr/sbin/rotatelogs: FAILED
/usr/sbin/suexec: FAILED
/bin/ab: FAILED
/bin/ea-php73: FAILED
/bin/ea-php74: FAILED
/bin/ea-php80: FAILED
/bin/htdbm: FAILED
/bin/htdigest: FAILED
/bin/htpasswd: FAILED
/bin/httxt2dbm: FAILED
/bin/logresolve: FAILED
/sbin/fcgistarter: FAILED
/sbin/htcacheclean: FAILED
/sbin/httpd: FAILED
/sbin/rotatelogs: FAILED
/sbin/suexec: FAILED
/usr/local/bin/ea-php73: FAILED
/usr/local/bin/ea-php74: FAILED
/usr/local/bin/ea-php80: FAILED
... Really, around the world, after millions of servers/VPS update/upgrade the OS with cPanel, millions and millions of emails are sent to the sysadmin's email? Yes, we can disable this email in /etc/csf/csf.conf, but the real point is: how do we, as inexpert newbies, investigate? The most dangerous/terrible scenario is: "this update was done by malware", and... how can we detect which command made the update (infection)? How was the malware uploaded to the server? Please, some tricks such as: how can we know if it really is an update? Some command to check/evaluate the MD5 against the OS mirror? . . . Really, I believe a complete page with some instructions is necessary about how we as newbies can investigate this, and then can give some preliminary diagnostic before contracting a professional sysadmin. (sorry for my bad English)
Most such emails are received after the cPanel updates (upcp process). To verify that such an email was received after a cPanel update, check the path /var/cpanel/updatelogs/ and you should see a /var/cpanel/updatelogs/updated.{TIMESTAMP}.log file with a timestamp which you can match with the received email. You may also receive such emails when you manually update some outdated/old packages on your server, if it is not done by the upcp process.
Yes, you'll get these notifications from CSF after a cPanel update, but it doesn't necessarily indicate an issue with the machine.
...you should see
/var/cpanel/updatelogs/updated.{TIMESTAMP}.log
file with timestamp which you can match with the received email.
Thanks master @kodeslogic.

Yes, you'll get these notifications from CSF after a cPanel update, but it doesn't necessarily indicate an issue with the machine.
Many thanks for your time master @cPRex. In any case, if some day an update is done by MALWARE, how can I detect this terrible situation? Only /var/cpanel/updatelogs/updated.{TIMESTAMP}.log? cPanel doesn't release some BASH script or other tool to check the integrity of the system?
While the above suggestions are good, I'd suggest checking /var/log/yum.log. Virtually all these changes are going to be done via yum (via the nightly upcp). Yesterday there was an EA update ( ) which is going to cover a lot of what LFD saw change.
@000 - first you'd want to look over the logs that have been previously mentioned to see if there were updates that happened on the system. If so, that's why there was a change. If not, you could compare the md5sum from a backup or by downloading a copy of the file directly and comparing it from here: Index of /cpanelsync/11.94.0.4
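The replies above boil down to two checks: match the email's timestamp against the update logs (the /var/cpanel/updatelogs and /var/log/yum.log suggestions), and if no update explains it, compare the file's md5sum with a trusted copy from a backup or a download. Here is an added shell example, not from the thread and not a cPanel or CSF tool, that does a first pass at both. Everything it reads is constructed for the demo: the report text, the yum.log lines and the package names in them, and the reference digest. On a real server you would feed it the actual email and /var/log/yum.log, and take the reference md5 from a backup copy or the mirror listing.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass triage of an LFD/CSF
# "FAILED the md5sum comparison test" email. It (1) extracts the flagged
# paths, (2) looks for package changes logged on the report's day in a
# yum.log-style log, and (3) checks one file against a trusted md5 taken
# from a backup or a mirror checksum list. The sample data is constructed
# so the script runs offline.
set -u

# Constructed, abbreviated copy of the LFD email body quoted in the thread.
LFD_REPORT='Time: Thu Apr 1 06:00:14 2021 -0500
The following list of files have FAILED the md5sum comparison test.
/usr/sbin/httpd: FAILED
/usr/bin/htpasswd: FAILED
/usr/local/bin/ea-php80: FAILED'

# Constructed lines in /var/log/yum.log format (package versions are illustrative).
YUM_LOG='Mar 31 23:47:02 Updated: ea-apache24-2.4.46-10.el7.x86_64
Apr 01 05:58:31 Updated: ea-apache24-2.4.46-11.el7.x86_64
Apr 01 05:58:40 Updated: ea-apache24-tools-2.4.46-11.el7.x86_64
Apr 01 05:59:10 Updated: ea-php80-8.0.3-1.el7.x86_64'

# Print just the flagged file paths, one per line.
failed_paths() {
    printf '%s\n' "$1" | sed -n 's|^\(/[^:]*\): FAILED$|\1|p'
}

# Turn the report's "Time: Thu Apr 1 ..." line into "Apr 01" (yum.log's date format).
report_day() {
    printf '%s\n' "$1" |
        sed -n 's/^Time: [A-Za-z]* \([A-Za-z]*\) \([0-9]*\) .*/\1 \2/p' |
        while read -r mon day; do printf '%s %02d\n' "$mon" "$day"; done
}

# List package changes logged on the given "Mon DD". Non-empty output means a
# logged update is the likely cause and the email can be matched to it.
updates_on_day() {
    printf '%s\n' "$1" | grep "^$2 "
}

# Compare a file on disk with a trusted md5 digest (from a backup copy or a
# mirror checksum list). Returns 0 on match, 1 on mismatch.
verify_against_reference() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    if [ "$actual" = "$2" ]; then
        printf 'OK       %s\n' "$1"
        return 0
    fi
    printf 'MISMATCH %s (have %s, expected %s)\n' "$1" "$actual" "$2"
    return 1
}

# Demo run on the constructed data.
day=$(report_day "$LFD_REPORT")
echo "Flagged files:"
failed_paths "$LFD_REPORT"
echo "Package changes logged on $day:"
updates_on_day "$YUM_LOG" "$day" ||
    echo "  none found: the change is unexplained and needs a closer look"
```

If the day's yum.log shows nothing that accounts for the flagged files, the next step is the md5 comparison: copy the file from a backup taken before the email (or download the same version from the mirror the reply links to), run md5sum on that copy, and pass the digest to verify_against_reference for the file on the live server. A mismatch at that point is what the email means by "unexpected", and that is when the thread's advice to bring in a professional applies.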
thanks masters :)