
System Integrity checking detected a modified system file

Comments

8 comments

  • BlueSteam
    So looking at the WHM interface I was faced with this notice: but for some strange reason, there was nothing in my updates summary.log hmmm....server reboot commencing
    0
  • Ahmed Shibani
    Hi, can you check which packages were last updated on the server using `yum history` and then `yum history info ID`, replacing ID with the topmost result from the previous command?
    0
  • Spirogg
    Hello, this morning I was greeted with the following lfd log output check from CSF. So immediately I thought there must have been a cPanel update that executed during the night. So I proceeded to check the /var/cpanel/updatelogs/summary.log file and saw that the last update ran on 1 March 2022, which was 17 days ago. Then I thought maybe it was my AlmaLinux that has auto update enabled, so I logged in to my AlmaLinux web interface for the server and found that auto updates are off. However, AlmaLinux wants to restart a bunch of services as though something did update, and of these services a bunch of them are cPanel services. So why did cPanel do a bunch of changes that have not been logged??? [Screenshot_1.png] So now I am left wondering what the heck is going on. The above lfd log looks like almost the entire server's file integrity has changed somehow. Can someone give me any ideas of why cPanel made changes and didn't log it in the updates summary??

    This is most likely an update. There are nightly updates that happen, like RPM updates and yum updates via cron from cPanel. I just received emails for 2 servers; one was around 1:51 am and the other was at 4 am for the other server. If you're running AlmaLinux the log files are at /var/log/dnf.log and dnf.rpm.log; on CentOS it should be at /var/log/yum.log. Here is a way to check each one that shows FAILED. Example: to check /usr/bin/htpasswd and see what pkg it belongs to, run the command below. You can do this for each one to make sure. Find the file paths that failed in your email/log from LFD. So one of them I have is /usr/bin/htpasswd. I then run the code below:

        [root@server1 ~]# rpm -qf /usr/bin/htpasswd
        ea-apache24-tools-2.4.53-1.1.1.cpanel.x86_64

    So now I know it's in ea-apache24-tools-2.4.53-1.1.1.cpanel.x86_64. So to check when it updated I use this below: grep filename /path/to/log.log

        [root@server1 ~]# grep ea-apache24-tools-2.4.53-1.1.1.cpanel.x86_64 /var/log/dnf.rpm.log
        2022-03-16T17:57:47-0500 SUBDEBUG Upgrade: ea-apache24-tools-2.4.53-1.1.1.cpanel.x86_64
        2022-03-18T01:50:09-0500 SUBDEBUG Upgraded: ea-apache24-tools-2.4.53-1.1.1.cpanel.x86_64

    Another example:

        [root@server1 ~]# rpm -qf /usr/sbin/suphp
        ea-apache24-mod_suphp-0.7.2-30.34.9.cpanel.x86_64

    Then check when it's been updated last:

        [root@server1 ~]# grep ea-apache24-mod_suphp-0.7.2-30.34.9.cpanel.x86_64 /var/log/dnf.rpm.log
        2022-03-16T17:57:53-0500 SUBDEBUG Upgrade: ea-apache24-mod_suphp-0.7.2-30.34.9.cpanel.x86_64
        2022-03-18T01:50:09-0500 SUBDEBUG Upgraded: ea-apache24-mod_suphp-0.7.2-30.34.9.cpanel.x86_64

    You can also use this pkg rpm checker from cPanel; this will check if anything is wrong with any pkgs. I just found this and read a little on it.
    0
  • Spirogg
    Also I forgot to check the md5 checksum. You can run this command for each failed example:

        [root@server1 ~]# md5sum /usr/bin/htpasswd
        e648faf395affeec7ce227d55604df3a  /usr/bin/htpasswd

    Another example:

        [root@server1 ~]# md5sum /usr/sbin/suphp
        b0067b3b2f6f9542fe518f6c12329e2e  /usr/sbin/suphp

    As I mentioned above, maybe @cPRex can tell us where we can double check these to make sure they're the same as cPanel's. Have a great morning. Spiro
    0
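    The triage Spirogg walks through above (rpm -qf to find the owning package, then grep dnf.rpm.log for when that package was upgraded) can be automated so each FAILED path from the LFD alert is labelled at a glance. The script below is an added example, not code from this thread, cPanel or CSF; the function names, the sample log lines and the owner map are constructed from the output quoted above, and rpm_owner() is the only part that needs a real RPM-based host.

    ```python
    import re
    import subprocess
    from datetime import datetime, timedelta

    # Matches completed dnf.rpm.log events in the format quoted in the thread, e.g.
    # 2022-03-18T01:50:09-0500 SUBDEBUG Upgraded: ea-apache24-tools-2.4.53-1.1.1.cpanel.x86_64
    LOG_RE = re.compile(r"^(\S+) SUBDEBUG (Upgraded?|Installed|Reinstalled): (\S+)$")

    def parse_dnf_rpm_log(text):
        """Return {package_nevra: [aware datetime, ...]} of install/upgrade events."""
        events = {}
        for line in text.splitlines():
            m = LOG_RE.match(line.strip())
            if m:
                ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S%z")
                events.setdefault(m.group(3), []).append(ts)
        return events

    def rpm_owner(path):
        """Same question as `rpm -qf path` in the thread; None if no package owns it."""
        r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
        return r.stdout.strip() if r.returncode == 0 else None

    def triage(failed_files, owner_of, events, alert_time, window_hours=24):
        """Label each flagged path: 'package-upgraded' if its owning package was
        upgraded within window_hours before the alert, 'unowned' if rpm knows no
        owner, else 'unexplained' (check it by hand, e.g. MD5 against cPanel's mirror)."""
        cutoff = alert_time - timedelta(hours=window_hours)
        verdicts = {}
        for path in failed_files:
            pkg = owner_of(path)
            if pkg is None:
                verdicts[path] = ("unowned", None)
                continue
            recent = [t for t in events.get(pkg, []) if cutoff <= t <= alert_time]
            if recent:
                verdicts[path] = ("package-upgraded", max(recent).isoformat())
            else:
                verdicts[path] = ("unexplained", pkg)
        return verdicts

    # Constructed sample: the two dnf.rpm.log lines quoted above plus a hypothetical package.
    SAMPLE_LOG = """\
    2022-03-16T17:57:47-0500 SUBDEBUG Upgrade: ea-apache24-tools-2.4.53-1.1.1.cpanel.x86_64
    2022-03-18T01:50:09-0500 SUBDEBUG Upgraded: ea-apache24-tools-2.4.53-1.1.1.cpanel.x86_64
    """
    SAMPLE_OWNERS = {"/usr/bin/htpasswd": "ea-apache24-tools-2.4.53-1.1.1.cpanel.x86_64",
                     "/usr/local/bin/custom": "hypothetical-pkg-1.0-1.x86_64"}
    ```

    On a live host replace the SAMPLE_OWNERS lookup with rpm_owner and read /var/log/dnf.rpm.log (or /var/log/yum.log on CentOS, whose line format differs and would need its own regex).
    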
  • cPRex Jurassic Moderator
    Currently the best way is to manually pull the file from our mirror and compare the MD5. We have some more thoughts on that here:
    0
  • consultant

    I get these periodically.  They are always because of updates.  Which begs the question, if they are going to be false positives 99% of the time, doesn't it just create wasted time for the admin to manually check?

    Maybe cPanel isn't smart enough to detect it was caused by an update, but couldn't it check logs and include a message in the email, "last system update was xx/dd/yyy hh:mm"? So if it was within the last 24 hours the admin can just disregard the notice?

    0
  • cPRex Jurassic Moderator

    consultant - remember, these emails don't come from cPanel, but from a third-party tool.

    0
  • consultant

    Thanks for reminding me it's LFD and not cPanel.  This is pretty common for a lot of security tools.  Always looking for improvement in false detection though, but technically not a cPanel issue.

    0