Some files failed MD5
Guys. Could anyone offer advice on the message received this morning?
The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
/usr/bin/prove: FAILED
/usr/bin/ptar: FAILED
/usr/bin/ptardiff: FAILED
/usr/bin/shasum: FAILED
and this?
Dec 3 07:00:36 leeds lfd[1053]: *System Integrity* has detected modified file(s): /bin/crontab /bin/passwd /etc/init.d/fastmail
and this.
The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
/bin/crontab: FAILED
/bin/passwd: FAILED
/etc/init.d/fastmail: FAILED
Maybe the server has done an update ??
/var/log/secure:
Dec 3 06:58:57 leeds atd[990]: pam_unix(atd:session): session opened for user root by (uid=0)
Dec 3 06:58:57 leeds atd[990]: pam_unix(atd:session): session closed for user root
/usr/local/cpanel/logs/error_log:
This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
"/usr/local/cpanel/base/frontend/x3/branding/the_beach/heading_sprites_bg_snap_to_smallest_width.png".
This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
"/usr/local/cpanel/base/frontend/x3/branding/motor_city/ui_sprites_bg_snap_to_smallest_width.png".
This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
"/usr/local/cpanel/base/frontend/x3/branding/crimson_smoke/heading_sprites_bg_snap_to_smallest_width.png".
This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
"/usr/local/cpanel/base/frontend/x3mail/branding/the_beach/heading_sprites_bg_snap_to_smallest_width.png".
This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
"/usr/local/cpanel/base/frontend/x3mail/branding/motor_city/ui_sprites_bg_snap_to_smallest_width.png".
This is exceeding 8192 pixels and color palette issue may be expected when its associated sprite file is used:
"/usr/local/cpanel/base/frontend/x3mail/branding/crimson_smoke/heading_sprites_bg_snap_to_smallest_width.png".
[12/03/2014:06:39:10 -0000] info [cpsrvd] reloading config based on -HUP signal
[2014-12-03 06:39:21 +0000] warn [taskrun] Failed to open "/usr/local/cpanel/logs/easyapache"" for chown(): No such file or directory at /usr/local/cpanel/Cpanel/SafetyBits/Chown.pm line 49
Cpanel::SafetyBits::Chown::safe_chown(__CPANEL_HIDDEN__, -1, __CPANEL_HIDDEN__) called at /usr/local/cpanel/install/SecurityCheck.pm line 94
Install::SecurityCheck::_secure_files() called at /usr/local/cpanel/install/SecurityCheck.pm line 208
Install::SecurityCheck::perform(Install::SecurityCheck=HASH(0x33062f8)) called at /usr/local/cpanel/bin/taskrun line 318
eval {...} called at /usr/local/cpanel/bin/taskrun line 318
Bin::TaskRun::perform(Install::SecurityCheck=HASH(0x33062f8)) called at /usr/local/cpanel/bin/taskrun line 335
Bin::TaskRun::perform_task(Install::SecurityCheck=HASH(0x33062f8), HASH(0x23384f8), undef) called at /usr/local/cpanel/bin/taskrun line 378
Bin::TaskRun::verify_and_perform_task(Install::SecurityCheck=HASH(0x33062f8), Cpanel::CPAN::Algorithm::Dependency::Ordered=HASH(0x4f23a70), HASH(0x23384f8), undef) called at /usr/local/cpanel/bin/taskrun line 552
Bin::TaskRun::_main('Bin::TaskRun', undef, 'no_deps', undef, 'pbar-stop', 90, 'pbar-start', 80, 'debug', undef, 'dry', undef, 'log_file', '/var/cpanel/updatelogs/update.1417583521.log', 'force', undef, 'targets', undef, 'script', 1) called at /usr/local/cpanel/bin/taskrun line 167
Bin::TaskRun::run('argv', ARRAY(0x1f1a398)) called at /usr/local/cpanel/bin/taskrun line 145
[2014-12-03 06:39:38 +0000] warn [apache_conf_distiller] Unable to determine domain xxx.xxx.xxx.xx ownership. Attempting lookup on domain 171.221.31 (manually added domain). at /usr/local/cpanel/bin/apache_conf_distiller line 1317
ApacheConfDistiller::run('--update', '--verbose') called at /usr/local/cpanel/bin/apache_conf_distiller line 1936
[2014-12-03 06:39:38 +0000] warn [apache_conf_distiller] Unable to determine domain xxx.xxx.xxx.xx ownership. Setting user to 'nobody'. at /usr/local/cpanel/bin/apache_conf_distiller line 1322
ApacheConfDistiller::run('--update', '--verbose') called at /usr/local/cpanel/bin/apache_conf_distiller line 1936
[2014-12-03 06:39:40 +0000] die [realadduser] User cpanel already exists
[2014-12-03 06:39:40 +0000] die [realadduser] User ftp already exists
patching file config.sample.inc.php
patching file libraries/common.inc.php
patching file libraries/session.inc.php
patching file index.php
Hunk #1 succeeded at 469 (offset 2 lines).
Hunk #2 succeeded at 500 with fuzz 2 (offset 5 lines).
patching file libraries/server_privileges.lib.php
patching file server_privileges.php
patching file libraries/plugins/auth/AuthenticationHttp.class.php
patching file db_operations.php
Hunk #2 succeeded at 256 (offset 1 line).
patching file libraries/operations.lib.php
patching file config.sample.inc.php
patching file libraries/navigation/NavigationHeader.class.php
patching file libraries/plugins/auth/AuthenticationCpanel.class.php
patching file libraries/operations.lib.php
patching file libraries/plugins/auth/AuthenticationCookie.class.php
patching file libraries/plugins/auth/AuthenticationCpanel.class.php
patching file libraries/DisplayResults.class.php
patching file config.sample.inc.php
patching file libraries/server_privileges.lib.php
patching file import.php
patching file libraries/Menu.class.php
Hello :) You can review the log files in the /var/cpanel/updatelogs directory to see if any packages were updating during the last cPanel update. Thank you.
Hello, You may also want to check the /var/log/yum.log file for updates to those packages.
I'm away from the office for a few days. However I got another one this morning.
Log opened from cPanel Update (upcp) - Slave (27193) at Thu Dec 4 05:12:01 2014
[20141204.051201] Detected cron=1 (cron mode set from command line)
[20141204.051201] 1% complete
[20141204.051201] Running Standardized hooks
[20141204.051201] 2% complete
[20141204.051201] mtime on upcp is 1416318445(Tue Nov 18 13:47:25 2014)
followed by a list longer than both mine and your arms. Paranoid
I get similar messages quite often, and even looking at the (huge) update logs does not convince me the changes are legitimate. So if I look into last night's log, which triggered the warning for me, I can only see these related to e.g. crontab:
Retrieving and staging /cpanelsync/11.46.0.19/binaries/linux-c6-i386/bin/jail_safe_crontab.bz2
Set permissions on /usr/local/cpanel/bin/jail_safe_crontab-cpanelsync to 0755
Does this indicate that crontab was updated? I have hundreds of lines like these in the log, concerning other programs, but I didn't get a checksum fail for those. That's why I'm reluctant to think that this is ok.
You should also review /var/log/yum.log as cPanelPeter mentioned to see if your system packages were updated.
Retrieving and staging /cpanelsync/11.46.0.19/binaries/linux-c6-i386/bin/jail_safe_crontab.bz2
Set permissions on /usr/local/cpanel/bin/jail_safe_crontab-cpanelsync to 0755
Does this indicate that crontab was updated?
It indicates the /usr/local/cpanel/bin/jail_safe_crontab file was retrieved from our update servers. Thank you.
Thanks. I forgot to mention that I always look at yum.log but I usually only find some of the updated items there. So, today I got a new mail about these:
/usr/bin/certutil: FAILED
/usr/bin/cmsutil: FAILED
/usr/bin/crlutil: FAILED
/usr/bin/modutil: FAILED
/usr/bin/pk12util: FAILED
/usr/bin/signtool: FAILED
/usr/bin/signver: FAILED
/usr/bin/ssltap: FAILED
/bin/passwd: FAILED
And I can only find references to passwd in cpanel's update log. And these in yum.log:
Dec 04 23:14:24 Updated: nss-util-3.16.2.3-2.el6_6.i686
Dec 04 23:14:25 Updated: nss-sysinit-3.16.2.3-3.el6_6.i686
Dec 04 23:14:26 Updated: nss-3.16.2.3-3.el6_6.i686
Dec 04 23:14:27 Updated: nss-tools-3.16.2.3-3.el6_6.i686
Is there another way I should be searching with?
You may want to consult with a qualified system administrator or security specialist if you are concerned about the security of your server. While it's likely a false positive, there's no way to determine if you have been hacked or not based on the output that you have provided. Thank you.
Will do thanks
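Added example, not part of the original thread and not cPanel or lfd code: a small triage script that maps each FAILED path from the last alert to its owning package and checks whether the yum.log excerpt records an update of that package. The alert and log lines are the ones posted above; the file-to-package map is a constructed assumption standing in for what `rpm -qf <path>` would report on the server.

```python
import re

# Alert body and yum.log excerpt as posted in the thread above.
ALERT = """/usr/bin/certutil: FAILED
/usr/bin/cmsutil: FAILED
/usr/bin/crlutil: FAILED
/usr/bin/modutil: FAILED
/usr/bin/pk12util: FAILED
/usr/bin/signtool: FAILED
/usr/bin/signver: FAILED
/usr/bin/ssltap: FAILED
/bin/passwd: FAILED"""
YUM_LOG = """Dec 04 23:14:24 Updated: nss-util-3.16.2.3-2.el6_6.i686
Dec 04 23:14:25 Updated: nss-sysinit-3.16.2.3-3.el6_6.i686
Dec 04 23:14:26 Updated: nss-3.16.2.3-3.el6_6.i686
Dec 04 23:14:27 Updated: nss-tools-3.16.2.3-3.el6_6.i686"""
# Constructed file -> package map (assumption); on the host, `rpm -qf <path>` gives it.
OWNERS = {p: "nss-tools" for p in ALERT.replace(": FAILED", "").split()[:8]}
OWNERS["/bin/passwd"] = "passwd"

FAILED_RE = re.compile(r"^(/\S+): FAILED$")
YUM_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (Installed|Updated): (\S+)$")

def failed_paths(alert):
    """Paths the integrity check flagged."""
    return [m.group(1) for l in alert.splitlines() if (m := FAILED_RE.match(l.strip()))]

def package_name(nvra):
    """name-version-release.arch -> name (drops an epoch prefix such as '1:')."""
    return nvra.split(":", 1)[-1].rsplit("-", 2)[0]

def yum_changes(log):
    """Map package name -> (timestamp, action) for the latest yum.log entry."""
    changes = {}
    for line in log.splitlines():
        if (m := YUM_RE.match(line.strip())):
            changes[package_name(m.group(3))] = (m.group(1), m.group(2).lower())
    return changes

def triage(alert, log, owners):
    """Label each flagged path as explained, unexplained or unowned."""
    changes, report = yum_changes(log), {}
    for path in failed_paths(alert):
        pkg = owners.get(path)
        if pkg is None:
            report[path] = "unowned: no package claims this file"
        elif pkg in changes:
            report[path] = "explained: %s %s %s" % (pkg, changes[pkg][1], changes[pkg][0])
        else:
            report[path] = "unexplained: %s not in yum.log, run rpm -V %s" % (pkg, pkg)
    return report

if __name__ == "__main__":
    for path, verdict in triage(ALERT, YUM_LOG, OWNERS).items():
        print(path, "->", verdict)
```

An "explained" verdict only says yum recorded an update of the owning package. Paths that come back unexplained or unowned (a locally installed init script would be unowned) are the ones left to check against the cPanel update logs or by hand.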