Questions about cPanel Updates and CSF integrity checks.
Hello,
I have a quick question. Last night cPanel got updated and I got the following message from ConfigServer Firewall's LFD program:
The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
/usr/bin/innochecksum: FAILED
/usr/bin/myisamchk: FAILED
/usr/bin/myisam_ftdump: FAILED
/usr/bin/myisamlog: FAILED
/usr/bin/myisampack: FAILED
/usr/bin/my_print_defaults: FAILED
/usr/bin/mysql: FAILED
/usr/bin/mysqladmin: FAILED
/usr/bin/mysqlbinlog: FAILED
/usr/bin/mysqlbug: FAILED
/usr/bin/mysqlcheck: FAILED
/usr/bin/mysql_client_test: FAILED
/usr/bin/mysql_config: FAILED
/usr/bin/mysqldump: FAILED
/usr/bin/mysqlimport: FAILED
/usr/bin/mysql_plugin: FAILED
/usr/bin/mysqlshow: FAILED
/usr/bin/mysqlslap: FAILED
/usr/bin/mysqltest: FAILED
/usr/bin/mysql_tzinfo_to_sql: FAILED
/usr/bin/mysql_upgrade: FAILED
/usr/bin/mysql_waitpid: FAILED
/usr/bin/perror: FAILED
/usr/bin/replace: FAILED
/usr/bin/resolveip: FAILED
/usr/bin/resolve_stack_dump: FAILED
/usr/sbin/mysqld: FAILED
/usr/sbin/mysqld-debug: FAILED
/bin/passwd: FAILED
I get a message similar to this every time cPanel updates. My guess is cPanel is updating these files. If my suspicions are correct, is there a way to see what files cPanel updates so I can make sure some hacker hasn't replaced those files with malicious ones? Thanks!
Hello :) You can review /var/log/yum.log to see which system packages were recently updated. You may also find this document helpful: cPanel & WHM Download Security - cPanel Knowledge Base - cPanel Documentation Thank you.
Hello :) You can review /var/log/yum.log to see which system packages were recently updated. You may also find this document helpful:
I get nothing. When I type:
cat /var/log/yum.log
I can see only 6 packages were either installed or updated last night.
Feb 10 00:59:34 Updated: chkconfig-1.3.49.3-5.el6_7.2.x86_64
Feb 10 00:59:34 Updated: ntsysv-1.3.49.3-5.el6_7.2.x86_64
Feb 10 00:59:35 Updated: tzdata-2016a-2.el6.noarch
Feb 10 12:27:33 Updated: kernel-headers-2.6.32-573.18.1.el6.x86_64
Feb 10 12:27:41 Installed: kernel-devel-2.6.32-573.18.1.el6.x86_64
Feb 10 12:27:43 Updated: initscripts-9.03.49-1.el6.centos.4.x86_64
None of them seem to have anything to do with MySQL55-server-5.5.48-1.cp1148.x86_64. Does this mean someone might have gotten into my server? Also,
rpm -qf /bin/passwd
shows /bin/passwd doesn't belong to any packages...yet /bin/passwd was changed last night. It has me worried. Thanks!
/bin/passwd is a symbolic link to /usr/local/cpanel/bin/jail_safe_passwd. However, rpm -qf /usr/local/cpanel/bin/jail_safe_passwd and yum provides /usr/local/cpanel/bin/jail_safe_passwd show that the file doesn't belong to any packages.
You also have to account for any RPM changes that stem from cPanel updates (e.g. MySQL updates). You can review the cPanel update logs in the following directory: /var/cpanel/updatelogs Thank you.
I see things like this quite frequently, even though I have most updates set for manual, some automatic updates still occur. If you scroll through the CSF email logs, you should see an entry for YUM. If I see any files failing, I usually quickly scroll through the log to find the YUM occurrence. It's always at the same time of day, so if I see YUM has been working I don't worry.
Thank you guys!
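The checks suggested across the replies above (rpm -qf ownership, following the /bin/passwd symlink, /var/log/yum.log and /var/cpanel/updatelogs) combined into one script, as an added example that is not part of the original thread and is not CSF or cPanel code. The sample alert, the function names and the script name are constructed for illustration; it assumes an RPM-based host with GNU readlink.

```shell
#!/bin/sh
# Added example (not from the thread): triage an LFD md5sum alert.
# SAMPLE_ALERT is constructed from three paths quoted in the thread.
SAMPLE_ALERT='The following list of files have FAILED the md5sum comparison test.
/usr/bin/mysql: FAILED
/usr/sbin/mysqld: FAILED
/bin/passwd: FAILED'

# Read alert text on stdin, print only the failed file paths.
failed_paths() {
    sed -n 's|^\(/.*\): FAILED[[:space:]]*$|\1|p'
}

# Resolve symlinks (e.g. /bin/passwd on a cPanel host), then ask RPM which
# package owns the real file. Prints "path -> target | owner".
triage_path() (
    path=$1
    target=$(readlink -f -- "$path" 2>/dev/null) || target=$path
    if ! command -v rpm >/dev/null 2>&1; then
        owner=NO_RPM
    elif ! owner=$(rpm -qf --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' "$target" 2>/dev/null); then
        owner=UNOWNED
    fi
    printf '%s -> %s | %s\n' "$path" "$target" "$owner"
)

# Recent log lines naming a package: yum.log covers OS packages, while
# /var/cpanel/updatelogs covers RPM changes made by cPanel updates (MySQL).
update_evidence() {
    grep -rsF -- "$1" /var/log/yum.log /var/cpanel/updatelogs | tail -n 3
}

# Usage: sh lfd_triage.sh alert.txt   (alert.txt = saved LFD e-mail body)
if [ -r "${1:-}" ]; then
    failed_paths < "$1" | while IFS= read -r p; do
        line=$(triage_path "$p"); echo "$line"
        owner=${line##*| }
        case $owner in
            UNOWNED|NO_RPM) echo "  no RPM owner: check /var/cpanel/updatelogs"; continue ;;
        esac
        # rpm -Vf verifies the owning package's files against the RPM database.
        rpm -Vf "$(readlink -f -- "$p")" || echo "  differs from RPM database"
        update_evidence "$owner"
    done
fi
```

rpm -Vf compares against the local RPM database, which an intruder with root access could also alter, so a clean result corroborates the update logs and does not replace them.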