CSF error

[Tom-]

This isn't really the forum for it, but I'm getting no reply on the CSF forums. Someone here might know what to do

I'm running Directadmin on a CentOS VPS with csf installed. Every now and then I'll receive an email where csf has detected a modified system file. Up until now, that only occured when one of my packages updated itself, which makes sense to me.
Today*, I received a mail while no update was run that I'm aware of, so that has me a bit concerned. Here's the files in todays email that failed the integrity check:

/usr/sbin/exim_dbmbuild: FAILED
/usr/sbin/exim_dumpdb: FAILED
/usr/sbin/exim_fixdb: FAILED
/usr/sbin/exim_lock: FAILED
/usr/sbin/exim_tidydb: FAILED

I have made a few changes to my server a few days ago, including activating sa-learn and updating exim itself, but I dont know if any of those changes could be related to this. I'm hoping they are, but if someone could point me in the right direction on how to make sure these listed files weren't tampered with, I'd be most grateful.

*(I copied my post from the CSF forum, its actually been 4 days by now)

 

[ViAdCk]

Yes, If you have updated exim that's the reason you get this alert. You can check the content of these files just in case, but I'm 99,9% sure it's related to the exim update.

 

[Richard G]

That is correct.
CSF is detecting a change so it will give notice that it fails the integrity check because it changed. This can also happen with other things like Apache and MySQL for example.
As long as you change it, for example by doing an exim (or other daemon or OS) update, you can safely ignore this notice.

 

[zEitEr]

Hello Tom,

Just a notice to add:

1. check time of modification with ls -la:

ls -la [COLOR=#333333]/usr/sbin/exim_*

is time the same as when you updated/reinstalled the binaries?

2. restart lfd

service lfd restart

every time when you update software with custombuild and rpm/apt-get, it will drop an alert on modified files at the moment of restart. But you won't be puzzled later on the matter.[/COLOR]