Lfd Integrity Check; should I be worried?

Maikel

Hello to all,

Today I received the message written below. There were no recent updates that I know of, and everything else was up to date (CustomBuild and yum update). ClamAV didn't find anything suspicious about these files and I'm quite confident that my server is secure. So now I'm wondering whether it's normal that these files have changed without me knowing about it, as I'm not that experienced in system administration.

Google didn't yield any specific results, so do you guys think this could be part of an exploit or something?

Thanks,

Maikel

--
The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/bin/filan: FAILED
/usr/bin/procan: FAILED
/usr/bin/socat: FAILED
/etc/init.d/functions: FAILED
 
It's absolutely normal; lfd is just telling you that the files have changed. You, or some other server admin, must have run yum update on the server; those packages were then changed, and you get this warning.

For example, a new update to initscripts was just released, https://rhn.redhat.com/errata/RHBA-2014-0190.html, and that would be the "/etc/init.d/functions: FAILED", after you did "yum update" on the server and upgraded that package.

Don't worry, be happy. :)
 
Thank you for your reply.

I understand what this message means, and the file indeed shows a recent "changed time" (although this property can be changed, so a secure hash is better to rely on). The point, however, is that I am the only admin and I haven't performed "yum update" in a few days, while the lfd interval is a few minutes, I believe. I also haven't set a cron for updates.

The link you provided explains a lot, but now I'm left with the question how this file could have been updated. Is there an update mechanism that I'm not aware of? Only other explanation would be that my VPS host did this, which seems unlikely to me.
 
I think it is possible to set CentOS/yum to automatically upgrade when there are new updates available in yum; however, I have not done that myself and I am not sure how. Maybe if it was not you that installed CentOS the first time, those people made the setting so that yum would upgrade automatically? That's the only thing I can think of.
 
Yes, it is certainly possible to update automatically, but I didn't set anything and I installed a minimal bare CentOS template, even without DA.

Haven't noticed an automatic update before and yum always finds a steady list of updates when I perform it manually.

SSH login is restricted to my IP and I get an e-mail when there is an SSH login, so if my host did it, it probably would have been directly to disk. I'll ask them.
 
Maybe you can compare these files with the same ones on another box to see what the differences are.
 
Yes good idea. Planned that already, but had to wait for files to compare with. It turns out the files are identical, so I'll await the answer from my host or dig deeper into the cron scripts to find out how these files got updated.

Thanks.
 
CSF/LFD updates itself by cron:

Code:
# cat /etc/cron.d/csf_update
SHELL=/bin/sh
9 3 * * * root /etc/csf/csf.pl -u
 
The CSF auto update is also a setting (AUTO_UPDATES) which is turned on by default.

However, I don't think CSF itself triggered this; I don't think they need socat or execute a yum update. Socat is used for creating sockets/daemons, so it could be some kind of remote shell that could use this, but that's just a very wild guess.
 
CSF (/usr/sbin/csf) is a Perl-based application. This part is responsible for updates:

Code:
# grep "start doupdate" /usr/sbin/csf --after=50
# start doupdate
sub doupdate {
        my $force = 0;
        my $actv = "";
        if ($input{command} eq "-uf") {
                $force = 1;
        } else {
                my ($status, $text) = &urlget("http://www.configserver.com/free/csf/version.txt");
                if ($status) {print "Oops: $text\n"; exit;}
                $actv = $text;
        }

        if ((($actv ne "") and ($actv =~ /^[\d\.]*$/)) or $force) {
                if (($actv > $version) or $force) {
                        $| = 1;

                        unless ($force) {print "Upgrading csf from v$version to $actv...\n"}
                        if (-e "/usr/src/csf.tgz") {unlink ("/usr/src/csf.tgz") or die $!}
                        print "Retrieving new csf package...\n";

                        my ($status, $text) = &urlget("http://www.configserver.com/free/csf.tgz","/usr/src/csf.tgz");
                        if ($status) {print "Oops: $text\n" ; exit;}

                        if (! -z "/usr/src/csf/csf.tgz") {
                                print "\nUnpacking new csf package...\n";
                                system ("cd /usr/src ; tar -xzf csf.tgz ; cd csf ; sh install.sh");
                                print "\nTidying up...\n";
                                system ("rm -Rfv /usr/src/csf*");
                                print "\nRestarting csf and lfd...\n";
                                system ("/usr/sbin/csf -r ; /etc/init.d/lfd restart");
                                print "\n...All done.\n\nChangelog: http://www.configserver.com/free/csf/changelog.txt\n";
                        }
                } else {
                        if (-t STDOUT) {print "csf is already at the latest version: v$version\n"}
                }
        } else {
                print "Unable to verify the latest version of csf at this time\n";
        }
}
# end doupdate


and uses Perl for retrieving files from remote URLs.


Code:
sub urlget {
        my $url = shift;
        my $file = shift;
        my $quiet = shift;
        my $status;
        my $text;
        if ($config{URLGET} == 2) {
                eval ('use LWP::UserAgent;');
                ($status, $text) = &urlgetLWP($url,$file,$quiet);
        } else {
                eval ('use HTTP::Tiny;');
                ($status, $text) = &urlgetTINY($url,$file,$quiet);
        }
        return ($status, $text);
}
# end urlget



and so on.
 
I'm adding this to thread because I didn't see it mentioned anywhere:

If you're concerned about whether or not yum was run to update one or more files, check the log yum maintains in /var/log.

Jeff
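The triage the thread converges on (which package owns each changed file, whether it still matches the rpm database, whether yum touched that package, and a comparison against a known-good host), as an added shell example; it is not code from the thread or from csf/lfd. It assumes a CentOS 6 style host with rpm, GNU coreutils and /var/log/yum.log; the alert body and the two yum.log lines embedded below are constructed samples (the version strings are illustrative), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from csf/lfd: triage an lfd "md5sum comparison" alert.
# Assumes rpm, GNU md5sum and a CentOS 6 style /var/log/yum.log on the real host.

# Constructed sample inputs: the alert text as posted and two made-up yum.log lines.
SAMPLE_ALERT='The following list of files have FAILED the md5sum comparison test.

/usr/bin/filan: FAILED
/usr/bin/procan: FAILED
/usr/bin/socat: FAILED
/etc/init.d/functions: FAILED'

SAMPLE_YUMLOG='Feb 20 03:14:22 Updated: initscripts-9.03.40-2.el6.centos.1.x86_64
Feb 20 03:14:25 Updated: socat-1.7.2.3-1.el6.x86_64'

# Pull the changed paths out of an lfd alert body read on stdin.
lfd_failed_files() {
    sed -n 's/^\(\/[^:]*\): FAILED$/\1/p'
}

# Print the yum.log lines that installed, updated or erased package $1 (yum.log on stdin).
# Exit status is grep's: 0 if yum touched the package, 1 if it never appears.
yum_log_entries_for() {
    grep -E "(Installed|Updated|Erased): $1-[0-9]"
}

# Check the local files against an "md5sum  path" list taken on a known-good host ($1).
# Prints only the mismatches; exit status 1 if any file differs.
compare_with_reference() {
    md5sum -c --quiet "$1"
}

# Real-host triage: for every path in the alert file ($1), report the owning package,
# re-verify that package against the rpm database, and look it up in yum.log ($2).
triage() {
    alert_file=$1
    yumlog=${2:-/var/log/yum.log}
    lfd_failed_files < "$alert_file" | while IFS= read -r f; do
        if pkg=$(rpm -qf --qf '%{NAME}\n' "$f" 2>/dev/null); then
            echo "$f: owned by $pkg"
            # rpm -V prints a flag line per file that differs from the package
            # (5 = digest, S = size, T = mtime); silence means it still matches.
            rpm -V "$pkg" || echo "  rpm -V reports differences for $pkg (see above)"
            yum_log_entries_for "$pkg" < "$yumlog" || echo "  no yum.log entry for $pkg"
        else
            echo "$f: not owned by any package, inspect manually"
        fi
    done
}
```

Usage on a real host: save the alert to a file and run `triage /root/lfd-alert.txt`; for the cross-box comparison, run `md5sum /usr/bin/socat /usr/bin/filan /usr/bin/procan /etc/init.d/functions > ref.md5` on the clean machine and `compare_with_reference ref.md5` here. The interesting outcome is a path that rpm does not own, or one that `rpm -V` flags with a digest (5) mismatch while yum.log shows no update of its package; a file that `rpm -V` still accepts and that appears in yum.log is an ordinary package update, which is what this thread turned out to be. One extra caveat for CentOS 5/6: prelink rewrites binaries in place and also trips an md5sum-based check without any package update, and `rpm -V` accounts for prelinked files where a bare md5sum does not.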
 
Did not think of that; yum indeed performed the updates. After digging a bit through my crons, it turns out I did set a cron for yum update. I have a file with some useful cron commands, including a line for yum, and I must have copied this one by accident for some other task.

Thank you all for your great input, my mystery is solved now!
 
Glad to hear it's all resolved.

I build a lot of servers, and to make sure there are no surprises I use a checklist for everything I do to every server as I build it. Makes it easier to figure out how a particular server is configured, if different.

Takes me longer to build a server, but I tend to have more consistency in my builds.

Jeff
 