For the last couple of days I've been getting a TON of emails that lfd has failed. I had a cracker upload a backdoor script on 10/7/20 that I thought was fixed, but maybe I was wrong. I'm running WHM / cPanel v.86.0.29 because I'm still using MySQL 5.5, and no one responded on whether there is any risk to updating and I can't really risk losing everything.
Anyway.
I installed ClamAV but never received any reports, so I honestly don't know if it found or fixed anything.
I also ran rkhunter, v. 1.4.2. It didn't find any rootkits, but I did have a few warnings *.
I restarted CSF, and then in /var/log/lfd I see:
Code:
Oct 20 19:39:07 [SERVER] lfd[25196]: *System Integrity* has detected modified file(s): /usr/sbin/csf /usr/sbin/lfd
Oct 20 19:40:22 [SERVER] lfd[25389]: Directory Watching terminated after 16 seconds
Oct 20 19:40:22 [SERVER] lfd[25389]: LF_DIRWATCH taking 16 seconds, temporarily throttled to run every 180 seconds
Then looking at /usr/sbin/csf and /usr/sbin/lfd, I see both were modified on 10/19/20, 5:33:06pm EST.
Can anyone suggest whether the filesizes are wrong? /csf is 243,240, and /lfd is 390,948.
* rkhunter warnings:
Code:
Performing file properties checks
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
/usr/bin/GET [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
Performing group and account checks
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Performing system configuration file checks
Checking if SSH root access is allowed [ Warning ]
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]
The log file said that each of those file properties had been replaced by a script, so I think they're irrelevant. The log also showed no warning for passwd and group, so I don't know what's up with that. And SSH root access is expected, as I do have it allowed.
But the filesystem checks, I don't know. Should I be concerned?
Code:
[03:16:20] Info: Starting test name 'passwd_changes'
[03:16:21] Checking for passwd file changes [ None found ]
[03:16:21]
[03:16:21] Info: Starting test name 'group_changes'
[03:16:21] Checking for group file changes [ None found ]
[03:16:51] Checking /dev for suspicious file types [ Warning ]
[03:16:52] Warning: Suspicious file types found in /dev:
[03:16:52] /dev/.udev/queue.bin: data
[03:16:52] /dev/.udev/db/block:loop0: ASCII text
[03:16:52] /dev/.udev/db/block:xvda1: ASCII text
[03:16:53] /dev/.udev/db/block:xvda2: ASCII text
[03:16:53] /dev/.udev/db/block:xvda: ASCII text
[03:16:53] /dev/.udev/db/input:event0: ASCII text
[03:16:54] /dev/.udev/db/block:xvdb1: ASCII text
[03:16:54] /dev/.udev/db/block:ram9: ASCII text
[03:16:54] /dev/.udev/db/block:ram7: ASCII text
[03:16:54] /dev/.udev/db/block:ram8: ASCII text
[03:16:55] /dev/.udev/db/block:ram6: ASCII text
[03:16:55] /dev/.udev/db/block:ram5: ASCII text
[03:16:55] /dev/.udev/db/block:ram2: ASCII text
[03:16:56] /dev/.udev/db/block:ram14: ASCII text
[03:16:56] /dev/.udev/db/block:ram15: ASCII text
[03:16:56] /dev/.udev/db/block:ram10: ASCII text
[03:16:56] /dev/.udev/db/block:ram11: ASCII text
[03:16:57] /dev/.udev/db/block:ram4: ASCII text
[03:16:57] /dev/.udev/db/block:ram3: ASCII text
[03:16:57] /dev/.udev/db/block:ram12: ASCII text
[03:16:58] /dev/.udev/db/block:ram13: ASCII text
[03:16:58] /dev/.udev/db/block:ram1: ASCII text
[03:16:58] /dev/.udev/db/block:xvdb: ASCII text
[03:16:59] /dev/.udev/db/block:loop6: ASCII text
[03:16:59] /dev/.udev/db/block:loop7: ASCII text
[03:16:59] /dev/.udev/db/block:loop4: ASCII text
[03:17:00] /dev/.udev/db/block:ram0: ASCII text
[03:17:00] /dev/.udev/db/block:loop3: ASCII text
[03:17:00] /dev/.udev/db/block:loop5: ASCII text
[03:17:00] /dev/.udev/db/block:loop2: ASCII text
[03:17:01] /dev/.udev/db/block:loop1: ASCII text
[03:17:01] /dev/.udev/rules.d/99-root.rules: ASCII text
[03:17:03] Checking for hidden files and directories [ Warning ]
[03:17:03] Warning: Hidden directory found: /dev/.mdadm
[03:17:04] Warning: Hidden directory found: /dev/.udev
[03:17:04] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[03:17:04] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[03:17:05] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[03:17:05] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[03:17:05] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[03:17:05] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
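The "*System Integrity* has detected modified file(s)" line above is lfd comparing a stored fingerprint of a watched file against the file as it is now. The following is an added example for this thread, not code from the original post and not csf/lfd's own source: it parses that alert format, implements the same baseline-then-verify idea in miniature (SHA-256 plus size and mode, with mtime recorded but not used as evidence), and shows why a plausible file size answers nothing on its own. The stand-in files, the reference copy, and the tampering are all constructed inside a temporary directory; in practice the reference would be the same file unpacked from a freshly downloaded csf.tgz.

```python
#!/usr/bin/env python3
"""Miniature of a System Integrity style check plus a parser for lfd's alert line.
Added example for this thread; it is not csf/lfd source code."""
import hashlib
import os
import re
import stat
import tempfile

# Matches the alert format seen in /var/log/lfd in the post above. The host
# field is whatever token sits between the timestamp and "lfd[" ("[SERVER]" here).
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ lfd\[(?P<pid>\d+)\]: "
    r"\*System Integrity\* has detected modified file\(s\): (?P<files>.+)$"
)


def parse_integrity_alert(line):
    """Return {'ts', 'pid', 'files'} for a System Integrity alert line, else None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "pid": int(m.group("pid")),
            "files": m.group("files").split()}


def fingerprint(path):
    """Content hash plus the metadata a modification would disturb."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def baseline(paths):
    """Snapshot every existing path; this is the 'known good' compared against later."""
    return {p: fingerprint(p) for p in paths if os.path.exists(p)}


def verify(base):
    """Re-fingerprint each baselined file and list which properties changed.
    mtime is recorded but deliberately not compared: a legitimate update changes
    it too, so it only tells you when something happened, not whether it was bad."""
    report = {}
    for path, old in base.items():
        if not os.path.exists(path):
            report[path] = ["missing"]
            continue
        new = fingerprint(path)
        changed = [k for k in ("sha256", "size", "mode") if new[k] != old[k]]
        if changed:
            report[path] = changed
    return report


def matches_reference(installed, reference):
    """A 'right-looking' size proves little; compare the hash against a pristine copy."""
    return fingerprint(installed)["sha256"] == fingerprint(reference)["sha256"]


def demo():
    """Constructed scenario: stand-ins for csf and lfd plus a pristine reference
    copy of csf. One file gets content appended, the other is only re-chmodded."""
    with tempfile.TemporaryDirectory() as d:
        csf, lfd, ref = (os.path.join(d, n) for n in ("csf", "lfd", "csf.ref"))
        for p in (csf, ref):
            with open(p, "wb") as f:
                f.write(b"#!/usr/bin/perl\n# constructed stand-in for /usr/sbin/csf\n")
        with open(lfd, "wb") as f:
            f.write(b"#!/usr/bin/perl\n# constructed stand-in for /usr/sbin/lfd\n")
        for p in (csf, lfd, ref):
            os.chmod(p, 0o700)
        base = baseline([csf, lfd])
        before = matches_reference(csf, ref)
        with open(csf, "ab") as f:              # simulate tampering with csf
            f.write(b"# appended line standing in for injected code\n")
        os.chmod(lfd, 0o755)                    # permissions-only change on lfd
        report = {os.path.basename(p): v for p, v in verify(base).items()}
        return {"report": report,
                "csf_matches_reference_before": before,
                "csf_matches_reference_after": matches_reference(csf, ref)}


if __name__ == "__main__":
    print(parse_integrity_alert(
        "Oct 20 19:39:07 [SERVER] lfd[25196]: *System Integrity* has detected "
        "modified file(s): /usr/sbin/csf /usr/sbin/lfd"))
    print(demo())
```

Run as-is it reports csf changed in sha256 and size and lfd changed in mode only, and shows csf matching the reference copy before the append but not after. The point for the question in the post: the sizes quoted (243,240 and 390,948) cannot settle whether the files are clean, because an attacker who replaces a script can pad it to any size; what settles it is a content hash matched against the same file from a known-good csf package.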