System Integrity checking detected a modified system file

[ljj3]

I know this message comes from LFD and is normal after an update. One of our VPS's, lightly loaded and up to date generates messages like the following every hour for days, stops, spurts out a few, then dozens and dozens. Yes, often 24 per day! UUCP is only running once a day.

The host repeatedly says its nothing to worry about and the system performs otherwise normally. Well except for altered packages warnings from time to time. I have other VPS's in the same datacenter with no issues like this. Any thoughts?

Examples (most are like the first):

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/sbin/mysqld: FAILED
/sbin/mysqld: FAILED


The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/bin/imunify360-agent: FAILED
/usr/bin/imunify-antivirus: FAILED
/usr/bin/imunify-service: FAILED
/bin/imunify360-agent: FAILED
/bin/imunify-antivirus: FAILED
/bin/imunify-service: FAILED
/sbin/mysqld-debug: FAILED

 

[cPanelWilliam]

Hi! Does the yum log show that those packages were recently updated or changed? You can run a command similar to the following to see whether the Imunify packages were updated recently:

grep imunify /var/log/yum.log

We have more information about these types of notifications here:

CSF Says that packages failed the md5sum check

 

[ljj3]

No. There are vastly more notifications than uucp updates. Sometimes one per hour for days at a time.

My suspicion has been hardware failure but the host, who has been quite good insists it's nothing - which makes no sense.

Security is very tight.

 

[ljj3]

As another example, all of our VPS' reported file changes last night consistent with uucp running. Including the system in question. But it also reported a different set of changes multiple times with no uucp. This has been going on for months, btw.

Just trying to get to the bottom of it, since I'm barely using this system since I don't trust it with an odd problem no one seems to understand.

 

[cPanelWilliam]

Hi,

As another example, all of our VPS' reported file changes last night consistent with uucp running. Including the system in question. But it also reported a different set of changes multiple times with no uucp. This has been going on for months, btw.

It would be difficult to say what is modifying those system files without access to the server to review the complete bash history, logs, and server configuration. It would be normal to receive these alerts during cPanel updates, but what you said indicates something outside of cPanel is modifying system files.

Typically these types of investigations should be handled by a security administrator. I'd suggest opening a ticket to see if our team can shed some light on the issue, although we may not be able to resolve it directly as it does not appear to be caused by cPanel.

 

[ljj3]

I'm sure its not a cPanel problem and I appreciate you taking a look. I also doubt this is security related, we are exceptionally cautious in that regard and it makes no sense that some entity would be repeatedly changing one group of files hundreds of times a month. It looks to me like corruption of some sort especially when combined with altered packages and other warnings. cPanel has looked at the server when it was also dropping services randomly and had no conclusive answers.

I am going to move the last couple of accounts off and deep six this VPS, as it has caused 1000 times more problems than all our others combined.

Just wish someone could advise if corruption, bad disk, bad memory or alien space lasers could lead to this problem!

 

[cPRex]

I always go straight for the alien space lasers, personally.