I have three servers with cxs installed. None are showing auto update emails for cxs or csf, and all three reported this, this morning:
Code:
lfd on {srvername}: System Integrity checking detected a modified system file
From: root@{srvername}
To: root@{srvername}
Time: Sun Nov 8 04:00:11 2015 -0600
The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
/usr/sbin/cxs: FAILED
All three show new dates on cxs.pl:
Code:
# ll /usr/sbin/cxs
lrwxrwxrwx. 1 root root 15 Oct 3 10:24 /usr/sbin/cxs -> /etc/cxs/cxs.pl
# ll /etc/cxs/cxs.pl
-rwxr-xr-x. 1 root root 618078 Nov 8 04:09 /etc/cxs/cxs.pl
# ll /usr/sbin/cxs
lrwxrwxrwx 1 root root 15 Oct 2 06:05 /usr/sbin/cxs -> /etc/cxs/cxs.pl
# ll /etc/cxs/cxs.pl
-rwxr-xr-x 1 root root 618078 Nov 8 04:27 /etc/cxs/cxs.pl
# ll /usr/sbin/cxs
lrwxrwxrwx. 1 root root 15 Oct 9 11:08 /usr/sbin/cxs -> /etc/cxs/cxs.pl
# ll /etc/cxs/cxs.pl
-rwxr-xr-x. 1 root root 618078 Nov 8 03:59 /etc/cxs/cxs.pl
http://download.configserver.com/cxs/changelog.txt says the latest version is 6.00, but gives no date when that was released.
# # #
Was there an update to cxs, or have all three servers been hacked? If I've been hacked, what's my next step?
Thanks,
Michael
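An added example, not part of the original post and not ConfigServer's own code: the alert above names the symlink /usr/sbin/cxs while the file that changed is its target, so this sketch pulls the FAILED paths out of an lfd alert body, resolves each one, and compares the target's SHA-256 with a trusted reference copy. The function names, the sandbox directory and the reference copy (assumed to be obtained independently, for example from a clean install) are assumptions made for illustration.

```sh
# Added example (not from the original post). Paths follow the post; the
# reference copy and the sandbox under $root are constructed assumptions.

# Read an lfd alert body on stdin and print each path marked ": FAILED".
failed_paths() {
    sed -n 's|^\(/.*\): FAILED$|\1|p'
}

# triage_path ROOT PATH REF: resolve PATH under ROOT (following symlinks)
# and compare its SHA-256 with the trusted copy REF.
# Exit status: 0 match, 1 mismatch, 2 target missing.
triage_path() (
    target=$(readlink -f -- "$1$2") || exit 2
    [ -f "$target" ] || { echo "$2 MISSING"; exit 2; }
    have=$(sha256sum < "$target" | cut -d' ' -f1)
    want=$(sha256sum < "$3" | cut -d' ' -f1)
    if [ "$have" = "$want" ]; then
        echo "$2 -> ${target#"$1"} MATCH"
    else
        echo "$2 -> ${target#"$1"} MISMATCH"; exit 1
    fi
)

# Constructed sandbox mirroring the layout in the post. The installed file
# is "version B"; $1 picks the version of the reference copy.
demo() (
    root=$(mktemp -d) && root=$(cd "$root" && pwd -P) || exit 3
    mkdir -p "$root/usr/sbin" "$root/etc/cxs" "$root/ref"
    echo 'constructed file, version B' > "$root/etc/cxs/cxs.pl"
    ln -s "$root/etc/cxs/cxs.pl" "$root/usr/sbin/cxs"
    echo "constructed file, version $1" > "$root/ref/cxs.pl"
    out=$(printf '%s\n' 'files have FAILED the md5sum comparison test' \
        '/usr/sbin/cxs: FAILED' | failed_paths | while read -r p; do
            triage_path "$root" "$p" "$root/ref/cxs.pl"
        done) && rc=0 || rc=$?
    rm -rf "$root"
    echo "$out"
    exit "$rc"
)

demo B
```

On a real host, ROOT would be empty and REF the independently obtained copy; running the same comparison on each of the three servers shows whether they all carry the same file.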