Applicable to:
- Plesk for Linux
Question
What Watchdog warnings can be safely ignored?
Answer
The following list of warnings can be safely ignored:
-
"The file has changed": This warning appears in the log, when Watchdog configuration has been changed via Plesk:
CONFIG_TEXT: [16:34:46] Warning:  Package manager verification has failed:
[16:34:46] File: /usr/local/psa/etc/modules/watchdog/rkhunter.conf
[16:34:46] The file hash value has changed
[16:34:46] The file size has changed
[16:34:46] The file modification time has changed -
"Suspicious shared memory segments": Shared memory segments below are owned by Apache, Plesk and Postgres:
CONFIG_TEXT: [16:35:32] Warning: The following suspicious shared memory segments have been found:
[16:35:32] Process: /usr/sbin/httpd PID: 9522 Owner: root
[16:35:32] Process: PID: 25000 Owner: psaadm
[16:35:32] Process: /usr/bin/postgres PID: 9759 Owner: postgres -
"Suspicious shared memory segments": Shared memory segments below are owned by Apache and MagicSpam:
CONFIG_TEXT: [01:01:55] Checking for suspicious shared memory segments [ Warning ] [01:01:55] Warning: The following suspicious shared memory segments have been found: [01:01:55] Process: PID: 4023 Owner: magicspam [01:01:55] Process: /usr/sbin/apache2 PID: 10275 Owner: root
-
"Found enabled xinetd service: The "xinetd" service is a part of the Plesk functionality.
CONFIG_TEXT: [16:35:33] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[16:35:33] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa -
"Hidden file/directories found":
- The /usr/share/man/ directory is used for package manuals.
- The /dev/.udev directory is created by the "udevd" daemon and is used for system boot process.
- *.hmac files are used for messages authentication.
CONFIG_TEXT: [16:35:38] Warning: Hidden directory found: /dev/.udev
[16:35:38] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[16:35:39] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[16:35:39] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[16:35:39] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[16:35:39] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[16:35:39] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Additional information
For more information about Watchdog (System Monitoring) Component, see this Plesk documentation page.
For the purpose of scanning the server for malware, Watchdog uses the Rootkit Hunter utility. For more information about Rootkit Hunter, visit the Rootkit Hunter developer's Web site.
Comments
6 comments
Forgot to mention that MagicSpam too will throw the following warning message. You should whitelist your processes by default.
@Marco Marsala
Thank you for noticing, Marco! I have updated the article.
Why doesn't plesk then whitelist this warnings by default?
@Christian Heutger
Hello!
These warnings are not whitelisted by default as they may be useful for troubleshooting.
Feel free to create functionality suggestions at Plesk User Voice.
I got this warning
[01:15:10] /opt/psa/etc/modules/watchdog/rkhunter.conf [ Warning ]
[01:15:10] Warning: Package manager verification has failed:
[01:15:10] File: /opt/psa/etc/modules/watchdog/rkhunter.conf
[01:15:10] The file hash value has changed
@Aniello, this warning appears in the log, when Watchdog configuration has been changed via Plesk. It may be safely ignored.
Please sign in to leave a comment.