Skip to main content

Resolving Issues Found With Rootkit Hunter

denverdataman
Hi, I am trying to figure out what the best next step is for a server that I think is clean but I need to validate this assumption and there are some outstanding questions from Rootkit Hunter. There were many warnings for files so I checked the MD5 value against another cPaenl install with the same version of CentOS. Everything checked out except for a few files. For example /bin/passwd and /usr/local/cpanel/bin/jail_safe_passwd. I used YUM to validate the file as well and it looks good. What is a reasonable next step? It is important to note that one site on the server was compromised via a files directory. There was compressed PHP code added that messed up search engine listings but I do not think they would have been able to alter the OS. No rootkits were found. Thanks, Steve

Comments

3 comments

Date Votes
  • cPanelMichael
    There were many warnings for files so I checked the MD5 value against another cPaenl install with the same version of CentOS. Everything checked out except for a few files. For example /bin/passwd and /usr/local/cpanel/bin/jail_safe_passwd.

    Hello, Can you verify if the same version of cPanel is installed on each system? What are the specific checksums values and OS/cPanel versions you are concerned about? Thank you.
    0
  • denverdataman
    Thank you for writing back. I did verify that the versions of cPanel and the OS are the same. The OS is centos-release-6-9.el6.12.3.x86_64 and cPanel is version 66.0 (build 34). Here is what I am seeing: root@mpa.example.com [bin]# yum provides /bin/passwd Loaded plugins: fastestmirror, security, universal-hooks Loading mirror speeds from cached hostfile * EA4: 70.87.220.252 * cpanel-addons-production-feed: 70.87.220.252 * extras: mirror.tzulo.com No Matches found root@mpa.example.com [bin]# md5sum passwd 4d05aefc3966f4f413d1da3874d2df43 passwd
    and root@mpa.example.com [bin]# md5sum /usr/local/cpanel/bin/jail_safe_passwd 4d05aefc3966f4f413d1da3874d2df43 /usr/local/cpanel/bin/jail_safe_passwd root@mpa.example.com [bin]# yum provides /usr/local/cpanel/bin/jail_safe_passwd Loaded plugins: fastestmirror, security, universal-hooks Loading mirror speeds from cached hostfile * EA4: 70.87.220.252 * cpanel-addons-production-feed: 70.87.220.252 * extras: mirror.tzulo.com No Matches found root@mpa.example.com [bin]#
    I was wrong about Yum. Please advise. Thanks, Steve
    0
  • cPanelMichael
    Hello Steve, I was able to confirm the md5sum for your /usr/local/cpanel/bin/jail_safe_passwd file (/bin/passwd is just a link to this file) matches the md5sum when downloading the file directly from our mirrors at: cPanel & WHM Version 66 Now EOL | cPanel Newsroom Thank you.
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post