Passwd Infected Chkrootkit
Hi,
chkrootkit-0.52
Completed update 11.76.0.17 -> 11.76.0.18
OS CloudLinux 7.6 (Vladimir Lyakhov)
    Checking `passwd'... INFECTED
How can I confirm if this is false positive? I know it is already explained here but what URL do I need to use to download the jail_safe_passwd.bz2 file from cPanel? Please advise. Thank you
The md5sum does not match (md5sum /bin/passwd & md5sum /root/testing/jail_safe_passwd).
Hello @aloshi2019, can you run the following commands and let us know the output?

    sha256sum /bin/passwd
    sha256sum /usr/bin/passwd

I can compare the output for this file on a test system and verify if the results match. Thank you.
If I'm not mistaken, cPanel has to modify the passwd binary due to the way jailshell works and in conjunction with how password changes are made by users. I would not be too terribly alarmed by this, especially since a cPanel update was just recently published - did you recently update cPanel? Still... it's never a bad idea to scrutinize these changes and verify that everything is in order. But I would not be terribly alarmed by this - especially if you just recently updated cPanel or had it automatically updated. (This is also a good reason why it's a good idea to stay on top of when cPanel is pushing out updates.)
Hello @aloshi2019, I can confirm those hashes match the hashes on my test system running CentOS 7.6:

    # sha256sum /bin/passwd
    a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270 /bin/passwd
    # sha256sum /usr/bin/passwd
    a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270 /usr/bin/passwd

Thus, this looks to be a false positive. Thank you.
Hi, following a chkrootkit scan of my servers, it flagged the /bin/passwd file as infected. I've followed the instructions from other threads on the same subject and get these results:

    792964343f6f916d8025bf9b1eb1e839 /bin/passwd
    5141bbb73ac4cc6b7e82c4034947b3d1 jail_safe_passwd
    5141bbb73ac4cc6b7e82c4034947b3d1 /usr/local/cpanel/bin/jail_safe_passwd

Server is CentOS 7, x86_64, cPanel build is 11.78.0.24. Chkrootkit says the /bin/passwd is infected; the md5sum doesn't match the jail_safe_passwd, but as I understand it in CentOS 7 they are different files rather than a symlink? Can you please check the md5sum for the /bin/passwd file against one of your test machines? I don't seem to be able to download a new version of that file to check, just the jail_safe_passwd file. Is that correct or am I missing something? Thanks.

    /etc/redhat-release:CentOS Linux release 7.6.1810 (Core)
    grep: /usr/local/cpanel/version/: Not a directory
    /var/cpanel/envtype:standard
    CPANEL=release

The other server is CentOS 6, but I think I can work through that using information from previous threads, so I won't include that here. Thanks so much for your help.
Hello @LoraineB, I checked a test server with the following environment:

    # cat /etc/redhat-release
    CentOS Linux release 7.6.1810 (Core)
    # rpm -qa|grep passwd
    passwd-0.79-4.el7.x86_64

Here are the MD5 and SHA256 checksums on this system you can use to compare with:

    # md5sum /bin/passwd
    792964343f6f916d8025bf9b1eb1e839 /bin/passwd
    # sha256sum /bin/passwd
    a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270 /bin/passwd

Thank you.
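The two staff replies above reduce the question to one procedure: take the digest of the flagged binary, compare it with a digest from a trusted reference system, and (per the later question about CentOS 7) settle whether /bin/passwd and /usr/bin/passwd are one file or two. The script below is an added example written for this thread; it is not code from chkrootkit, cPanel or any poster. It assumes only coreutils (md5sum, sha256sum), takes the expected hash from the caller rather than baking one in, and, where rpm exists and owns the file, also asks the package database whether the file still matches what the package installed (rpm -Vf prints nothing when it does). The path and digest values in the self-check at the bottom are constructed for demonstration. Two points worth knowing before reading the output: on CentOS 7, /bin is a symlink to usr/bin, so /bin/passwd and /usr/bin/passwd are the same inode and matching hashes between them prove nothing on their own; and the numbers posted in this thread show /bin/passwd and jail_safe_passwd hashing differently on a box staff confirmed as clean, so comparing those two files against each other is the wrong check.

```shell
#!/bin/sh
# Added example for this thread (not chkrootkit's or cPanel's code): verify a
# system binary against a trusted digest, check package ownership via rpm when
# available, and tell whether two paths are really one file.

# digest ALGO FILE: print the hex digest (md5 or sha256) of FILE.
digest() {
    case $1 in
        md5)    sum=$(md5sum "$2" 2>/dev/null) ;;
        sha256) sum=$(sha256sum "$2" 2>/dev/null) ;;
        *)      echo "digest: unknown algorithm $1" >&2; return 1 ;;
    esac || return 1
    printf '%s\n' "${sum%% *}"      # "<hash>  <file>" -> "<hash>"
}

# verify ALGO FILE EXPECTED: 0 = match, 1 = mismatch, 2 = file unreadable.
verify() {
    algo=$1; file=$2; expected=$3
    [ -r "$file" ] || { echo "MISSING   $file"; return 2; }
    actual=$(digest "$algo" "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK        $file ($algo $actual)"
        return 0
    fi
    echo "MISMATCH  $file ($algo expected $expected, got $actual)"
    return 1
}

# same_file A B: succeed when both paths resolve to the same inode (symlink or
# hard link), e.g. /bin/passwd vs /usr/bin/passwd on CentOS 7.
same_file() {
    [ "$1" -ef "$2" ]
}

# rpm_verify FILE: on RPM systems, compare FILE with the package that owns it.
# Skipped (status 0) when rpm is absent or no package owns the file.
rpm_verify() {
    command -v rpm >/dev/null 2>&1 || { echo "SKIP      rpm not available for $1"; return 0; }
    pkg=$(rpm -qf "$1" 2>/dev/null) || { echo "SKIP      $1 not owned by any package"; return 0; }
    out=$(rpm -Vf "$1" 2>&1)        # empty output means size/mode/digest all match
    if [ -z "$out" ]; then
        echo "RPM-OK    $1 ($pkg)"
        return 0
    fi
    echo "RPM-DIFF  $1 ($pkg)"
    printf '%s\n' "$out"
    return 1
}

# check FILE EXPECTED_SHA256 [OTHER_PATH]: full report; non-zero on any finding.
check() {
    rc=0
    verify sha256 "$1" "$2" || rc=$?
    rpm_verify "$1" || rc=1
    if [ -n "$3" ]; then
        if same_file "$1" "$3"; then
            echo "SAME      $1 and $3 are one file; no second hash needed"
        else
            echo "DISTINCT  $1 and $3 are separate files; verifying $3 too"
            verify sha256 "$3" "$2" || rc=1
        fi
    fi
    return $rc
}

# Usage: sh verify_binary.sh /bin/passwd <sha256 from a trusted reference> [/usr/bin/passwd]
if [ $# -ge 2 ]; then
    check "$@"
fi
```

A MISMATCH from this script is still not proof of compromise: the reference digest must come from the same package version (the staff reply lists passwd-0.79-4.el7 for its hashes), so compare `rpm -q passwd` on both machines before trusting a mismatch, and treat RPM-DIFF on a binary (as opposed to a config file) as the stronger signal.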
I've had several servers from multiple years and these MD5 checksums, while great in theory, have created a "Boy Who Cries Wolf" situation as they have been 100% due to system updates and so I just ignore and delete them. The system admin work described in this thread to go verify if they are system updates or not is not a practical solution due to the frequency of these, especially with multiple servers. So in reality, while a nice idea in theory, these checksum messages are practically useless. So unless there's a way to make them 'smarter' by seeing if they occur right after an update and then not sending them, I'd like to just turn them off. How?
Hello @jazee, you may want to consider using an alternative such as Imunify360: Additional Security Software - cPanel Knowledge Base - cPanel Documentation

Or, if you prefer to use RKHunter, read over their README to determine how to enable or disable specific notification types: Rootkit Hunter / Code / [016a77] /files/README

Note the following regarding RKHunter:

    - cPanel, L.L.C does not provide RootKit Hunter (rkhunter).
    - The Rootkit Hunter project team has not updated rkhunter in over one year.

Thank you.