Passwd Infected Chkrootkit
After the last update I have the following problem on my server.
WHM 11.98.0.11
Checking `passwd'... INFECTED
Today, after yesterday's update from 11.98.0.10 to 11.98.0.11
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... INFECTED
Checking `pidof'... not infected
Before update
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
This has come up after the last update. Is this a false positive? I also tried an md5sum comparison like this:
mkdir /root/testing
cd /root/testing
wget http://httpupdate.cpanel.net/cpanelsync/11.98.0.11/binaries/linux-c7-x86_64/bin/jail_safe_passwd.xz
unxz jail_safe_passwd.xz
md5sum jail_safe_passwd
md5sum /usr/local/cpanel/bin/jail_safe_passwd
The md5sum from jail_safe_passwd.xz and from /usr/local/cpanel/bin/jail_safe_passwd MATCHES. But the md5sums from /bin/passwd and /usr/local/cpanel/bin/jail_safe_passwd are not the same (but before the update, if I recall correctly, they weren't the same and I didn't have any INFECTED message). Thanks in advance.
Can you run the following commands and let us know the output?
sha256sum /bin/passwd
sha256sum /usr/bin/passwd
Regards
HostNoc
Thank you @HostNoc
The passwd INFECTED warning you see from chkrootkit is a common false-positive on cPanel servers. This is because cPanel has modified that binary so it can be used with JailShell. I would suggest opening a support ticket using the link in my signature (or asking your provider to open one for you) so we can investigate for any potential issues. Provide me with the ID once open if you can.
Hello @cPanelAnthony Is it possible to make a test server with the latest environment of CentOS 7, x86_64 and WHM 11.98.0.11 and compare the MD5 and SHA256 checksums as in this old thread from @cPanelMichael here: Thank you.
Hello again! It looks like this should be possible. However, it might be best if you open a ticket so we can review the issue briefly. Are you able to do so using the link in my signature?
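An added example, not part of the original thread and not cPanel's own tooling: the checksum comparison discussed above, done with SHA-256 and with symlinks resolved first, so that /bin/passwd and /usr/bin/passwd are recognised as one file where /bin links to /usr/bin (as on CentOS 7). The function names and the temporary directory layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Paths used by demo() are constructed in a temp directory.

# Print the SHA-256 of a file after resolving symlinks. On CentOS 7 /bin is a
# symlink to /usr/bin, so /bin/passwd and /usr/bin/passwd are the same file.
file_digest() {
    real=$(readlink -f -- "$1") || return 2
    [ -f "$real" ] || return 2
    sha256sum -- "$real" | awk '{print $1}'
}

# Exit status: 0 identical content, 1 different content, 2 unreadable/missing.
same_content() {
    a=$(file_digest "$1") || return 2
    b=$(file_digest "$2") || return 2
    [ "$a" = "$b" ]
}

# Print MATCH, MISMATCH or ERROR for an installed file vs. a reference copy.
verify_against_reference() {
    rc=0
    same_content "$1" "$2" || rc=$?
    case $rc in
        0) echo "MATCH" ;;
        1) echo "MISMATCH" ;;
        *) echo "ERROR" ;;
    esac
}

# Constructed layout: bin -> usr/bin, a vendor reference copy, and an
# unrelated binary standing in for the distribution's own passwd.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/vendor"
    ln -s usr/bin "$d/bin"
    printf 'vendor jail_safe_passwd build\n' > "$d/vendor/jail_safe_passwd"
    cp "$d/vendor/jail_safe_passwd" "$d/usr/bin/jail_safe_passwd"
    printf 'distribution passwd build\n' > "$d/usr/bin/passwd"
    echo "installed vs vendor copy: $(verify_against_reference "$d/bin/jail_safe_passwd" "$d/vendor/jail_safe_passwd")"
    echo "/bin vs /usr/bin path:    $(verify_against_reference "$d/bin/passwd" "$d/usr/bin/passwd")"
    echo "passwd vs vendor copy:    $(verify_against_reference "$d/usr/bin/passwd" "$d/vendor/jail_safe_passwd")"
    rm -rf "$d"
}
demo
```

A MATCH only shows that the installed file equals the reference copy, so the reference has to come from a source you trust.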