Passwd Infected Chkrootkit

23 comments

  • cPanelMichael
    Hello :) It's very likely a false positive, however you may want to review your system for any additional signs of an exploit. Check the md5sum of the /bin/passwd file (it should be a symbolic link to /usr/local/cpanel/bin/jail_safe_passwd on CentOS 6 systems) to see if it matches up with what's provided by cPanel. Thank you.
  • k2tec
    Thanks for the reply. How do I check this against cPanel's md5sum.txt?

    P.S.
    [~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
    bddb53aea267eeb5b55a87  /usr/local/cpanel/bin/jail_safe_passwd
  • cPanelMichael
    The checksum matches the file as provided by cPanel in an archived form at:
    http://httpupdate.cpanel.net/cpanelsync/11.46.0.12/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2
    Thank you.
  • k2tec
    Okay they match, so it is a false positive. Thanks Michael.
  • zodiac9797
    After the last update I have the following problem on my VPS servers running WHM 11.46.0 (build 12):
    Chkrootkit 0.50
    Checking `passwd'... INFECTED
    06-11-2014 Before update. This has come up after the last update. Is this a false positive?

    I can see this warning on all of our dedicated servers since the last update to WHM 11.46.0. I guess it's a false warning. It is hard to believe that all of our servers were compromised on the same date. :)
  • mbressman
    Same thing here - prior to 11/6 it wasn't showing 'passwd' as infected, and then all of a sudden on 11/6's nightly email and thereafter it started showing 'passwd' as infected. I have my WHM updates set to "RELEASE" and it seems likely that WHM updated itself right around then, which could account for this, right? How can I check to see if that's when WHM performed its update? Also - any ideas if CHKROOTKIT will be fixed/updated anytime soon to correct this? Thanks!
  • cPanelMichael
    The cPanel update logs are stored in:
    /var/cpanel/updatelogs/
    Chkrootkit is a third-party application that's not developed by cPanel, so you may want to get in touch with its developers or mailing list to report the issue. Thank you.
  • cre8gr
    Hello, today the VPS company I'm hosted with said that some files were infected in my /tmp/webalizer and /tmp/awstats. After I ran maldet I cleaned those files, and I said let's see what chkrootkit will find, and boom, it said passwd INFECTED. I then ran md5sum and that's what I got for /usr/local/cpanel/bin/jail_safe_passwd: 7ed882d987f8ad62f53d322091ae3241. Is this OK?

    Updated: I forgot to mention my cPanel version is WHM 11.46.0 (build 21).
  • cPanelMichael
    I forgot to mention my cPanel version is WHM 11.46.0 (build 21).

    Please post the output from the following command:
    arch
    Thank you.
  • cre8gr
    The output is: x86_64
  • cPanelMichael
    I then ran md5sum and that's what I got for /usr/local/cpanel/bin/jail_safe_passwd: 7ed882d987f8ad62f53d322091ae3241. Is this OK?

    Yes, this matches the file from our update servers for your architecture. You can test this on your own in the future with commands such as:
    mkdir /root/testing
    cd /root/testing
    wget http://httpupdate.cpanel.net/cpanelsync/11.46.0.22/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2
    bzip2 -d jail_safe_passwd.bz2
    md5sum jail_safe_passwd
    Note the download URL will change depending on your version number, system architecture, and OS. Thank you.
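The manual procedure above (and the symlink detail from the first reply, where /bin/passwd on CentOS 6 is expected to point at /usr/local/cpanel/bin/jail_safe_passwd) can be scripted so the same check is repeatable across servers. The script below is an added example, not code from this thread or from cPanel: it builds the httpupdate.cpanel.net URL from the cPanel version, CentOS major release and architecture (the URL layout is taken from the URLs quoted in the thread), downloads and decompresses the reference binary, and compares its md5 with the installed copy. The function names are my own, and the version string is passed in by hand because the thread does not show where it is stored on disk.

```shell
#!/bin/sh
# Added example (not from the thread or from cPanel): automate the checksum
# comparison described in the thread. URL layout is copied from the URLs
# quoted there; function names are the author's own assumptions.

# Major release from a redhat-release string: "CentOS release 5.11 (Final)" -> 5
os_major_from_release() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\)\..*/\1/p'
}

# Map cPanel version, OS major and machine arch to the cPanel binary URL.
# 32-bit CentOS builds live under linux-c5-i386 even when arch reports i686.
cpanel_bin_url() {
    case "$3" in
        x86_64)    _arch_dir=x86_64 ;;
        i386|i686) _arch_dir=i386 ;;
        *) printf 'unsupported arch: %s\n' "$3" >&2; return 1 ;;
    esac
    printf 'http://httpupdate.cpanel.net/cpanelsync/%s/binaries/linux-c%s-%s/bin/jail_safe_passwd.bz2\n' \
        "$1" "$2" "$_arch_dir"
}

# True when two existing files have the same md5 digest.
same_md5() {
    _a=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1)
    _b=$(md5sum "$2" 2>/dev/null | cut -d' ' -f1)
    [ -n "$_a" ] && [ "$_a" = "$_b" ]
}

# Final target of a path after following symlinks (the path itself if not a link).
resolve_path() {
    readlink -f "$1"
}

# Full check. $1 = cPanel version as shown in WHM (e.g. 11.46.0.12),
# $2 = installed binary to verify (default: the jail_safe_passwd path from the thread).
# Exit status: 0 match, 2 mismatch, 1 the check could not be completed.
verify_jail_safe_passwd() {
    _version="$1"
    _installed="${2:-/usr/local/cpanel/bin/jail_safe_passwd}"
    _os_major=$(os_major_from_release "$(cat /etc/redhat-release)")
    [ -n "$_os_major" ] || { echo 'could not read OS release' >&2; return 1; }
    _url=$(cpanel_bin_url "$_version" "$_os_major" "$(arch)") || return 1
    _tmp=$(mktemp -d) || return 1
    if ! wget -q -O "$_tmp/jail_safe_passwd.bz2" "$_url"; then
        echo "download failed: $_url" >&2; rm -rf "$_tmp"; return 1
    fi
    bzip2 -d "$_tmp/jail_safe_passwd.bz2" || { rm -rf "$_tmp"; return 1; }
    # On CentOS 6 this is expected to resolve to the jail_safe_passwd binary.
    echo "/bin/passwd resolves to: $(resolve_path /bin/passwd)"
    if same_md5 "$_tmp/jail_safe_passwd" "$_installed"; then
        echo "MATCH: $_installed is identical to $_url"; _rc=0
    else
        echo "MISMATCH: $_installed differs from $_url; treat the chkrootkit result as unresolved"; _rc=2
    fi
    rm -rf "$_tmp"
    return $_rc
}

# Usage: sh verify_jail_safe_passwd.sh 11.46.0.12 [/path/to/installed/binary]
if [ "$#" -gt 0 ]; then
    verify_jail_safe_passwd "$@"
fi
```

A MATCH only tells you the installed binary is byte-identical to what cPanel distributes for that version; it does not clear the rest of the host, so a MISMATCH (or a /bin/passwd that resolves somewhere unexpected) is a reason to keep investigating rather than to copy the downloaded file over the installed one.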
  • spyke01
    For arch i686 would the URL for 11.50.1.1 be:
  • cPanelMichael
    My checksums do not match, so can I simply move the downloaded copy over /usr/local/cpanel/bin/jail_safe_passwd and be safe again?

    Hello :) What OS is installed on your server? Thank you.
  • spyke01
    CENTOS 5.11 i686 standard. The specifics from uname are:
    [root@server testing]# uname -r
    2.6.32-042stab053.5
  • cPanelMichael
    CENTOS 5.11 i686 standard. The specifics from uname are:

    You are using the wrong URL if CentOS 5 is installed on your system. The correct URL is:
    http://httpupdate.cpanel.net/cpanelsync/11.50.1.1/binaries/linux-c5-i386/bin/jail_safe_passwd.bz2
    Thank you.
  • spyke01
    Awesome thanks, looks like it was a false positive.
  • UHLHosting
    root@panel [~/chkrootkit-0.50]# md5sum /bin/passwd
    792964343f6f916d8025bf9b1eb1e839  /bin/passwd
    root@panel [~/chkrootkit-0.50]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
    f3b065b4354be16b83ecdef71da622b8  /usr/local/cpanel/bin/jail_safe_passwd
    root@panel [~/chkrootkit-0.50]#
  • cPanelMichael
    root@panel [~/chkrootkit-0.50]# md5sum /bin/passwd
    792964343f6f916d8025bf9b1eb1e839  /bin/passwd
    root@panel [~/chkrootkit-0.50]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
    f3b065b4354be16b83ecdef71da622b8  /usr/local/cpanel/bin/jail_safe_passwd
    root@panel [~/chkrootkit-0.50]#

    Hello, Could you elaborate on the context of this post? For instance, what issue are you attempting to address, or what particular information are you attempting to verify? Thank you.
  • UHLHosting
    If my passwd is infected, as chkrootkit says it is.
  • cPanelMichael
    If my passwd is infected, as chkrootkit says it is.

    Please see the following post for instructions on how to test this: Passwd Infected Chkrootkit - Post 1787952 Thank you.
  • UHLHosting
    Hello, Could you elaborate on the context of this post? For instance, what issue are you attempting to address, or what particular information are you attempting to verify? Thank you.

    I also get from chkrootkit a message that /passwd is infected.
  • cPanelMichael
    I also get from chkrootkit a message that /passwd is infected.

    It's likely a false positive. Have you reviewed the post referenced in my previous response to verify if that's the case? Thank you.
  • Spork Schivago
    For anyone interested, I made a patch, with instructions on how to use it, for chkrootkit-0.50 to make it a bit more cPanel friendly. I've been using it for a few months now with no issues. If anyone wants to try it, it's located here: Custom Chkrootkit. Feel free to comment in that thread about it, and if you have any suggestions, please leave them. Thank you!