Since 56.0.13, passwd hashes do not match
Because Chkrootkit pretty much always flags the /usr/bin/passwd file as being infected, I have written a script that implements the solution found on this site: crybit.com/passwd-infected-chkrootkit/. The script basically detects my current cPanel version and downloads a fresh version of the jail_safe_passwd.xz file from the cPanel repository. It then compares the hash for this file to my local /usr/bin/passwd hash, and lets me know whether they match.
All was fine up to 11.56.0.9, but on May 05 after the update to 11.56.0.13, the hashes no longer match. This has continued to be the case all the way up to the latest 11.56.0.18 update:
May 04 (HASHES MATCH)
cPanel version: 11.56.0.9
Local md5sum: f8f9bbb9f1d7b546b0b54f1be42210e9
Fresh md5sum: f8f9bbb9f1d7b546b0b54f1be42210e9
May 05
cPanel version: 11.56.0.13
Local md5sum: 792964343f6f916d8025bf9b1eb1e839
Fresh md5sum: 7b816cf48ff37d1e2a8c69a9a5b0a776
May 07
cPanel version: 11.56.0.14
Local md5sum: 792964343f6f916d8025bf9b1eb1e839
Fresh md5sum: 7b816cf48ff37d1e2a8c69a9a5b0a776
May 17
cPanel version: 11.56.0.16
Local md5sum: 792964343f6f916d8025bf9b1eb1e839
Fresh md5sum: 5a435d5cb6175c5fd9a3135d988e47fb
May 18
cPanel version: 11.56.0.17
Local md5sum: 792964343f6f916d8025bf9b1eb1e839
Fresh md5sum: 5a435d5cb6175c5fd9a3135d988e47fb
May 20
cPanel version: 11.56.0.18
Local md5sum: 792964343f6f916d8025bf9b1eb1e839
Fresh md5sum: 81ccb41e7ee6f41f0b63fa08e779f929
As you can see, the mismatch started with 11.56.0.13 and though the repository's file continues to change, the local passwd file is still the same. On the same date, May 05, RootkitHunter reported the following:
Warning: The file properties have changed:
File: /usr/bin/passwd
Current hash: 393d9501a912121cc09928ae69bfe34b9bfbb690
Stored hash : 999060eabb2a4e0c4d55d4fee7f45d7c247515a0
Current permissions: 4755 Stored permissions: 0777
Current inode: 53236435 Stored inode: 53236521
Current size: 27832 Stored size: 38
Current file modification time: 1402381676 (10-Jun-2014 02:27:56)
Stored file modification time : 1455918788 (19-Feb-2016 16:53:08)
Warning: The file '/usr/local/bin/passwd' exists on the system, but it is not present in the 'rkhunter.dat' file.

If I do an md5sum on /usr/local/bin/passwd, it matches the hash from the 11.56.0.18 file on the repository. So I have a couple of questions here:
- Why the permissions change on /usr/bin/passwd? And why not keep it updated to the jail_safe_passwd in the system?
- Why the addition of /usr/local/bin/passwd with 11.56.0.13, and why is that the passwd file being kept up to date now?
Any chance this might get looked at, cPanel Staff? :-)
May 26
cPanel version: 11.56.0.21
Local md5sum: 792964343f6f916d8025bf9b1eb1e839
Fresh md5sum: 81ccb41e7ee6f41f0b63fa08e779f929
Any chance this might get looked at, cPanel Staff? :)
Sure thing, feel free to open a ticket directly to cPanel Technical Support! :)
Sure thing, feel free to open a ticket directly to cPanel Technical Support! :)
If I did that it would be assuming that there was something wrong with cPanel rather than something wrong locally. That's part of the answer I was expecting here, in this forum, before stepping it up to Technical Support. But ok, if that's the only reply I'll get here, then I'll go there. o_O
Ok, after a bit more investigation and some help from my host, we've been able to determine that since cPanel version 11.56.0.13, the /usr/bin/passwd file is now equivalent to the file in the main CentOS repository. You can verify this by running "yum whatprovides /usr/bin/passwd":

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.sonic.net
 * extras: mirror.hmc.edu
 * updates: lug.mtu.edu
passwd-0.79-4.el7.x86_64 : An utility for setting or changing passwords using PAM
Repo        : base
Matched from:
Filename    : /usr/bin/passwd

passwd-0.79-4.el7.x86_64 : An utility for setting or changing passwords using PAM
Repo        : installed
Matched from:
Filename    : /usr/bin/passwd
The /usr/local/bin/passwd file is now the one being kept in sync with the cPanel repo's jail_safe_passwd.xz file. I've adjusted my script so that it checks those md5sums against each other. Since I also want to be able to keep an eye on /usr/bin/passwd to make sure it isn't changed, I've incorporated the "rpm -V passwd" command into my script, as well. This will flag any discrepancies between the local passwd file and the repository it comes from. Now the script outputs the following:

CentOS version: 7
cPanel version: 11.56.0.21
-------------------- PASSWD FILE MD5 HASH --------------------
Downloading http://httpupdate.cpanel.net/cpanelsync/11.56.0.21/binaries/linux-c7-x86_64/bin/jail_safe_passwd.xz...
Local md5sum: 81ccb41e7ee6f41f0b63fa08e779f929 [/usr/local/bin/passwd]
Fresh md5sum: 81ccb41e7ee6f41f0b63fa08e779f929 [jail_safe_passwd.xz]
==> HASHES MATCH
Removing downloaded file...
------------------- YUM WARNINGS -------------------
.......T. c /etc/pam.d/passwd
------------------- CHKROOTKIT WARNINGS -------------------
Hopefully this will help anyone else who actively checks their passwd files against tampering and who is puzzled by this change.
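The poster never shows the script itself, only its output. The following is an added example, written for this thread and not the poster's code, of the check described in the first post and in the update above: look up the running cPanel version, fetch jail_safe_passwd.xz for that version from the cpanelsync URL shown in the output, compare its md5 with the local /usr/local/bin/passwd, and run "rpm -V passwd" for /usr/bin/passwd. It assumes (not confirmed anywhere in the thread) that the version string is readable from /usr/local/cpanel/version, that the .xz file has to be decompressed before its md5 is compared with the local binary (the matching hashes in the output imply this), and that curl and xz are installed. The script name check_passwd.sh and all function names are made up here.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions (not confirmed by the thread):
#   - the running cPanel version is readable from /usr/local/cpanel/version
#   - the repo file is xz-compressed and is decompressed before hashing
#   - curl and xz are installed
CPANEL_VERSION_FILE=/usr/local/cpanel/version
CPANEL_SYNC_BASE=http://httpupdate.cpanel.net/cpanelsync   # URL layout shown in the thread

# md5 of one file; coreutils md5sum, or BSD md5 as a fallback
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# Build the repo URL for a version string such as 11.56.0.21
jail_safe_passwd_url() {
    echo "$CPANEL_SYNC_BASE/$1/binaries/linux-c7-x86_64/bin/jail_safe_passwd.xz"
}

# Download and decompress the repo copy into the file named by $2 (needs network)
fetch_jail_safe_passwd() {
    url=$(jail_safe_passwd_url "$1")
    echo "Downloading $url..."
    curl -fsSL "$url" | xz -dc > "$2"
}

# Compare two already-decompressed files by md5, printing both hashes in the
# thread's format. Returns 0 on match, 1 on mismatch.
passwd_hash_check() {
    local_sum=$(file_md5 "$1")
    fresh_sum=$(file_md5 "$2")
    echo "Local md5sum: $local_sum [$1]"
    echo "Fresh md5sum: $fresh_sum [jail_safe_passwd]"
    if [ "$local_sum" = "$fresh_sum" ]; then
        echo "==> HASHES MATCH"
        return 0
    fi
    echo "==> HASHES DO NOT MATCH"
    return 1
}

# Classify one line of `rpm -V passwd` output. The nine flag columns are
# S M 5 D L U G T P; a "5" means the file's digest differs from the package,
# which is the result that matters for /usr/bin/passwd. The ".......T. c"
# line in the thread is only an mtime change on a config file.
rpm_verify_line_is_content_change() {
    flags=$(printf '%s' "$1" | cut -c1-9)
    case "$flags" in
        *5*) return 0 ;;
        *)   return 1 ;;
    esac
}

main() {
    ver=$(cat "$CPANEL_VERSION_FILE")
    echo "cPanel version: $ver"
    tmp=$(mktemp)
    fetch_jail_safe_passwd "$ver" "$tmp"
    passwd_hash_check /usr/local/bin/passwd "$tmp"
    rm -f "$tmp"
    echo "------------------- RPM VERIFY -------------------"
    rpm -V passwd | while IFS= read -r line; do
        if rpm_verify_line_is_content_change "$line"; then
            echo "CONTENT CHANGED: $line"
        else
            echo "$line"
        fi
    done
}

# Run only when executed as check_passwd.sh, so the functions can be sourced
if [ "${0##*/}" = "check_passwd.sh" ]; then
    main
fi
```

Both the local and the repo copy are hashed after decompression, so a match means byte-identical binaries; a bare "T" from rpm -V on /etc/pam.d/passwd, as in the output above, is a timestamp change and not a content change, whereas a "5" on /usr/bin/passwd would be.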
Hello, I'm happy to see you were able to find an answer to your question. Thank you for updating this thread with the outcome.