Checking passwd md5
1- The download for jail_safe_passwd.bz2 is now a .xz, correct?
2- Downloaded:
wget http://httpupdate.cpanel.net/cpanelsync/11.68.0.21/binaries/linux-c7-x86_64/bin/jail_safe_passwd.xz
Based on: CentOS 7.4, WHM 68.0.21
# arch
x86_64
Correct?
---------------
Then I checked these:
# md5sum /root/test/jail_safe_passwd
77d6231844a183b7e44234f42e6b636f jail_safe_passwd
# md5sum /usr/local/cpanel/bin/jail_safe_passwd
77d6231844a183b7e44234f42e6b636f /usr/local/cpanel/bin/jail_safe_passwd
# md5sum /bin/passwd
792964343f6f916d8025bf9b1eb1e839 /bin/passwd
Contrary to what I read on this forum in older posts, /bin/passwd is NOT a symlink to /usr/local/cpanel/bin/jail_safe_passwd. Has this changed, or else what might be the cause? (This is all prompted by chkrootkit-0.52 reporting "Checking `passwd'... INFECTED", which is a known common false positive, but now I'm concerned. Today is the first time it has reported this, and the only thing I know of that changed was updating rkhunter from 1.4.2 to 1.4.4.)
Hello, Yes, that's the correct archive location for that file from our download mirrors. The MD5 checksums you provided match a test system running CentOS 7.4 and cPanel 68.0.21:
# md5sum /bin/passwd
792964343f6f916d8025bf9b1eb1e839 /bin/passwd
# md5sum /usr/local/cpanel/bin/jail_safe_passwd
77d6231844a183b7e44234f42e6b636f /usr/local/cpanel/bin/jail_safe_passwd
These are two separate files. Thank you.
These are two separate files.
Thanks. You missed my second question. From Passwd Infected Chkrootkit: "Check the md5sum of the /bin/passwd file (it should be a symbolic link to /usr/local/cpanel/bin/jail_safe_passwd)..." Was that statement an error, or has this changed?
-Pete
Hello Pete, It's the case with CentOS 6.x, but it's not applicable to CentOS 7.x. I've updated that post to reflect that information. Thank you.
Thanks for the clarification! :)
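The manual check from this thread, wrapped as a shell function (an added example, not part of the original thread and not cPanel tooling): it reports whether a path is a symlink (the CentOS 6.x layout) or a separate file (CentOS 7.x), resolves it, and compares its MD5 to a reference you supply. The names `check_binary` and `file_md5` are hypothetical; the checksum in the usage comment is the one quoted in the staff reply above.

```shell
#!/bin/sh
# Added example. Usage (reference value taken from the staff reply in the thread,
# valid for CentOS 7.4 / cPanel 68.0.21 only):
#   sh check_binary.sh /bin/passwd 792964343f6f916d8025bf9b1eb1e839

# Print only the digest column of md5sum's output.
file_md5() {
    md5sum "$1" | awk '{print $1}'
}

# check_binary PATH EXPECTED_MD5
# Returns 0 on match, 1 on mismatch, 2 if the path (or its symlink target) is missing.
check_binary() {
    path=$1
    expected=$2
    if [ -L "$path" ]; then
        kind="symlink"
        # Follow the whole link chain to the real file that would be executed.
        target=$(readlink -f "$path") || target=""
    else
        kind="file"
        target=$path
    fi
    if [ -z "$target" ] || [ ! -f "$target" ]; then
        echo "MISSING $kind $path"
        return 2
    fi
    actual=$(file_md5 "$target")
    if [ "$actual" = "$expected" ]; then
        echo "MATCH $kind $path -> $target $actual"
        return 0
    fi
    echo "MISMATCH $kind $path -> $target $actual (expected $expected)"
    return 1
}

# Run only when called with exactly two arguments: PATH and EXPECTED_MD5.
if [ "$#" -eq 2 ]; then
    check_binary "$1" "$2"
fi
```

The reference checksum has to come from a source you trust for the exact OS and cPanel build, such as the vendor mirror or a known-clean system of the same version, as was done in the thread.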