Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Passwd Infected Chkrootkit

Discussion in 'Security' started by k2tec, Nov 6, 2014.

Page 1 of 2
  1. k2tec

    k2tec Well-Known Member

    Joined:
    Aug 26, 2011
    Messages:
    98
    Likes Received:
    3
    Trophy Points:
    58
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    After last update I have the following probleme on my VPS servers running.
    WHM 11.46.0 (build 12)
    Chkrootkit 0.50
    Checking `passwd'... INFECTED

    06-11-2014
    Before update
    This has come up after the last update.

    Is this a false positive?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 k2tec, Nov 6, 2014
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,617
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    It's very likely a false positive, however you may want to review your system for any additional signs of an exploit. Check the md5sum of the /bin/passwd file (it should be a symbolic link to /usr/local/cpanel/bin/jail_safe_passwd on CentOS 6 systems) to see if it matches up with what's provided by cPanel.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, Nov 6, 2014
    Last edited: Jan 3, 2018
  3. k2tec

    k2tec Well-Known Member

    Joined:
    Aug 26, 2011
    Messages:
    98
    Likes Received:
    3
    Trophy Points:
    58
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Thanks for the reply
    How do I check this to cpanels md5sum.txt
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 k2tec, Nov 6, 2014
    Last edited: Nov 7, 2014
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,617
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    The checksum matches the file as provided by cPanel in an archived form at:

    Code:
    http://httpupdate.cpanel.net/cpanelsync/11.46.0.12/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2
    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelMichael, Nov 6, 2014
  5. k2tec

    k2tec Well-Known Member

    Joined:
    Aug 26, 2011
    Messages:
    98
    Likes Received:
    3
    Trophy Points:
    58
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Okay they match, so it is a false positive.
    Thanks Michael.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 k2tec, Nov 7, 2014
  6. zodiac9797

    zodiac9797 Member

    Joined:
    Apr 17, 2011
    Messages:
    17
    Likes Received:
    3
    Trophy Points:
    53

    I can see this warning on all of our dedicated servers since last update to WHM 11.46.0

    I quess it's a false warning. It is hard to believe that all of our servers were compromised on the same date. :)
     
    #6 zodiac9797, Nov 7, 2014
  7. mbressman

    mbressman Active Member

    Joined:
    Jan 31, 2006
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    151
    Same thing here - prior to 11/6 it wasn't showing 'passwd' as infected, and then all of a sudden on 11/6's nightly email and thereafter it started showing 'passwd' as infected. I have my WHM updates set to "RELEASE" and it seems likely that WHM updated itself right around then which could account for this, right? How can I check to see if that's when WHM performed it's update?

    Also - any ideas if CHKROOTKIT will be fixed/updated anytime soon to correct this?

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 mbressman, Nov 12, 2014
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,617
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    The cPanel update logs are stored in:

    /var/cpanel/updatelogs/

    Chkrootkit is a third-party application that's not developed by cPanel, so you may want to get in touch with it's developers or mailing list to report the issue.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 cPanelMichael, Nov 12, 2014
  9. cre8gr

    cre8gr Member

    Joined:
    Nov 5, 2014
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    Today the VPS company I'm hosted said that some files were infected in my /tmp/webalizer and /tmp/awstats. After I run maldet I cleaned those files and I said let's see what chkrootkit will find and boom it said passwd INFECTED.

    I then ran md5sum and that's what I got for the /usr/local/cpanel/bin/jail_safe_passwd: 7ed882d987f8ad62f53d322091ae3241. Is this OK?

    - - - Updated - - -

    I forgot to mention my cPanel version is WHM 11.46.0 (build 21).
     
    #9 cre8gr, Dec 9, 2014
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,617
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Please post the output from the following command:

    Code:
    arch
    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #10 cPanelMichael, Dec 9, 2014
  11. cre8gr

    cre8gr Member

    Joined:
    Nov 5, 2014
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    The output is: x86_64
     
    #11 cre8gr, Dec 10, 2014
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,617
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Yes, this matches the file from our update servers for your architecture. You can test this on your own in the future with commands such as:

    Code:
    mkdir /root/testing
cd /root/testing
wget http://httpupdate.cpanel.net/cpanelsync/11.46.0.22/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2
bzip2 -d jail_safe_passwd.bz2
md5sum jail_safe_passwd
    Note the download URL will change depending on your version number, system architecture, and OS.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #12 cPanelMichael, Dec 10, 2014
  13. spyke01

    spyke01 Member

    Joined:
    Sep 24, 2013
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    #13 spyke01, Aug 18, 2015
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,617
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    What OS is installed on your server?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #14 cPanelMichael, Aug 18, 2015
  15. spyke01

    spyke01 Member

    Joined:
    Sep 24, 2013
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    CENTOS 5.11 i686 standard the specifics from uname are:

     
    #15 spyke01, Aug 18, 2015
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,617
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    You are using the wrong URL if CentOS 5 is installed on your system. The correct URL is:

    Code:
    http://httpupdate.cpanel.net/cpanelsync/11.50.1.1/binaries/linux-c5-i386/bin/jail_safe_passwd.bz2
    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #16 cPanelMichael, Aug 18, 2015
  17. spyke01

    spyke01 Member

    Joined:
    Sep 24, 2013
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Awesome thanks, looks like it was a false positive.
     
    #17 spyke01, Aug 18, 2015
  18. UHLHosting

    UHLHosting Well-Known Member

    Joined:
    Sep 26, 2014
    Messages:
    58
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Bratislava
    cPanel Access Level:
    Root Administrator
    Twitter:
    root@panel [~/chkrootkit-0.50]# md5sum /bin/passwd
    792964343f6f916d8025bf9b1eb1e839 /bin/passwd
    root@panel [~/chkrootkit-0.50]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
    f3b065b4354be16b83ecdef71da622b8 /usr/local/cpanel/bin/jail_safe_passwd
    root@panel [~/chkrootkit-0.50]#
     
    #18 UHLHosting, Jul 29, 2016
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,617
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you elaborate on the context of this post? For instance, what issue are you attempting to address, or what particular information are you attempting to verify?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #19 cPanelMichael, Jul 29, 2016
  20. UHLHosting

    UHLHosting Well-Known Member

    Joined:
    Sep 26, 2014
    Messages:
    58
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Bratislava
    cPanel Access Level:
    Root Administrator
    Twitter:
    If my passwd is infected, so as chkrootkit say it is.
     
    #20 UHLHosting, Jul 29, 2016
(You must log in or sign up to post here.)
Page 1 of 2
Loading...
Similar Threads - Passwd Infected Chkrootkit
  1. PeteS

    Checking passwd md5

    PeteS, Dec 30, 2017, in forum: Security
    Replies:
    4
    Views:
    247
    PeteS
    Jan 3, 2018
  2. Henry Aspden

    What is /tmp/passwd-reset.sh ?

    Henry Aspden, Dec 15, 2017, in forum: Security
    Replies:
    5
    Views:
    250
    quizknows
    Dec 15, 2017
  3. weeming21

    SOLVED api token passwd problem

    weeming21, Dec 7, 2017, in forum: cPanel Developers
    Replies:
    5
    Views:
    288
    cPanelMichael
    Dec 8, 2017
  4. gramzon

    All e-mail accounts have the same UID in passwd file

    gramzon, Dec 4, 2017, in forum: E-mail Discussion
    Replies:
    2
    Views:
    191
    cPanelMichael
    Dec 4, 2017
  5. jaheller

    passwdpop() function strength rating

    jaheller, Jun 12, 2017, in forum: cPanel Developers
    Replies:
    1
    Views:
    480
    cPanelMichael
    Jun 13, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice