Passwd Infected Chkrootkit

k2tec

Well-Known Member
After the last update I have the following problem on my VPS servers running:
WHM 11.46.0 (build 12)
Chkrootkit 0.50
Checking `passwd'... INFECTED

06-11-2014
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... INFECTED
Checking `pidof'... not infected
Before update
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
This has come up after the last update.

Is this a false positive?
 

cPanelMichael

Administrator
Staff member
Hello :)

It's very likely a false positive, however you may want to review your system for any additional signs of an exploit. Check the md5sum of the /bin/passwd file (it should be a symbolic link to /usr/local/cpanel/bin/jail_safe_passwd on CentOS 6 systems) to see if it matches up with what's provided by cPanel.

Thank you.
 

cPanelMichael

Administrator
Staff member
The checksum matches the file as provided by cPanel in an archived form at:

Code:
http://httpupdate.cpanel.net/cpanelsync/11.46.0.12/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2
Thank you.
 

zodiac9797

Active Member
After the last update I have the following problem on my VPS servers running:
WHM 11.46.0 (build 12)
Chkrootkit 0.50
Checking `passwd'... INFECTED

06-11-2014

Before update

This has come up after the last update.

Is this a false positive?

I can see this warning on all of our dedicated servers since last update to WHM 11.46.0

I guess it's a false warning. It is hard to believe that all of our servers were compromised on the same date. :)
 

mbressman

Active Member
Same thing here - prior to 11/6 it wasn't showing 'passwd' as infected, and then all of a sudden on 11/6's nightly email and thereafter it started showing 'passwd' as infected. I have my WHM updates set to "RELEASE" and it seems likely that WHM updated itself right around then, which could account for this, right? How can I check to see if that's when WHM performed its update?

Also - any ideas if CHKROOTKIT will be fixed/updated anytime soon to correct this?

Thanks!
 

cPanelMichael

Administrator
Staff member
The cPanel update logs are stored in:

/var/cpanel/updatelogs/

Chkrootkit is a third-party application that's not developed by cPanel, so you may want to get in touch with its developers or mailing list to report the issue.

Thank you.
 

cre8gr

Member
Hello,

Today the VPS company I'm hosted with said that some files were infected in my /tmp/webalizer and /tmp/awstats. After I ran maldet and cleaned those files, I said let's see what chkrootkit will find, and boom, it said passwd INFECTED.

I then ran md5sum and that's what I got for the /usr/local/cpanel/bin/jail_safe_passwd: 7ed882d987f8ad62f53d322091ae3241. Is this OK?

I forgot to mention my cPanel version is WHM 11.46.0 (build 21).
 

cPanelMichael

Administrator
Staff member
I forgot to mention my cPanel version is WHM 11.46.0 (build 21).
Please post the output from the following command:

Code:
arch
Thank you.
 

cPanelMichael

Administrator
Staff member
I then ran md5sum and that's what I got for the /usr/local/cpanel/bin/jail_safe_passwd: 7ed882d987f8ad62f53d322091ae3241. Is this OK?
Yes, this matches the file from our update servers for your architecture. You can test this on your own in the future with commands such as:

Code:
mkdir /root/testing
cd /root/testing
wget http://httpupdate.cpanel.net/cpanelsync/11.46.0.22/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2
bzip2 -d jail_safe_passwd.bz2
md5sum jail_safe_passwd
Note the download URL will change depending on your version number, system architecture, and OS.

Thank you.
 
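As an added example (not cPanel's code and not the commands from this thread), the following POSIX shell script packages the checks discussed in this post and the earlier ones: building the cpanelsync download URL from your version, OS tag and architecture, resolving where /bin/passwd points (it should be the jail_safe_passwd symlink on CentOS 6), and comparing a file's md5sum with a reference value, including reading the checksum straight out of the .bz2 archive without decompressing it to disk. The version, OS tag and architecture values are placeholders you must replace with your own, and the sample file and checksum in the demo section are constructed; a real comparison still needs the archive downloaded for your own version and architecture.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling. Checks a local jail_safe_passwd the way the
# thread describes (symlink target, md5sum, reference URL) and touches nothing else.
# VERSION/OS/ARCH below are placeholders; the demo file and its checksum are constructed.
set -e

# Build the cpanelsync download URL from version, OS tag (c5/c6) and arch (i386/x86_64),
# following the URL pattern quoted in this thread.
jail_safe_passwd_url() {
    printf 'http://httpupdate.cpanel.net/cpanelsync/%s/binaries/linux-%s-%s/bin/jail_safe_passwd.bz2\n' "$1" "$2" "$3"
}

# Print the canonical path a file resolves to (follows the /bin/passwd symlink chain).
resolve_target() {
    readlink -f "$1"
}

# Print the md5 of a plain file.
md5_of_file() {
    md5sum "$1" | awk '{print $1}'
}

# Print the md5 of the uncompressed content of a .bz2 archive, without writing the
# decompressed binary to disk (same result as bzip2 -d followed by md5sum).
md5_of_bz2() {
    bzip2 -dc "$1" | md5sum | awk '{print $1}'
}

# Compare a file's md5 with an expected value; returns 0 on match, 1 otherwise.
verify_md5() {
    actual=$(md5_of_file "$1")
    if [ "$actual" = "$2" ]; then
        echo "MATCH    $1 $actual"
        return 0
    fi
    echo "MISMATCH $1 $actual (expected $2)"
    return 1
}

# --- demo on constructed data (runs anywhere, needs no network) ---
tmp=$(mktemp -d)
printf 'hello\n' > "$tmp/sample"
# b1946ac9... is the md5 of the literal text "hello\n"
verify_md5 "$tmp/sample" b1946ac92492d2347c6235b4d2611184
verify_md5 "$tmp/sample" 00000000000000000000000000000000 || true   # shows a mismatch
rm -rf "$tmp"

# --- real check, only if the cPanel binary is present on this host ---
# Replace the placeholders with your own values, download the archive the URL points at,
# then compare md5_of_bz2 on the archive with md5_of_file on the resolved target.
echo "reference archive: $(jail_safe_passwd_url VERSION_PLACEHOLDER c6 x86_64)"
if [ -e /bin/passwd ]; then
    echo "/bin/passwd resolves to: $(resolve_target /bin/passwd)"
    echo "local md5: $(md5_of_file "$(resolve_target /bin/passwd)")"
fi
```

The symlink check matters as much as the checksum: comparing /usr/local/cpanel/bin/jail_safe_passwd against the archive proves that one file is intact, but only resolve_target tells you whether /bin/passwd still points at it. Run the comparison against the archive for your exact version and architecture, since the URL (and the checksum) changes with both, as the post above notes.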

cPanelMichael

Administrator
Staff member
My checksums do not match so can i simply move the downloaded copy over the /usr/local/cpanel/bin/jail_safe_passwd and be safe again?
Hello :)

What OS is installed on your server?

Thank you.
 

cPanelMichael

Administrator
Staff member
New CENTOS 5.11 i686 standard the specifics from uname are:
You are using the wrong URL if CentOS 5 is installed on your system. The correct URL is:

Code:
http://httpupdate.cpanel.net/cpanelsync/11.50.1.1/binaries/linux-c5-i386/bin/jail_safe_passwd.bz2
Thank you.
 

cPanelMichael

Administrator
Staff member
[email protected] [~/chkrootkit-0.50]# md5sum /bin/passwd
792964343f6f916d8025bf9b1eb1e839 /bin/passwd
[email protected] [~/chkrootkit-0.50]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
f3b065b4354be16b83ecdef71da622b8 /usr/local/cpanel/bin/jail_safe_passwd
[email protected] [~/chkrootkit-0.50]#
Hello,

Could you elaborate on the context of this post? For instance, what issue are you attempting to address, or what particular information are you attempting to verify?

Thank you.