The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Passwd Infected Chkrootkit

Discussion in 'Security' started by k2tec, Nov 6, 2014.

Page 1 of 2
  1. k2tec

    k2tec Well-Known Member

    Joined:
    Aug 26, 2011
    Messages:
    95
    Likes Received:
    2
    Trophy Points:
    58
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    After last update I have the following probleme on my VPS servers running.
    WHM 11.46.0 (build 12)
    Chkrootkit 0.50
    Checking `passwd'... INFECTED

    06-11-2014
    Before update
    This has come up after the last update.

    Is this a false positive?
     
    #1 k2tec, Nov 6, 2014
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    35,630
    Likes Received:
    1,136
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    It's very likely a false positive, however you may want to review your system for any additional signs of an exploit. Check the md5sum of the /bin/passwd file (it should be a symbolic link to /usr/local/cpanel/bin/jail_safe_passwd) to see if it matches up with what's provided by cPanel.

    Thank you.
     
    #2 cPanelMichael, Nov 6, 2014
  3. k2tec

    k2tec Well-Known Member

    Joined:
    Aug 26, 2011
    Messages:
    95
    Likes Received:
    2
    Trophy Points:
    58
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Thanks for the reply
    How do I check this to cpanels md5sum.txt
     
    #3 k2tec, Nov 6, 2014
    Last edited: Nov 7, 2014
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    35,630
    Likes Received:
    1,136
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    The checksum matches the file as provided by cPanel in an archived form at:

    Code:
    http://httpupdate.cpanel.net/cpanelsync/11.46.0.12/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2
    Thank you.
     
    #4 cPanelMichael, Nov 6, 2014
  5. k2tec

    k2tec Well-Known Member

    Joined:
    Aug 26, 2011
    Messages:
    95
    Likes Received:
    2
    Trophy Points:
    58
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Okay they match, so it is a false positive.
    Thanks Michael.
     
    #5 k2tec, Nov 7, 2014
  6. zodiac9797

    zodiac9797 Member

    Joined:
    Apr 17, 2011
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    51

    I can see this warning on all of our dedicated servers since last update to WHM 11.46.0

    I quess it's a false warning. It is hard to believe that all of our servers were compromised on the same date. :)
     
    #6 zodiac9797, Nov 7, 2014
  7. mbressman

    mbressman Active Member

    Joined:
    Jan 31, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    151
    Same thing here - prior to 11/6 it wasn't showing 'passwd' as infected, and then all of a sudden on 11/6's nightly email and thereafter it started showing 'passwd' as infected. I have my WHM updates set to "RELEASE" and it seems likely that WHM updated itself right around then which could account for this, right? How can I check to see if that's when WHM performed it's update?

    Also - any ideas if CHKROOTKIT will be fixed/updated anytime soon to correct this?

    Thanks!
     
    #7 mbressman, Nov 12, 2014
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    35,630
    Likes Received:
    1,136
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    The cPanel update logs are stored in:

    /var/cpanel/updatelogs/

    Chkrootkit is a third-party application that's not developed by cPanel, so you may want to get in touch with it's developers or mailing list to report the issue.

    Thank you.
     
    #8 cPanelMichael, Nov 12, 2014
  9. cre8gr

    cre8gr Member

    Joined:
    Nov 5, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    Today the VPS company I'm hosted said that some files were infected in my /tmp/webalizer and /tmp/awstats. After I run maldet I cleaned those files and I said let's see what chkrootkit will find and boom it said passwd INFECTED.

    I then ran md5sum and that's what I got for the /usr/local/cpanel/bin/jail_safe_passwd: 7ed882d987f8ad62f53d322091ae3241. Is this OK?

    - - - Updated - - -

    I forgot to mention my cPanel version is WHM 11.46.0 (build 21).
     
    #9 cre8gr, Dec 9, 2014
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    35,630
    Likes Received:
    1,136
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Please post the output from the following command:

    Code:
    arch
    Thank you.
     
    #10 cPanelMichael, Dec 9, 2014
  11. cre8gr

    cre8gr Member

    Joined:
    Nov 5, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    The output is: x86_64
     
    #11 cre8gr, Dec 10, 2014
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    35,630
    Likes Received:
    1,136
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Yes, this matches the file from our update servers for your architecture. You can test this on your own in the future with commands such as:

    Code:
    mkdir /root/testing
cd /root/testing
wget http://httpupdate.cpanel.net/cpanelsync/11.46.0.22/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2
bzip2 -d jail_safe_passwd.bz2
md5sum jail_safe_passwd
    Note the download URL will change depending on your version number, system architecture, and OS.

    Thank you.
     
    #12 cPanelMichael, Dec 10, 2014
  13. spyke01

    spyke01 Member

    Joined:
    Sep 24, 2013
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    #13 spyke01, Aug 18, 2015
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    35,630
    Likes Received:
    1,136
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    What OS is installed on your server?

    Thank you.
     
    #14 cPanelMichael, Aug 18, 2015
  15. spyke01

    spyke01 Member

    Joined:
    Sep 24, 2013
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    CENTOS 5.11 i686 standard the specifics from uname are:

     
    #15 spyke01, Aug 18, 2015
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    35,630
    Likes Received:
    1,136
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    You are using the wrong URL if CentOS 5 is installed on your system. The correct URL is:

    Code:
    http://httpupdate.cpanel.net/cpanelsync/11.50.1.1/binaries/linux-c5-i386/bin/jail_safe_passwd.bz2
    Thank you.
     
    #16 cPanelMichael, Aug 18, 2015
  17. spyke01

    spyke01 Member

    Joined:
    Sep 24, 2013
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Awesome thanks, looks like it was a false positive.
     
    #17 spyke01, Aug 18, 2015
  18. UHLHosting

    UHLHosting Well-Known Member

    Joined:
    Sep 26, 2014
    Messages:
    53
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Bratislava
    cPanel Access Level:
    Root Administrator
    Twitter:
    root@panel [~/chkrootkit-0.50]# md5sum /bin/passwd
    792964343f6f916d8025bf9b1eb1e839 /bin/passwd
    root@panel [~/chkrootkit-0.50]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
    f3b065b4354be16b83ecdef71da622b8 /usr/local/cpanel/bin/jail_safe_passwd
    root@panel [~/chkrootkit-0.50]#
     
    #18 UHLHosting, Jul 29, 2016
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    35,630
    Likes Received:
    1,136
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you elaborate on the context of this post? For instance, what issue are you attempting to address, or what particular information are you attempting to verify?

    Thank you.
     
    #19 cPanelMichael, Jul 29, 2016
  20. UHLHosting

    UHLHosting Well-Known Member

    Joined:
    Sep 26, 2014
    Messages:
    53
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Bratislava
    cPanel Access Level:
    Root Administrator
    Twitter:
    If my passwd is infected, so as chkrootkit say it is.
     
    #20 UHLHosting, Jul 29, 2016
(You must log in or sign up to post here.)
Page 1 of 2
Loading...
Similar Threads - Passwd Infected Chkrootkit
  1. jaheller

    passwdpop() function strength rating

    jaheller, Jun 12, 2017, in forum: cPanel Developers
    Replies:
    1
    Views:
    50
    cPanelMichael
    Jun 13, 2017
  2. gn0s1s

    Since 56.0.13, passwd hashes do not match

    gn0s1s, May 22, 2016, in forum: cPanel Developers
    Replies:
    6
    Views:
    572
    cPanelMichael
    Jun 2, 2016
  3. Justin Wanstall

    Global passwd file?

    Justin Wanstall, Feb 12, 2016, in forum: General Discussion
    Replies:
    2
    Views:
    356
    cPanelMichael
    Feb 15, 2016
  4. Serge SX

    passwdpop function (cPanel API2) question

    Serge SX, Jan 13, 2016, in forum: cPanel Developers
    Replies:
    2
    Views:
    569
    Serge SX
    Jan 13, 2016
  5. epanagio

    lfd /bin/passwd: FAILED

    epanagio, Oct 22, 2015, in forum: General Discussion
    Replies:
    6
    Views:
    913
    cPanelMichael
    Mar 22, 2017

Share This Page