Passwd Infected Chkrootkit

[k2tec]

After last update I have the following probleme on my VPS servers running.
WHM 11.46.0 (build 12)
Chkrootkit 0.50
Checking `passwd'... INFECTED

06-11-2014

Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... INFECTED
Checking `pidof'... not infected

Before update

Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected

This has come up after the last update.

Is this a false positive?

 

[cPanelMichael]

Hello

It's very likely a false positive, however you may want to review your system for any additional signs of an exploit. Check the md5sum of the /bin/passwd file (it should be a symbolic link to /usr/local/cpanel/bin/jail_safe_passwd on CentOS 6 systems) to see if it matches up with what's provided by cPanel.

Thank you.

 

[k2tec]

Thanks for the reply
How do I check this to cpanels md5sum.txt

ps [~]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
bddb53aea267eeb5b55a87 /usr/local/cpanel/bin/jail_safe_passwd

 

[cPanelMichael]

The checksum matches the file as provided by cPanel in an archived form at:

http://httpupdate.cpanel.net/cpanelsync/11.46.0.12/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2

Thank you.

 

[k2tec]

Okay they match, so it is a false positive.
Thanks Michael.

 

[zodiac9797]

After last update I have the following probleme on my VPS servers running.
WHM 11.46.0 (build 12)
Chkrootkit 0.50
Checking `passwd'... INFECTED

06-11-2014


Before update


This has come up after the last update.

Is this a false positive?

I can see this warning on all of our dedicated servers since last update to WHM 11.46.0

I quess it's a false warning. It is hard to believe that all of our servers were compromised on the same date.

 

[mbressman]

Same thing here - prior to 11/6 it wasn't showing 'passwd' as infected, and then all of a sudden on 11/6's nightly email and thereafter it started showing 'passwd' as infected. I have my WHM updates set to "RELEASE" and it seems likely that WHM updated itself right around then which could account for this, right? How can I check to see if that's when WHM performed it's update?

Also - any ideas if CHKROOTKIT will be fixed/updated anytime soon to correct this?

Thanks!

 

[cPanelMichael]

The cPanel update logs are stored in:

/var/cpanel/updatelogs/

Chkrootkit is a third-party application that's not developed by cPanel, so you may want to get in touch with it's developers or mailing list to report the issue.

Thank you.

 

[cre8gr]

Hello,

Today the VPS company I'm hosted said that some files were infected in my /tmp/webalizer and /tmp/awstats. After I run maldet I cleaned those files and I said let's see what chkrootkit will find and boom it said passwd INFECTED.

I then ran md5sum and that's what I got for the /usr/local/cpanel/bin/jail_safe_passwd: 7ed882d987f8ad62f53d322091ae3241. Is this OK?

- - - Updated - - -

I forgot to mention my cPanel version is WHM 11.46.0 (build 21).

 

[cPanelMichael]

I forgot to mention my cPanel version is WHM 11.46.0 (build 21).

Please post the output from the following command:

arch

Thank you.

 

[cre8gr]

The output is: x86_64

 

[cPanelMichael]

I then ran md5sum and that's what I got for the /usr/local/cpanel/bin/jail_safe_passwd: 7ed882d987f8ad62f53d322091ae3241. Is this OK?

Yes, this matches the file from our update servers for your architecture. You can test this on your own in the future with commands such as:

mkdir /root/testing
cd /root/testing
wget http://httpupdate.cpanel.net/cpanelsync/11.46.0.22/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2
bzip2 -d jail_safe_passwd.bz2
md5sum jail_safe_passwd

Note the download URL will change depending on your version number, system architecture, and OS.

Thank you.

 

[spyke01]

For arch i686 would the URL for 11.50.1.1 be:

http://httpupdate.cpanel.net/cpanelsync/11.50.1.1/binaries/linux-c6-i686/bin/jail_safe_passwd.bz2

I tried that but it didn't work however the i386 one downloaded.

My checksums do not match so can i simply move the downloaded copy over the /usr/local/cpanel/bin/jail_safe_passwd and be safe again?

 

[cPanelMichael]

My checksums do not match so can i simply move the downloaded copy over the /usr/local/cpanel/bin/jail_safe_passwd and be safe again?

Hello

What OS is installed on your server?

Thank you.

 

[spyke01]

CENTOS 5.11 i686 standard the specifics from uname are:

[[email protected] testing]# uname -r
2.6.32-042stab053.5

 

[cPanelMichael]

New CENTOS 5.11 i686 standard the specifics from uname are:

You are using the wrong URL if CentOS 5 is installed on your system. The correct URL is:

http://httpupdate.cpanel.net/cpanelsync/11.50.1.1/binaries/linux-c5-i386/bin/jail_safe_passwd.bz2

Thank you.

 

[spyke01]

Awesome thanks, looks like it was a false positive.

 

[UHLHosting]

[email protected] [~/chkrootkit-0.50]# md5sum /bin/passwd
792964343f6f916d8025bf9b1eb1e839 /bin/passwd
[email protected] [~/chkrootkit-0.50]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
f3b065b4354be16b83ecdef71da622b8 /usr/local/cpanel/bin/jail_safe_passwd
[email protected] [~/chkrootkit-0.50]#

 

[cPanelMichael]

[email protected] [~/chkrootkit-0.50]# md5sum /bin/passwd
792964343f6f916d8025bf9b1eb1e839 /bin/passwd
[email protected] [~/chkrootkit-0.50]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
f3b065b4354be16b83ecdef71da622b8 /usr/local/cpanel/bin/jail_safe_passwd
[email protected] [~/chkrootkit-0.50]#

Hello,

Could you elaborate on the context of this post? For instance, what issue are you attempting to address, or what particular information are you attempting to verify?

Thank you.

 

[UHLHosting]

If my passwd is infected, so as chkrootkit say it is.