The Community Forums


Passwd Infected Chkrootkit

Discussion in 'Security' started by k2tec, Nov 6, 2014.

  1. k2tec

    k2tec Well-Known Member

    Joined:
    Aug 26, 2011
    Messages:
    81
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    After the last update I have the following problem on my VPS servers running:
    WHM 11.46.0 (build 12)
    Chkrootkit 0.50
    Checking `passwd'... INFECTED

    06-11-2014
    Before update
    This has come up after the last update.

    Is this a false positive?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    It's very likely a false positive, however you may want to review your system for any additional signs of an exploit. Check the md5sum of the /bin/passwd file (it should be a symbolic link to /usr/local/cpanel/bin/jail_safe_passwd) to see if it matches up with what's provided by cPanel.

    Thank you.
     
  3. k2tec

    k2tec Well-Known Member

    Thanks for the reply
    How do I check this against cPanel's md5sum.txt?
     
    #3 k2tec, Nov 6, 2014
    Last edited: Nov 7, 2014
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The checksum matches the file as provided by cPanel in an archived form at:

    Code:
    http://httpupdate.cpanel.net/cpanelsync/11.46.0.12/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2
    Thank you.
     
  5. k2tec

    k2tec Well-Known Member

    Okay they match, so it is a false positive.
    Thanks Michael.
     
  6. zodiac9797

    zodiac9797 Member

    Joined:
    Apr 17, 2011
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1

    I can see this warning on all of our dedicated servers since last update to WHM 11.46.0

    I guess it's a false warning. It is hard to believe that all of our servers were compromised on the same date. :)
     
  7. mbressman

    mbressman Active Member

    Joined:
    Jan 31, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Same thing here - prior to 11/6 it wasn't showing 'passwd' as infected, and then all of a sudden on 11/6's nightly email and thereafter it started showing 'passwd' as infected. I have my WHM updates set to "RELEASE" and it seems likely that WHM updated itself right around then, which could account for this, right? How can I check to see if that's when WHM performed its update?

    Also - any ideas if CHKROOTKIT will be fixed/updated anytime soon to correct this?

    Thanks!
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The cPanel update logs are stored in:

    /var/cpanel/updatelogs/

    Chkrootkit is a third-party application that's not developed by cPanel, so you may want to get in touch with its developers or mailing list to report the issue.

    Thank you.
     
  9. cre8gr

    cre8gr Member

    Joined:
    Nov 5, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    Today the VPS company I'm hosted with said that some files were infected in my /tmp/webalizer and /tmp/awstats. After I ran maldet I cleaned those files and I said let's see what chkrootkit will find, and boom, it said passwd INFECTED.

    I then ran md5sum and that's what I got for the /usr/local/cpanel/bin/jail_safe_passwd: 7ed882d987f8ad62f53d322091ae3241. Is this OK?

    - - - Updated - - -

    I forgot to mention my cPanel version is WHM 11.46.0 (build 21).
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Please post the output from the following command:

    Code:
    arch
    Thank you.
     
  11. cre8gr

    cre8gr Member

    The output is: x86_64
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Yes, this matches the file from our update servers for your architecture. You can test this on your own in the future with commands such as:

    Code:
    mkdir /root/testing
    cd /root/testing
    wget http://httpupdate.cpanel.net/cpanelsync/11.46.0.22/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2
    bzip2 -d jail_safe_passwd.bz2
    md5sum jail_safe_passwd
    Note the download URL will change depending on your version number, system architecture, and OS.

    Thank you.
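    The download-decompress-compare steps above, turned into a reusable POSIX shell script. This is an added example, not cPanel's own tooling or a script from this thread. It assumes the URL layout visible in the links posted above (cpanelsync/<version>/binaries/linux-<os tag>-<arch>/bin/jail_safe_passwd.bz2, with os tags c5/c6 and arch tags i386/x86_64), that the installed version string is readable from /usr/local/cpanel/version (an assumption), and that the os tag is passed in explicitly because the thread shows it must match the installed CentOS major version. It also checks that /bin/passwd is a symlink to the jail-safe wrapper, which is the layout cPanelMichael describes in post #2; when the two md5sums differ, as in a later post in this thread, that is usually because /bin/passwd is not that symlink, and it deserves a look rather than a shrug.

```shell
#!/bin/sh
# Added example (not cPanel's code): verify the local jail_safe_passwd
# binary against the copy cPanel publishes, following the steps in this thread.

# Build the download URL. The path layout mirrors the URLs posted in the
# thread; VERSION is e.g. 11.46.0.22, OS_TAG is c5 or c6, ARCH is i386 or x86_64.
build_url() {
    printf 'http://httpupdate.cpanel.net/cpanelsync/%s/binaries/linux-%s-%s/bin/jail_safe_passwd.bz2\n' \
        "$1" "$2" "$3"
}

# Map `uname -m` output to the architecture tag used in the URL.
arch_tag() {
    case "$1" in
        x86_64) echo x86_64 ;;
        i386|i486|i586|i686) echo i386 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Print only the digest from md5sum output.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# Exit status 0 when both files have the same md5.
same_md5() {
    [ "$(md5_of "$1")" = "$(md5_of "$2")" ]
}

# Exit status 0 when LINK is a symlink that resolves to the same file as WRAPPER.
passwd_links_to_wrapper() {
    link="$1"; wrapper="$2"
    [ -L "$link" ] && [ "$(readlink -f "$link")" = "$(readlink -f "$wrapper")" ]
}

# End-to-end check on a live server: needs root, network access and the
# version file (assumed path). Call as: verify_jail_safe_passwd c6
verify_jail_safe_passwd() {
    os_tag="$1"
    version="$(cat /usr/local/cpanel/version)"      # assumed location of the version string
    arch="$(arch_tag "$(uname -m)")" || return 1
    url="$(build_url "$version" "$os_tag" "$arch")"
    workdir="$(mktemp -d)"
    wget -q -O "$workdir/jail_safe_passwd.bz2" "$url" || { echo "download failed: $url" >&2; return 1; }
    bzip2 -d "$workdir/jail_safe_passwd.bz2"
    status=0
    if same_md5 "$workdir/jail_safe_passwd" /usr/local/cpanel/bin/jail_safe_passwd; then
        echo "jail_safe_passwd matches cPanel's copy ($(md5_of "$workdir/jail_safe_passwd"))"
    else
        echo "MISMATCH: local jail_safe_passwd differs from $url" >&2
        status=1
    fi
    if passwd_links_to_wrapper /bin/passwd /usr/local/cpanel/bin/jail_safe_passwd; then
        echo "/bin/passwd is a symlink to the jail-safe wrapper"
    else
        echo "WARNING: /bin/passwd is not a symlink to jail_safe_passwd; review it" >&2
        status=1
    fi
    rm -rf "$workdir"
    return "$status"
}

# Only run the live check when asked, so the functions can be sourced safely.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    verify_jail_safe_passwd "${OS_TAG:-c6}"
fi
```

    Run it on the server as `RUN_CHECK=1 OS_TAG=c5 sh check_passwd.sh` (or `OS_TAG=c6`); a non-zero exit means either the checksum or the symlink check failed. Comparing against a downloaded reference file rather than a pasted hash keeps the check tied to the exact version you are running.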
     
  13. spyke01

    spyke01 Member

    Joined:
    Sep 24, 2013
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    What OS is installed on your server?

    Thank you.
     
  15. spyke01

    spyke01 Member

    CentOS 5.11 i686 standard; the specifics from uname are:

     
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You are using the wrong URL if CentOS 5 is installed on your system. The correct URL is:

    Code:
    http://httpupdate.cpanel.net/cpanelsync/11.50.1.1/binaries/linux-c5-i386/bin/jail_safe_passwd.bz2
    Thank you.
     
  17. spyke01

    spyke01 Member

    Awesome thanks, looks like it was a false positive.
     
  18. UHLHosting

    UHLHosting Well-Known Member

    Joined:
    Sep 26, 2014
    Messages:
    53
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Bratislava
    cPanel Access Level:
    Root Administrator
    Code:
    root@panel [~/chkrootkit-0.50]# md5sum /bin/passwd
    792964343f6f916d8025bf9b1eb1e839 /bin/passwd
    root@panel [~/chkrootkit-0.50]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
    f3b065b4354be16b83ecdef71da622b8 /usr/local/cpanel/bin/jail_safe_passwd
    root@panel [~/chkrootkit-0.50]#
     
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you elaborate on the context of this post? For instance, what issue are you attempting to address, or what particular information are you attempting to verify?

    Thank you.
     
  20. UHLHosting

    UHLHosting Well-Known Member

    Is my passwd infected, as chkrootkit says it is?
     