SOLVED Passwd Infected Chkrootkit

aloshi2019

Member
Jan 24, 2019
Australia
cPanel Access Level
Reseller Owner
I ran the following commands

Code:
md5sum /bin/passwd
mkdir /root/testing
cd /root/testing
wget http://httpupdate.cpanel.net/cpanelsync/11.76.0.18/binaries/linux-c7-x86_64/bin/jail_safe_passwd.xz
unxz jail_safe_passwd.xz    # the download is xz-compressed; hash the decompressed binary
md5sum /root/testing/jail_safe_passwd
md5sum /usr/local/cpanel/bin/jail_safe_passwd
- The md5sums do not match (md5sum /bin/passwd vs. md5sum /root/testing/jail_safe_passwd).

- The md5sums do match (md5sum /usr/local/cpanel/bin/jail_safe_passwd vs. md5sum /root/testing/jail_safe_passwd).

Does this mean passwd is infected?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
- The md5sums do not match (md5sum /bin/passwd vs. md5sum /root/testing/jail_safe_passwd).
Hello @aloshi2019,

Can you run the following commands and let us know the output?

Code:
sha256sum /bin/passwd
sha256sum /usr/bin/passwd
I can compare the output for this file on a test system and verify if the results match.

Thank you.
 

sparek-3

Well-Known Member
Aug 10, 2002
1,988
220
343
cPanel Access Level
Root Administrator
If I'm not mistaken, cPanel has to modify the passwd binary due to the way jailshell works and in conjunction with how password changes are made by users.

I would not be too terribly alarmed by this, especially since a cPanel update was just recently published - did you recently update cPanel?

Still... it's never a bad idea to scrutinize these changes and verify that everything is in order. But I would not be terribly alarmed by this - especially if you just recently updated cPanel or had it automatically updated. (This is also a good reason why it's a good idea to stay on top of when cPanel is pushing out updates)
 

aloshi2019

Member
Jan 24, 2019
Australia
cPanel Access Level
Reseller Owner
Hello @aloshi2019,

Can you run the following commands and let us know the output?

Code:
sha256sum /bin/passwd
sha256sum /usr/bin/passwd
I can compare the output for this file on a test system and verify if the results match.

Thank you.
Hello cPanelMichael

Thank you for your response.

As requested listed below is the output.

Code:
# sha256sum /bin/passwd
a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270  /bin/passwd
# sha256sum /usr/bin/passwd
a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270  /usr/bin/passwd
I'm looking forward to hearing back from you soon.

Thank you for your help.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @aloshi2019,

I can confirm those hashes match the hashes on my test system running CentOS 7.6:

Code:
# sha256sum /bin/passwd
a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270  /bin/passwd
# sha256sum /usr/bin/passwd
a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270  /usr/bin/passwd
Thus, this looks to be a false positive.

Thank you.
 

LoraineB

Registered
Nov 5, 2018
United Kingdom
cPanel Access Level
Root Administrator
Hi, following a chkrootkit scan of my servers, it flagged the /bin/passwd file as infected. I've followed the instructions from other threads on the same subject and get these results.

Code:
792964343f6f916d8025bf9b1eb1e839  /bin/passwd

5141bbb73ac4cc6b7e82c4034947b3d1  jail_safe_passwd
5141bbb73ac4cc6b7e82c4034947b3d1  /usr/local/cpanel/bin/jail_safe_passwd
The server is CentOS 7, x86_64; the cPanel build is 11.78.0.24.

Chkrootkit says /bin/passwd is infected, and the md5sum doesn't match jail_safe_passwd, but as I understand it, in CentOS 7 they are different files rather than a symlink?

Can you please check the md5sum for the /bin/passwd file against one of your test machines?
I don't seem to be able to download a new version of that file to check, just the jail_safe_passwd file. Is that correct, or am I missing something? Thanks.

Code:
/etc/redhat-release:CentOS Linux release 7.6.1810 (Core)
grep: /usr/local/cpanel/version/: Not a directory
/var/cpanel/envtype:standard
CPANEL=release
The other server is CentOS 6, but I think I can work through that using information from previous threads, so I won't include that here.

Thanks so much for your help
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @LoraineB,

I checked a test server with the following environment:

Code:
# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
Code:
# rpm -qa|grep passwd
passwd-0.79-4.el7.x86_64
Here are the MD5 and SHA256 checksums on this system you can use to compare with:

Code:
# md5sum /bin/passwd
792964343f6f916d8025bf9b1eb1e839  /bin/passwd

# sha256sum /bin/passwd
a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270  /bin/passwd
Thank you.
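The comparisons made by hand in this thread (hash the system passwd, hash the installed and freshly downloaded jail_safe_passwd, compare against a known-good digest from a trusted box) as a small POSIX shell script. This is an added example, not code from the thread or from cPanel. It assumes sha256sum (or shasum) and mktemp are available, and it runs against constructed stand-in files because the real binaries cannot be shipped in a post; on a real server you would point the functions at /bin/passwd, /usr/local/cpanel/bin/jail_safe_passwd and the downloaded copy, and take the known-good SHA-256 from a trusted system running the same package build (as cPanelMichael does above).

```shell
#!/bin/sh
# Added example (not code from the thread or from cPanel): the hash comparison the
# posters did by hand, as reusable functions plus a constructed fixture.
# Assumptions: POSIX sh with sha256sum (or shasum) and mktemp; the known-good hash
# comes from a trusted build of the same package version.

# Print only the SHA-256 hex digest of a file (MD5 is enough to notice that a
# file changed, but a reference digest should be SHA-256 when one is available).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed when two files have the same digest (byte-identical).
same_binary() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Succeed when a file's digest equals a known-good digest.
matches_reference() {
    [ "$(hash_of "$1")" = "$2" ]
}

# The thread's reasoning as a decision procedure. Arguments:
#   $1 system passwd binary        $2 known-good SHA-256 for that distro build
#   $3 installed jail_safe_passwd  $4 freshly downloaded jail_safe_passwd
# Exit status: 0 false positive, 1 cPanel binary altered, 2 passwd unverified.
assess_passwd() {
    if ! same_binary "$3" "$4"; then
        echo "installed jail_safe_passwd differs from cPanel's published copy: investigate"
        return 1
    fi
    if matches_reference "$1" "$2"; then
        echo "passwd matches the known-good hash: the chkrootkit hit is a false positive"
        return 0
    fi
    # On CentOS 7 passwd and jail_safe_passwd are different files, so a
    # passwd/jail_safe_passwd mismatch on its own proves nothing; only a
    # mismatch against the distro's own digest needs follow-up.
    echo "passwd does not match the known-good hash: verify it against the package database"
    return 2
}

# The authoritative check on an RPM system: compare the file with what the
# package database recorded at install time (digest, size, mode, owner).
rpm_verify_owner() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$1"      # prints nothing and exits 0 when every attribute still matches
    else
        echo "rpm is not available on this host" >&2
        return 3
    fi
}

# Constructed fixture standing in for the real binaries; prints the directory it made.
make_fixture() {
    dir=$(mktemp -d)
    printf 'stand-in for the distro passwd binary\n' > "$dir/passwd"
    printf 'stand-in for cPanel jail_safe_passwd\n' > "$dir/jail_safe_passwd"
    cp "$dir/jail_safe_passwd" "$dir/downloaded_jail_safe_passwd"
    echo "$dir"
}

# Demonstration: the "known-good" digest is taken from the fixture itself here;
# on a real server it comes from a trusted box running the same package version.
fixture=$(make_fixture)
known_good=$(hash_of "$fixture/passwd")
assess_passwd "$fixture/passwd" "$known_good" \
              "$fixture/jail_safe_passwd" "$fixture/downloaded_jail_safe_passwd"
rm -rf "$fixture"
```

The script deliberately never treats "passwd differs from jail_safe_passwd" as evidence of anything, which is the comparison that produced the false alarm in this thread; the two checks that carry weight are the system binary against a trusted digest for the same package build and, on an RPM host, rpm_verify_owner against the package database.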
 

jazee

Well-Known Member
Jan 12, 2015
cPanel Access Level
Root Administrator
I've had several servers from multiple years and these MD5 checksums, while great in theory, have created a "Boy Who Cries Wolf" situation as they have been 100% due to system updates and so I just ignore and delete them. The system admin work described in this thread to go verify if they are system updates or not is not a practical solution due to the frequency of these especially with multiple servers. So in reality, while a nice idea in theory, these checksum messages are practically useless. So unless there's a way to make them 'smarter' by seeing if they occur right after an update and then not sending them, I'd like to just turn them off. How?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @jazee,

You may want to consider using an alternative such as Imunify360:

Additional Security Software - cPanel Knowledge Base - cPanel Documentation

Or, if you prefer to use RKHunter, read over their README to determine how to enable or disable specific notification types:

Rootkit Hunter / Code / [016a77] /files/README

Note the following regarding RKHunter:

  • cPanel, L.L.C. does not provide RootKit Hunter (rkhunter).
  • The Rootkit Hunter project team has not updated rkhunter in over one year.
Thank you.