Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Passwd Infected Chkrootkit

Discussion in 'Security' started by aloshi2019, Feb 11, 2019.

  1. aloshi2019

    aloshi2019 Registered

    Joined:
    Jan 24, 2019
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Australia
    cPanel Access Level:
    Reseller Owner
    Hi,

    chkrootkit-0.52
    Completed update 11.76.0.17 -> 11.76.0.18
    OS CloudLinux 7.6 (Vladimir Lyakhov)

    How can I confirm if this is false positive? I know it is already explained here Passwd Infected Chkrootkit but what URL do I need to use to download the jail_safe_passwd.bz2 file from cPanel?

    Please advise.

    Thank you
     
    #1 aloshi2019, Feb 11, 2019
  2. aloshi2019

    aloshi2019 Registered

    Joined:
    Jan 24, 2019
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Australia
    cPanel Access Level:
    Reseller Owner
    I ran the following commands

    Code:
    md5sum /bin/passwd
mkdir /root/testing
cd /root/testing
wget [URL]http://httpupdate.cpanel.net/cpanelsync/11.76.0.18/binaries/linux-c7-x86_64/bin/jail_safe_passwd.xz[/URL]
md5sum /root/testing/jail_safe_passwd
md5sum /usr/local/cpanel/bin/jail_safe_passwd
    - The md5sum does not match with (md5sum /bin/passwd & md5sum /root/testing/jail_safe_passwd )

    - The md5sum match with ( md5sum /usr/local/cpanel/bin/jail_safe_passwd & md5sum /root/testing/jail_safe_passwd )

    Does this mean passwd is infected?
     
    #2 aloshi2019, Feb 12, 2019
    Last edited by a moderator: Feb 12, 2019
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,009
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @aloshi2019,

    Can you run the following commands and let us know the output?

    Code:
    sha256sum /bin/passwd
sha256sum /usr/bin/passwd
    I can compare the output for this file on a test system and verify if the results match.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 cPanelMichael, Feb 14, 2019
  4. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,893
    Likes Received:
    152
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    If I'm not mistaken, cPanel has to modify the passwd binary due to the way jailshell works and in conjunction with how password changes are made by users.

    I would not be too terribly alarmed by this, especially since a cPanel update was just recently published - did you recently update cPanel?

    Still... it's never a bad idea to scrutinize these changes and verify that everything is in order. But I would not be terribly alarmed by this - especially if you just recently updated cPanel or had it automatically updated. (This is also a good reason why it's a good idea to stay on top of when cPanel is pushing out updates)
     
    #4 sparek-3, Feb 14, 2019
  5. aloshi2019

    aloshi2019 Registered

    Joined:
    Jan 24, 2019
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Australia
    cPanel Access Level:
    Reseller Owner
    Hello cPanelMichael

    Thank you for your response.

    As requested listed below is the output.

    I'm looking forward to hear back from you soon.

    Thank you for your help.
     
    #5 aloshi2019, Feb 14, 2019
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,009
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @aloshi2019,

    I can confirm those hashes match the hashes on my test system running CentOS 7.6:

    Code:
    # sha256sum /bin/passwd
a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270  /bin/passwd
# sha256sum /usr/bin/passwd
a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270  /usr/bin/passwd
    Thus, this looks to be a false positive.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 cPanelMichael, Feb 15, 2019
(You must log in or sign up to post here.)
Loading...
Similar Threads - Passwd Infected Chkrootkit
  1. kamranonline

    /usr/local/cpanel/bin/jail_safe_passwd Segmentation fault

    kamranonline, Jul 23, 2018, in forum: Security
    Replies:
    1
    Views:
    257
    cPanelMichael
    Jul 24, 2018
  2. PeteS

    Checking passwd md5

    PeteS, Dec 30, 2017, in forum: Security
    Replies:
    4
    Views:
    578
    PeteS
    Jan 3, 2018
  3. Henry Aspden

    What is /tmp/passwd-reset.sh ?

    Henry Aspden, Dec 15, 2017, in forum: Security
    Replies:
    5
    Views:
    527
    quizknows
    Dec 15, 2017
  4. weeming21

    SOLVED api token passwd problem

    weeming21, Dec 7, 2017, in forum: cPanel Developers
    Replies:
    5
    Views:
    517
    cPanelMichael
    Dec 8, 2017
  5. gramzon

    All e-mail accounts have the same UID in passwd file

    gramzon, Dec 4, 2017, in forum: E-mail Discussion
    Replies:
    2
    Views:
    392
    cPanelMichael
    Dec 4, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice