SOLVED Passwd Infected Chkrootkit

[aloshi2019]

Hi,

chkrootkit-0.52
Completed update 11.76.0.17 -> 11.76.0.18
OS CloudLinux 7.6 (Vladimir Lyakhov)

Checking `passwd'... INFECTED

How can I confirm if this is false positive? I know it is already explained here Passwd Infected Chkrootkit but what URL do I need to use to download the jail_safe_passwd.bz2 file from cPanel?

Please advise.

Thank you

 

[aloshi2019]

I ran the following commands

md5sum /bin/passwd
mkdir /root/testing
cd /root/testing
wget [URL]http://httpupdate.cpanel.net/cpanelsync/11.76.0.18/binaries/linux-c7-x86_64/bin/jail_safe_passwd.xz[/URL]
md5sum /root/testing/jail_safe_passwd
md5sum /usr/local/cpanel/bin/jail_safe_passwd

- The md5sum does not match with (md5sum /bin/passwd & md5sum /root/testing/jail_safe_passwd )

- The md5sum match with ( md5sum /usr/local/cpanel/bin/jail_safe_passwd & md5sum /root/testing/jail_safe_passwd )

Does this mean passwd is infected?

 

[cPanelMichael]

- The md5sum does not match with (md5sum /bin/passwd & md5sum /root/testing/jail_safe_passwd )

Hello @aloshi2019,

Can you run the following commands and let us know the output?

sha256sum /bin/passwd
sha256sum /usr/bin/passwd

I can compare the output for this file on a test system and verify if the results match.

Thank you.

 

[sparek-3]

If I'm not mistaken, cPanel has to modify the passwd binary due to the way jailshell works and in conjunction with how password changes are made by users.

I would not be too terribly alarmed by this, especially since a cPanel update was just recently published - did you recently update cPanel?

Still... it's never a bad idea to scrutinize these changes and verify that everything is in order. But I would not be terribly alarmed by this - especially if you just recently updated cPanel or had it automatically updated. (This is also a good reason why it's a good idea to stay on top of when cPanel is pushing out updates)

 

[aloshi2019]

Hello @aloshi2019,

Can you run the following commands and let us know the output?

sha256sum /bin/passwd
sha256sum /usr/bin/passwd

I can compare the output for this file on a test system and verify if the results match.

Thank you.

Hello cPanelMichael

Thank you for your response.

As requested listed below is the output.

[[email protected] ~]# sha256sum /bin/passwd
a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270 /bin/passwd
[[email protected] ~]# sha256sum /usr/bin/passwd
a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270 /usr/bin/passwd

I'm looking forward to hear back from you soon.

Thank you for your help.

 

[cPanelMichael]

Hello @aloshi2019,

I can confirm those hashes match the hashes on my test system running CentOS 7.6:

# sha256sum /bin/passwd
a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270  /bin/passwd
# sha256sum /usr/bin/passwd
a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270  /usr/bin/passwd

Thus, this looks to be a false positive.

Thank you.

 

[LoraineB]

Hi, following a chkrootkit scan of my servers, it flagged the /bin/passwd file as infected. I've followed the instructions from other threads on the same subject and get these results.

792964343f6f916d8025bf9b1eb1e839 /bin/passwd

5141bbb73ac4cc6b7e82c4034947b3d1 jail_safe_passwd
5141bbb73ac4cc6b7e82c4034947b3d1 /usr/local/cpanel/bin/jail_safe_passwd

Server is centos 7, x86 64, cpanel build is 11.78.0.24

Chkrootkit says the /bin/passwd is infected, the md5sum doesn't match the jail_safe_passwd but as I understand it in Centos 7, they are different files rather than a symlink?

Can you please check the md5sum for the /bin/passwd file against one of your test machines?
I don't seem to be able to download a new version of that file to check, just the jail_safe_passwd file, is that correct or am I missing something. Thanks.

/etc/redhat-release:CentOS Linux release 7.6.1810 (Core)
grep: /usr/local/cpanel/version/: Not a directory
/var/cpanel/envtype:standard
CPANEL=release

The other server is Centos 6, but I think I can work through that using information from previous threads so I won't include that here.

Thanks so much for your help

 

[cPanelMichael]

Hello @LoraineB,

I checked a test server with the following environment:

# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

# rpm -qa|grep passwd
passwd-0.79-4.el7.x86_64

Here are the MD5 and SHA256 checksums on this system you can use to compare with:

# md5sum /bin/passwd
792964343f6f916d8025bf9b1eb1e839  /bin/passwd

# sha256sum /bin/passwd
a92b1b6fb52549ed23b12b32356c6a424d77bcf21bfcfbd32d48e12615785270  /bin/passwd

Thank you.

 

[jazee]

I've had several servers from multiple years and these MD5 checksums, while great in theory, have created a "Boy Who Cries Wolf" situation as they have been 100% due to system updates and so I just ignore and delete them. The system admin work described in this thread to go verify if they are system updates or not is not a practical solution due to the frequency of these especially with multiple servers. So in reality, while a nice idea in theory, these checksum messages are practically useless. So unless there's a way to make them 'smarter' by seeing if they occur right after an update and then not sending them, I'd like to just turn them off. How?

 

[cPanelMichael]

Hello @jazee,

You may want to consider using an alternative such as Immunify360:

Additional Security Software - cPanel Knowledge Base - cPanel Documentation

Or, if you prefer to use RKHunter, read over their README to determine how to enable or disable specific notification types:

Rootkit Hunter / Code / [016a77] /files/README

Note the following regarding RKHunter:

• cPanel, L.L.C does not provide RootKit Hunter (rkhunter).
• The Rootkit Hunter project team has not updated rkhunter in over one year.

Thank you.