Passwd Infected Chkrootkit

[[email protected]]

After last update I have the following problem on my server.
WHM 11.98.0.11

Checking `passwd'... INFECTED

Today after yesterday update from 11.98.0.10 to 11.98.0.11

Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... INFECTED
Checking `pidof'... not infected

Before update

Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected

This has come up after the last update.

Is this a false positive?

Also I try to check md5sum comparison like this:

mkdir /root/testing
cd /root/testing
wget http://httpupdate.cpanel.net/cpanelsync/11.98.0.11/binaries/linux-c7-x86_64/bin/jail_safe_passwd.xz
unxz jail_safe_passwd.xz
md5sum jail_safe_passwd
md5sum /usr/local/cpanel/bin/jail_safe_passwd

The md5sum from jail_safe_passwd.xz and from /usr/local/cpanel/bin/jail_safe_passwd MATCHES.

But the md5sum from /bin/passwd and /usr/local/cpanel/bin/jail_safe_passwd are not the same (but before the update if I recall well there aren't the same and I don't have any INFECTED message).

Thanks in advance.

 

[HostNoc]

an you run the following commands and let us know the output?
sha256sum /bin/passwd
sha256sum /usr/bin/passwd

Regards
HostNoc

 

[[email protected]]

Thank you @HostNoc

 

[cPanelAnthony]

The passwd INFECTED warning you see from chkrootkit is a common false-positive on cPanel servers. This is because cPanel has modified that binary so it can be used with JailShell. I would suggest opening a support ticket using the link in my signature (or asking your provider to open one for you) so we can investigate for any potential issues. Provide me with the ID once open if you can.

 

[[email protected]]

Hello @cPanelAnthony

Is possible to make a test server with the latest enviroment of centos 7, x86_64 and WHM 11.98.0.11 and compare the MD5 and SHA256 checksums as this old thread from @cPanelMichael here: SOLVED - Passwd Infected Chkrootkit

Thank you.

 

[cPanelAnthony]

Hello @cPanelAnthony

Is possible to make a test server with the latest enviroment of centos 7, x86_64 and WHM 11.98.0.11 and compare the MD5 and SHA256 checksums as this old thread from @cPanelMichael here: SOLVED - Passwd Infected Chkrootkit

Thank you.

I will double check this and get back to you soon!

 

[cPanelAnthony]

Hello again! It looks like this should be possible. However, it might be best if you open a ticket so we can review the issue briefly. Are you able to do so using the link in my signature?