[email protected]

Well-Known Member
Aug 3, 2016
cPanel Access Level
Root Administrator
After the last update I have the following problem on my server.
WHM 11.98.0.11

Checking `passwd'... INFECTED

Today, after yesterday's update from 11.98.0.10 to 11.98.0.11:
Code:
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... INFECTED
Checking `pidof'... not infected
Before the update:
Code:
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
This has come up after the last update.

Is this a false positive?

I also tried an md5sum comparison like this:

Code:
mkdir /root/testing
cd /root/testing
wget http://httpupdate.cpanel.net/cpanelsync/11.98.0.11/binaries/linux-c7-x86_64/bin/jail_safe_passwd.xz
unxz jail_safe_passwd.xz
md5sum jail_safe_passwd
md5sum /usr/local/cpanel/bin/jail_safe_passwd
The md5sums of the file from jail_safe_passwd.xz and of /usr/local/cpanel/bin/jail_safe_passwd match.

But the md5sums of /bin/passwd and /usr/local/cpanel/bin/jail_safe_passwd are not the same (but before the update, if I recall correctly, they weren't the same either and I didn't get any INFECTED message).

Thanks in advance.
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
cPanel Access Level
Root Administrator
The passwd INFECTED warning you see from chkrootkit is a common false positive on cPanel servers. This is because cPanel has modified that binary so it can be used with JailShell. I would suggest opening a support ticket using the link in my signature (or asking your provider to open one for you) so we can investigate for any potential issues. Provide me with the ID once open if you can.
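
The before/after comparison in the question can be automated so that a check changing state after an update stands out on its own. This is an added example, not part of the thread and not cPanel or chkrootkit code; the function names and the sample files are assumptions, and the sample lines are constructed to mirror the two outputs quoted above.

```shell
#!/bin/sh
# Added example: list chkrootkit checks whose status differs between two saved runs.
# Assumed line format (as quoted in the thread):  Checking `passwd'... INFECTED

# changed_checks BEFORE AFTER
# Prints one tab-separated line per changed check: name, old status, new status.
changed_checks() {
  # Split on the backtick and the quote, so $2 is the check name
  # and $3 is "... <status>".
  awk -F"[\`']" '
    /^Checking / && NF >= 3 {
      status = $3
      sub(/^\.\.\. */, "", status)      # drop the leading dots
      sub(/[ \t\r]+$/, "", status)      # drop trailing whitespace / CR
      if (FILENAME == ARGV[1]) { before[$2] = status; next }
      if (!($2 in before))
        printf "%s\t(new check)\t%s\n", $2, status
      else if (before[$2] != status)
        printf "%s\t%s\t%s\n", $2, before[$2], status
    }
  ' "$1" "$2"
}

# demo: build two constructed sample runs and compare them.
demo() {
  demo_dir=$(mktemp -d)
  cat > "$demo_dir/before.txt" <<'EOF'
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
EOF
  cat > "$demo_dir/after.txt" <<'EOF'
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... INFECTED
Checking `pidof'... not infected
EOF
  changed_checks "$demo_dir/before.txt" "$demo_dir/after.txt"
  rm -rf "$demo_dir"
}

demo
```

Saving each chkrootkit run to a dated file and feeding the last two runs to `changed_checks` shows exactly which binaries changed status across an update, which is the list worth checksumming or raising in a support ticket.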
 
