Resolving Issues Found With Rootkit Hunter

denverdataman

Active Member
Jun 21, 2016
33
2
8
Denver
cPanel Access Level
Root Administrator
Hi,

I am trying to figure out what the best next step is for a server that I think is clean but I need to validate this assumption and there are some outstanding questions from Rootkit Hunter.

There were many warnings for files so I checked the MD5 value against another cPaenl install with the same version of CentOS. Everything checked out except for a few files.

For example /bin/passwd and /usr/local/cpanel/bin/jail_safe_passwd.

I used YUM to validate the file as well and it looks good.

What is a reasonable next step?

It is important to note that one site on the server was compromised via a files directory. There was compressed PHP code added that messed up search engine listings but I do not think they would have been able to alter the OS. No rootkits were found.

Thanks,
Steve
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
There were many warnings for files so I checked the MD5 value against another cPaenl install with the same version of CentOS. Everything checked out except for a few files.

For example /bin/passwd and /usr/local/cpanel/bin/jail_safe_passwd.
Hello,

Can you verify if the same version of cPanel is installed on each system? What are the specific checksums values and OS/cPanel versions you are concerned about?

Thank you.
 

denverdataman

Active Member
Jun 21, 2016
33
2
8
Denver
cPanel Access Level
Root Administrator
Thank you for writing back. I did verify that the versions of cPanel and the OS are the same.

The OS is centos-release-6-9.el6.12.3.x86_64 and cPanel is version 66.0 (build 34).

Here is what I am seeing:
Code:
[email protected] [bin]# yum provides /bin/passwd
Loaded plugins: fastestmirror, security, universal-hooks
Loading mirror speeds from cached hostfile
* EA4: 70.87.220.252
* cpanel-addons-production-feed: 70.87.220.252
* extras: mirror.tzulo.com
No Matches found
[email protected] [bin]# md5sum passwd
4d05aefc3966f4f413d1da3874d2df43 passwd
and
Code:
[email protected] [bin]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
4d05aefc3966f4f413d1da3874d2df43 /usr/local/cpanel/bin/jail_safe_passwd
[email protected] [bin]# yum provides /usr/local/cpanel/bin/jail_safe_passwd
Loaded plugins: fastestmirror, security, universal-hooks
Loading mirror speeds from cached hostfile
* EA4: 70.87.220.252
* cpanel-addons-production-feed: 70.87.220.252
* extras: mirror.tzulo.com
No Matches found
[email protected] [bin]#
I was wrong about Yum. Please advise.

Thanks,
Steve
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
Hello Steve,

I was able to confirm the md5sum for your /usr/local/cpanel/bin/jail_safe_passwd file (/bin/passwd is just a link to this file) matches the md5sum when downloading the file directly from our mirrors at:

http://httpupdate.cpanel.net/cpanelsync/11.66.0.35/binaries/linux-c6-x86_64/bin/jail_safe_passwd.xz

Code:
# md5sum jail_safe_passwd
4d05aefc3966f4f413d1da3874d2df43  jail_safe_passwd
However, do note that cPanel version 66 is end-of-life, so you should update to a supported cPanel version at your earliest convenience:

cPanel & WHM Version 66 Now EOL | cPanel Newsroom

Thank you.