
Resolving Issues Found With Rootkit Hunter

Discussion in 'Security' started by denverdataman, Jan 22, 2018.

  1. denverdataman

    denverdataman Member

    cPanel Access Level:
    Root Administrator
    Hi,

    I am trying to figure out what the best next step is for a server that I think is clean but I need to validate this assumption and there are some outstanding questions from Rootkit Hunter.

    There were many warnings for files so I checked the MD5 value against another cPanel install with the same version of CentOS. Everything checked out except for a few files.

    For example /bin/passwd and /usr/local/cpanel/bin/jail_safe_passwd.

    I used YUM to validate the file as well and it looks good.

    What is a reasonable next step?

    It is important to note that one site on the server was compromised via a files directory. There was compressed PHP code added that messed up search engine listings but I do not think they would have been able to alter the OS. No rootkits were found.

    Thanks,
    Steve
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    Can you verify if the same version of cPanel is installed on each system? What are the specific checksum values and OS/cPanel versions you are concerned about?

    Thank you.
     
  3. denverdataman

    denverdataman Member

    cPanel Access Level:
    Root Administrator
    Thank you for writing back. I did verify that the versions of cPanel and the OS are the same.

    The OS is centos-release-6-9.el6.12.3.x86_64 and cPanel is version 66.0 (build 34).

    Here is what I am seeing:
    Code:
    root@mpa.example.com [bin]# yum provides /bin/passwd
    Loaded plugins: fastestmirror, security, universal-hooks
    Loading mirror speeds from cached hostfile
    * EA4: 70.87.220.252
    * cpanel-addons-production-feed: 70.87.220.252
    * extras: mirror.tzulo.com
    No Matches found
    root@mpa.example.com [bin]# md5sum passwd
    4d05aefc3966f4f413d1da3874d2df43 passwd
    
    and
    Code:
    root@mpa.example.com [bin]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
    4d05aefc3966f4f413d1da3874d2df43 /usr/local/cpanel/bin/jail_safe_passwd
    root@mpa.example.com [bin]# yum provides /usr/local/cpanel/bin/jail_safe_passwd
    Loaded plugins: fastestmirror, security, universal-hooks
    Loading mirror speeds from cached hostfile
    * EA4: 70.87.220.252
    * cpanel-addons-production-feed: 70.87.220.252
    * extras: mirror.tzulo.com
    No Matches found
    root@mpa.example.com [bin]#
    
    I was wrong about Yum. Please advise.

    Thanks,
    Steve
     
    #3 denverdataman, Jan 22, 2018
    Last edited by a moderator: Jan 22, 2018
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello Steve,

    I was able to confirm the md5sum for your /usr/local/cpanel/bin/jail_safe_passwd file (/bin/passwd is just a link to this file) matches the md5sum when downloading the file directly from our mirrors at:

    http://httpupdate.cpanel.net/cpanelsync/11.66.0.35/binaries/linux-c6-x86_64/bin/jail_safe_passwd.xz

    Code:
    # md5sum jail_safe_passwd
    4d05aefc3966f4f413d1da3874d2df43  jail_safe_passwd
    However, do note that cPanel version 66 is end-of-life, so you should update to a supported cPanel version at your earliest convenience:

    cPanel & WHM Version 66 Now EOL | cPanel Newsroom

    Thank you.
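The check described in this thread (resolve the link, see whether the package manager owns the file, otherwise compare the md5 against the value from the vendor mirror), written up as an added shell example that is not from the thread or from cPanel. It assumes GNU coreutils (`md5sum`, `readlink -f`), optionally `rpm` and `xz`; the paths and checksums in the comments are the ones quoted above, anything else is a placeholder.

```shell
#!/bin/sh
# Added example: triage a binary that rkhunter flagged.
# In the thread, /bin/passwd is a link to /usr/local/cpanel/bin/jail_safe_passwd,
# so the link and its target share one checksum (4d05aefc3966f4f413d1da3874d2df43).
# cPanel ships such files outside yum/rpm ("No Matches found"), so the reference
# value has to come from the decompressed mirror file, not from the package database.

# Follow symlinks so a flagged link is judged by the file it points at.
resolve_target() {
    readlink -f "$1"
}

# md5 (hex only) of the resolved target.
file_md5() {
    md5sum "$(resolve_target "$1")" | cut -d' ' -f1
}

# 0 if the resolved file's md5 equals the expected vendor checksum, 1 otherwise.
md5_matches() {
    [ "$(file_md5 "$1")" = "$2" ]
}

# Reference checksum from a vendor .xz (e.g. jail_safe_passwd.xz downloaded from
# httpupdate.cpanel.net): hash the decompressed stream, never the .xz itself.
vendor_md5_from_xz() {
    xz -dc "$1" | md5sum | cut -d' ' -f1
}

# Classify a flagged path:
#   rpm:<pkg>    owned by an RPM; verify with `rpm -V <pkg>` rather than by hand
#   md5:ok       not RPM-owned, checksum equals the vendor value
#   md5:MISMATCH not RPM-owned and checksum differs: treat as suspect
classify_flagged() {
    path=$1
    expected=$2
    target=$(resolve_target "$path")
    if command -v rpm >/dev/null 2>&1 && pkg=$(rpm -qf "$target" 2>/dev/null); then
        echo "rpm:$pkg"
    elif md5_matches "$target" "$expected"; then
        echo "md5:ok"
    else
        echo "md5:MISMATCH"
    fi
}

# Usage on the thread's case (placeholder: expected value taken from the mirror file):
#   classify_flagged /bin/passwd "$(vendor_md5_from_xz ./jail_safe_passwd.xz)"
```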
     