Resolving Issues Found With Rootkit Hunter

[denverdataman]

Hi,

I am trying to figure out what the best next step is for a server that I think is clean but I need to validate this assumption and there are some outstanding questions from Rootkit Hunter.

There were many warnings for files so I checked the MD5 value against another cPaenl install with the same version of CentOS. Everything checked out except for a few files.

For example /bin/passwd and /usr/local/cpanel/bin/jail_safe_passwd.

I used YUM to validate the file as well and it looks good.

What is a reasonable next step?

It is important to note that one site on the server was compromised via a files directory. There was compressed PHP code added that messed up search engine listings but I do not think they would have been able to alter the OS. No rootkits were found.

Thanks,
Steve

 

[cPanelMichael]

There were many warnings for files so I checked the MD5 value against another cPaenl install with the same version of CentOS. Everything checked out except for a few files.

For example /bin/passwd and /usr/local/cpanel/bin/jail_safe_passwd.

Hello,

Can you verify if the same version of cPanel is installed on each system? What are the specific checksums values and OS/cPanel versions you are concerned about?

Thank you.

 

[denverdataman]

Thank you for writing back. I did verify that the versions of cPanel and the OS are the same.

The OS is centos-release-6-9.el6.12.3.x86_64 and cPanel is version 66.0 (build 34).

Here is what I am seeing:

[email protected] [bin]# yum provides /bin/passwd
Loaded plugins: fastestmirror, security, universal-hooks
Loading mirror speeds from cached hostfile
* EA4: 70.87.220.252
* cpanel-addons-production-feed: 70.87.220.252
* extras: mirror.tzulo.com
No Matches found
[email protected] [bin]# md5sum passwd
4d05aefc3966f4f413d1da3874d2df43 passwd

and

r[email protected] [bin]# md5sum /usr/local/cpanel/bin/jail_safe_passwd
4d05aefc3966f4f413d1da3874d2df43 /usr/local/cpanel/bin/jail_safe_passwd
[email protected] [bin]# yum provides /usr/local/cpanel/bin/jail_safe_passwd
Loaded plugins: fastestmirror, security, universal-hooks
Loading mirror speeds from cached hostfile
* EA4: 70.87.220.252
* cpanel-addons-production-feed: 70.87.220.252
* extras: mirror.tzulo.com
No Matches found
[email protected] [bin]#

I was wrong about Yum. Please advise.

Thanks,
Steve

 

[cPanelMichael]

Hello Steve,

I was able to confirm the md5sum for your /usr/local/cpanel/bin/jail_safe_passwd file (/bin/passwd is just a link to this file) matches the md5sum when downloading the file directly from our mirrors at:

http://httpupdate.cpanel.net/cpanelsync/11.66.0.35/binaries/linux-c6-x86_64/bin/jail_safe_passwd.xz

# md5sum jail_safe_passwd
4d05aefc3966f4f413d1da3874d2df43  jail_safe_passwd

However, do note that cPanel version 66 is end-of-life, so you should update to a supported cPanel version at your earliest convenience:

cPanel & WHM Version 66 Now EOL | cPanel Newsroom

Thank you.