The Community Forums


Since 56.0.13, passwd hashes do not match

Discussion in 'cPanel Developers' started by gn0s1s, May 22, 2016.

  1. gn0s1s

    gn0s1s Member

    Joined:
    Mar 2, 2016
    Messages:
    17
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Cambodia
    cPanel Access Level:
    Root Administrator
    Because Chkrootkit pretty much always flags the /usr/bin/passwd file as being infected, I have written a script that implements the solution found on this site: crybit.com/passwd-infected-chkrootkit/. The script basically detects my current cPanel version and downloads a fresh version of the jail_safe_passwd.xz file from the cPanel repository. It then compares the hash for this file to my local /usr/bin/passwd hash, and lets me know whether they match.

    All was fine up to 11.56.0.9, but on May 05 after the update to 11.56.0.13, the hashes no longer match. This has continued to be the case all the way up to the latest 11.56.0.18 update:

    May 04 (HASHES MATCH)
    cPanel version: 11.56.0.9
    Local md5sum: f8f9bbb9f1d7b546b0b54f1be42210e9
    Fresh md5sum: f8f9bbb9f1d7b546b0b54f1be42210e9

    May 05
    cPanel version: 11.56.0.13
    Local md5sum: 792964343f6f916d8025bf9b1eb1e839
    Fresh md5sum: 7b816cf48ff37d1e2a8c69a9a5b0a776

    May 07
    cPanel version: 11.56.0.14
    Local md5sum: 792964343f6f916d8025bf9b1eb1e839
    Fresh md5sum: 7b816cf48ff37d1e2a8c69a9a5b0a776

    May 17
    cPanel version: 11.56.0.16
    Local md5sum: 792964343f6f916d8025bf9b1eb1e839
    Fresh md5sum: 5a435d5cb6175c5fd9a3135d988e47fb

    May 18
    cPanel version: 11.56.0.17
    Local md5sum: 792964343f6f916d8025bf9b1eb1e839
    Fresh md5sum: 5a435d5cb6175c5fd9a3135d988e47fb

    May 20
    cPanel version: 11.56.0.18
    Local md5sum: 792964343f6f916d8025bf9b1eb1e839
    Fresh md5sum: 81ccb41e7ee6f41f0b63fa08e779f929

    As you can see, the mismatch started with 11.56.0.13 and though the repository's file continues to change, the local passwd file is still the same. On the same date, May 05, RootkitHunter reported the following:

    Code:
    Warning: The file properties have changed:
            File: /usr/bin/passwd
            Current hash: 393d9501a912121cc09928ae69bfe34b9bfbb690
            Stored hash : 999060eabb2a4e0c4d55d4fee7f45d7c247515a0
            Current permissions: 4755    Stored permissions: 0777
            Current inode: 53236435    Stored inode: 53236521
            Current size: 27832    Stored size: 38
            Current file modification time: 1402381676 (10-Jun-2014 02:27:56)
            Stored file modification time : 1455918788 (19-Feb-2016 16:53:08)
    Warning: The file '/usr/local/bin/passwd' exists on the system, but it is not present in the 'rkhunter.dat' file.
    If I do an md5sum on /usr/local/bin/passwd, it matches the hash from the 11.56.0.18 file on the repository.

    So I have a couple of questions here:
    1. Why the permissions change on /usr/bin/passwd? And why not keep it updated to the jail_safe_passwd in the system?
    2. Why the addition of /usr/local/bin/passwd with 11.56.0.13, and why is that the passwd file being kept up to date now?
    I understand I can simply update my script to check the md5sum of the /usr/local/bin/passwd file and compare it to the repository. But I'd like some more info about this since several of my security scripts are complaining about it.
     
    #1 gn0s1s, May 22, 2016
    Last edited by a moderator: May 23, 2016
  2. gn0s1s
    Any chance this might get looked at, cPanel Staff? :)
     
  3. gn0s1s
    May 26
    cPanel version: 11.56.0.21
    Local md5sum: 792964343f6f916d8025bf9b1eb1e839
    Fresh md5sum: 81ccb41e7ee6f41f0b63fa08e779f929
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,453
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Sure thing, feel free to open a ticket directly to cPanel Technical Support! :)
     
  5. gn0s1s
    If I did that it would be assuming that there was something wrong with cPanel rather than something wrong locally. That's part of the answer I was expecting here, in this forum, before stepping it up to Technical Support. But ok, if that's the only reply I'll get here, then I'll go there. o_O
     
  6. gn0s1s
    Ok, after a bit more investigation and some help from my host, we've been able to determine that since cPanel version 11.56.0.13, the /usr/bin/passwd file is now equivalent to the file in the main CentOS repository. You can verify this by running "yum whatprovides /usr/bin/passwd":

    Code:
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * base: mirrors.sonic.net
    * extras: mirror.hmc.edu
    * updates: lug.mtu.edu
    passwd-0.79-4.el7.x86_64 : An utility for setting or changing passwords using PAM
    Repo : base
    Matched from:
    Filename : /usr/bin/passwd
    
    passwd-0.79-4.el7.x86_64 : An utility for setting or changing passwords using PAM
    Repo : installed
    Matched from:
    Filename : /usr/bin/passwd
    The /usr/local/bin/passwd file is now the one being kept in sync with the cPanel repo's jail_safe_passwd.xz file. I've adjusted my script so that it checks those md5sums against each other. Since I also want to be able to keep an eye on /usr/bin/passwd to make sure it isn't changed, I've incorporated the "rpm -V passwd" command into my script, as well. This will flag any discrepancies between the local passwd file and the repository it comes from. Now the script outputs the following:

    Code:
    CentOS version: 7
    cPanel version: 11.56.0.21
    
    --------------------
    PASSWD FILE MD5 HASH
    --------------------
    Downloading http://httpupdate.cpanel.net/cpanelsync/11.56.0.21/binaries/linux-c7-x86_64/bin/jail_safe_passwd.xz...
    
    Local md5sum: 81ccb41e7ee6f41f0b63fa08e779f929 [/usr/local/bin/passwd]
    Fresh md5sum: 81ccb41e7ee6f41f0b63fa08e779f929 [jail_safe_passwd.xz]
    
    ==> HASHES MATCH
    
    Removing downloaded file...
    
    -------------------
    YUM WARNINGS      
    -------------------
    .......T.  c /etc/pam.d/passwd
    
    -------------------
    CHKROOTKIT WARNINGS
    -------------------
    Hopefully this will help anyone else who actively checks their passwd files against tampering and who is puzzled by this change.
     
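An added example (not the poster's script and not cPanel's code) that wires the pieces from the post above together: it builds the jail_safe_passwd.xz URL from the pattern in the output, compares md5sums the way the poster's output shows, and filters "rpm -V passwd" output so that the mtime-only change on /etc/pam.d/passwd is not mistaken for tampering with /usr/bin/passwd. It assumes the cPanel version string lives in /usr/local/cpanel/version and that the fresh md5 is taken after decompressing the .xz.

```shell
# Added example, not the poster's script: compare /usr/local/bin/passwd with the
# jail_safe_passwd.xz for the running cPanel version, then run "rpm -V passwd".
set -e

SYNC_BASE="http://httpupdate.cpanel.net/cpanelsync"   # base URL seen in the thread
ARCH_DIR="linux-c7-x86_64"                              # CentOS 7 path from the thread
VERSION_FILE="/usr/local/cpanel/version"                # assumed location of the cPanel version
LOCAL_PASSWD="/usr/local/bin/passwd"                    # the copy cPanel keeps in sync

# Download URL for a cPanel version such as 11.56.0.21.
jail_passwd_url() {
    printf '%s/%s/binaries/%s/bin/jail_safe_passwd.xz\n' "$SYNC_BASE" "$1" "$ARCH_DIR"
}

# Compare two files by md5 as the poster does; returns 0 on match, 1 on mismatch.
compare_md5() {
    local_sum=$(md5sum "$1" | cut -d' ' -f1)
    fresh_sum=$(md5sum "$2" | cut -d' ' -f1)
    echo "Local md5sum: $local_sum [$1]"
    echo "Fresh md5sum: $fresh_sum [$2]"
    if [ "$local_sum" = "$fresh_sum" ]; then echo "==> HASHES MATCH"; return 0; fi
    echo "==> HASHES DO NOT MATCH"; return 1
}

# Filter "rpm -V passwd" output: an mtime-only change (T) on a config file (c),
# like the /etc/pam.d/passwd line in the thread, is expected; a size (S),
# checksum (5), mode (M) or owner (U/G) change, or a missing file, is reported.
rpm_verify_filter() {
    while IFS= read -r line; do
        flags=${line%% *}                      # first field: the verify flags or "missing"
        case "$line" in *" c /"*) config=1 ;; *) config=0 ;; esac
        case "$flags" in
            missing*|*S*|*M*|*5*|*D*|*L*|*U*|*G*) printf '%s\n' "$line" ;;
            *) [ "$config" -eq 1 ] || printf '%s\n' "$line" ;;
        esac
    done
}

# Live check (needs network, curl, xz and rpm); only runs when invoked with --run.
run_check() {
    tmp=$(mktemp -d); status=0
    curl -sSf -o "$tmp/jail_safe_passwd.xz" "$(jail_passwd_url "$(cat "$VERSION_FILE")")"
    xz -d "$tmp/jail_safe_passwd.xz"           # assumes the md5 is taken of the decompressed file
    compare_md5 "$LOCAL_PASSWD" "$tmp/jail_safe_passwd" || status=1
    rpm -V passwd | rpm_verify_filter          # rpm -V exits non-zero whenever anything differs
    rm -rf "$tmp"
    return "$status"
}
if [ "${1:-}" = "--run" ]; then run_check; fi
```

Note that rpm -V compares against the local RPM database on the same host, so it complements rather than replaces a hash baseline kept somewhere an intruder on the box cannot rewrite.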
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator