Because Chkrootkit pretty much always flags the /usr/bin/passwd file as being infected, I have written a script that implements the solution found on this site: crybit.com/passwd-infected-chkrootkit/. The script basically detects my current cPanel version and downloads a fresh version of the jail_safe_passwd.xz file from the cPanel repository. It then compares the hash for this file to my local /usr/bin/passwd hash, and lets me know whether they match. All was fine up to 184.108.40.206, but on May 05 after the update to 220.127.116.11, the hashes no longer match. This has continued to be the case all the way up to the latest 18.104.22.168 update:

May 04 (HASHES MATCH)
cPanel version: 22.214.171.124
Local md5sum: f8f9bbb9f1d7b546b0b54f1be42210e9
Fresh md5sum: f8f9bbb9f1d7b546b0b54f1be42210e9

May 05
cPanel version: 126.96.36.199
Local md5sum: 792964343f6f916d8025bf9b1eb1e839
Fresh md5sum: 7b816cf48ff37d1e2a8c69a9a5b0a776

May 07
cPanel version: 188.8.131.52
Local md5sum: 792964343f6f916d8025bf9b1eb1e839
Fresh md5sum: 7b816cf48ff37d1e2a8c69a9a5b0a776

May 17
cPanel version: 184.108.40.206
Local md5sum: 792964343f6f916d8025bf9b1eb1e839
Fresh md5sum: 5a435d5cb6175c5fd9a3135d988e47fb

May 18
cPanel version: 220.127.116.11
Local md5sum: 792964343f6f916d8025bf9b1eb1e839
Fresh md5sum: 5a435d5cb6175c5fd9a3135d988e47fb

May 20
cPanel version: 18.104.22.168
Local md5sum: 792964343f6f916d8025bf9b1eb1e839
Fresh md5sum: 81ccb41e7ee6f41f0b63fa08e779f929

As you can see, the mismatch started with 22.214.171.124 and though the repository's file continues to change, the local passwd file is still the same.
On the same date, May 05, RootkitHunter reported the following:

Code:
    Warning: The file properties have changed:
             File: /usr/bin/passwd
             Current hash: 393d9501a912121cc09928ae69bfe34b9bfbb690
             Stored hash : 999060eabb2a4e0c4d55d4fee7f45d7c247515a0
             Current permissions: 4755
             Stored permissions: 0777
             Current inode: 53236435
             Stored inode: 53236521
             Current size: 27832
             Stored size: 38
             Current file modification time: 1402381676 (10-Jun-2014 02:27:56)
             Stored file modification time : 1455918788 (19-Feb-2016 16:53:08)
    Warning: The file '/usr/local/bin/passwd' exists on the system, but it is not present in the 'rkhunter.dat' file.

If I do an md5sum on /usr/local/bin/passwd, it matches the hash from the 126.96.36.199 file on the repository.

So I have a couple of questions here: Why the permissions change on /usr/bin/passwd? And why not keep it updated to the jail_safe_passwd in the system? Why the addition of /usr/local/bin/passwd with 188.8.131.52, and why is that the passwd file being kept up to date now?

I understand I can simply update my script to check the md5sum of the /usr/local/bin/passwd file and compare it to the repository. But I'd like some more info about this since several of my security scripts are complaining about it.
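An added example of the comparison the post describes, written here and not the poster's own script or anything shipped by cPanel: it checks a freshly unpacked jail_safe_passwd binary against each local passwd candidate (both /usr/bin/passwd and /usr/local/bin/passwd) and also prints the file mode, so a permission change like the 4755 vs 0777 above shows up in the same report. It assumes the caller has already downloaded and decompressed jail_safe_passwd.xz; the repository URL and the local path of the unpacked file are not given here and are placeholders.

```shell
#!/bin/sh
# Added example (not the poster's script): compare a freshly fetched
# jail_safe_passwd binary against each local passwd candidate and report
# the mode bits alongside the hash result.
# Assumes jail_safe_passwd.xz has already been fetched and unpacked
# (e.g. with `xz -d`); the repository URL is not part of this example.

# md5 of a file, first field only (coreutils md5sum output format)
file_md5() {
    md5sum "$1" | awk '{print $1}'
}

# octal permission bits of a file (GNU stat)
file_mode() {
    stat -c '%a' "$1"
}

# check_passwd_candidates FRESH_FILE CANDIDATE...
# Prints one line per candidate: path, local md5, MATCH/MISMATCH, mode,
# or "path MISSING" when the candidate does not exist.
# Returns 0 if at least one existing candidate matches the fresh binary,
# 1 otherwise (so the caller's monitoring can alert on the exit status).
check_passwd_candidates() {
    fresh="$1"; shift
    fresh_md5=$(file_md5 "$fresh")
    matched=1
    for path in "$@"; do
        if [ ! -f "$path" ]; then
            printf '%s MISSING\n' "$path"
            continue
        fi
        local_md5=$(file_md5 "$path")
        if [ "$local_md5" = "$fresh_md5" ]; then
            status=MATCH; matched=0
        else
            status=MISMATCH
        fi
        printf '%s %s %s mode=%s\n' "$path" "$local_md5" "$status" "$(file_mode "$path")"
    done
    return $matched
}

# Typical call on a cPanel host (the unpacked file path is an assumption):
# check_passwd_candidates /root/jail_safe_passwd /usr/bin/passwd /usr/local/bin/passwd
```

Run against the May 05 state in the post, the script would report /usr/bin/passwd as MISMATCH with mode=4755 and /usr/local/bin/passwd as MATCH, which is the situation the poster is asking about.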