/usr/local/cpanel/bin/jail_safe_passwd

prazgod

Member
Is /usr/local/cpanel/bin/jail_safe_passwd a legitimate new file as of November 6th, WHM 11.40.0 (build 16)?

It's flagged by OSSEC (security software) as bad:

OSSEC HIDS Notification.
2013 Nov 06 01:16:14

Received From: web2->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/passwd' detected. Signature used: 'bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]' (Generic).

- - - Updated - - -

md5 b3fc5614e306b702305c04fe0a523fb5 /usr/local/cpanel/bin/jail_safe_passwd
sha1 83607040e4db499abe3564eaa28f3b2a258bb145 /usr/local/cpanel/bin/jail_safe_passwd

- - - Updated - - -

/bin/passwd is a symlink to /usr/local/cpanel/bin/jail_safe_passwd
 

MikeDVB

Well-Known Member
PartnerNOC
I ran a fresh 11.40 install and I see the same file.
b3fc5614e306b702305c04fe0a523fb5 /usr/local/cpanel/bin/jail_safe_passwd

Probably a false positive.
 

cPanelMichael

Administrator
Staff member
Hello :)

Yes, this is a valid file and the MD5 hash you provided is legitimate. This was implemented as a more secure method of password modification.

Thank you.
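
Added example, not part of the thread and not OSSEC or cPanel code: a triage sketch for this kind of rootcheck alert that shows which strings in a binary trip the quoted signature and compares the file's hashes with a reference from a trusted source (a fresh install or the vendor, as in the replies above). It assumes Python's `re` approximates how rootcheck applies the pattern to a binary's printable strings; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import os
import re

# Signature string copied from the OSSEC alert quoted in the thread.
SIGNATURE = r"bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]"

def read_target(path):
    """Resolve symlinks first: the alert names /bin/passwd, the bytes live elsewhere."""
    real = os.path.realpath(path)
    with open(real, "rb") as fh:
        return real, fh.read()

def printable_strings(data, min_len=4):
    """Yield runs of printable ASCII, roughly what strings(1) reports."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")

def signature_hits(data, signature=SIGNATURE):
    """Return (matched_text, containing_string) pairs showing why the rule fired."""
    rx = re.compile(signature)
    return [(m.group(), s) for s in printable_strings(data) for m in rx.finditer(s)]

def triage(data, reference_md5, reference_sha1):
    """Classify an alert using reference hashes obtained from a trusted source."""
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    hits = signature_hits(data)
    same = md5 == reference_md5.lower() and sha1 == reference_sha1.lower()
    if not hits:
        verdict = "signature-does-not-match"
    elif same:
        verdict = "false-positive"  # generic strings matched, file is the known one
    else:
        verdict = "investigate"     # rule fired and the file differs from the reference
    return {"md5": md5, "sha1": sha1, "hits": hits, "verdict": verdict}

# Constructed sample bytes standing in for a password-changing binary.
SAMPLE = b"\x7fELF\x02\x01\x00/bin/bash\x00\x01/dev/null\x00Changing password\x00"
SAMPLE_MD5 = hashlib.md5(SAMPLE).hexdigest()
SAMPLE_SHA1 = hashlib.sha1(SAMPLE).hexdigest()

if __name__ == "__main__":
    print(triage(SAMPLE, SAMPLE_MD5, SAMPLE_SHA1))
```

On a real host, pass the bytes returned by `read_target("/bin/passwd")` and reference hashes taken from a clean install of the same build.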