Checking Passwd infected Chkrootkit

Many of you have seen this warning when running a chkrootkit scan on a cPanel server. Here is a sample output:

root@server [~/chkrootkit]# ./chkrootkit -q | grep -v registry
Checking `passwd'... INFECTED
INFECTED (PORTS:  465)


In most cases this is a false positive, but you should still be able to verify that rather than assume it. To do so, compare the md5sum of /bin/passwd, which on cPanel is a symbolic link to /usr/local/cpanel/bin/jail_safe_passwd, with the md5sum of the copy cPanel provides.

First, download the cPanel provided jail_safe_passwd to your server:

# wget http://httpupdate.cpanel.net/cpanelsync/11.52.1.3/binaries/linux-c6-x86_64/bin/jail_safe_passwd.xz

Note: Check the cPanel version of your server before downloading jail_safe_passwd.xz. In my case the cPanel version was 11.52. If you are running a different version, download the corresponding archive from the following URL: http://httpupdate.cpanel.net/cpanelsync/

Decompress the downloaded archive

# unxz jail_safe_passwd.xz

Check the md5sum

# md5sum jail_safe_passwd

Now check the md5sum of /bin/passwd.

# md5sum /bin/passwd

Sample output:

root@server [/usr/local/src]# md5sum jail_safe_passwd
33505ff8d7db7416ca95d425bc9a0536  jail_safe_passwd
root@server [/usr/local/src]# md5sum /bin/passwd
33505ff8d7db7416ca95d425bc9a0536  /bin/passwd

Both md5sums should match. If they differ, do not trust /bin/passwd; inspect the file and its symlink target before using it again.
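As an added example that is not part of the original post, the following POSIX shell script automates the steps above: it downloads the cPanel copy for the server's version, decompresses it, shows where /bin/passwd actually points, and compares the md5sums. It assumes the version string is readable from /usr/local/cpanel/version and that the cpanelsync URL layout shown above applies to your version.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes /usr/local/cpanel/version
# holds the version string and that the cpanelsync URL layout shown in the
# post (VERSION/binaries/linux-c6-x86_64/bin/jail_safe_passwd.xz) applies.
set -u

SYNC_BASE="http://httpupdate.cpanel.net/cpanelsync"
EXPECTED_TARGET="/usr/local/cpanel/bin/jail_safe_passwd"

# Print only the hash field of md5sum for one file.
file_md5() {
    md5sum "$1" | awk '{print $1}'
}

# Compare a reference binary with a target file (symlinks are followed).
# Returns 0 on match, 1 on mismatch, 2 if either file is unreadable.
hashes_match() {
    ref="$1"; target="$2"
    [ -r "$ref" ] && [ -r "$target" ] || return 2
    [ "$(file_md5 "$ref")" = "$(file_md5 "$target")" ]
}

# Show where the link really points; a target outside cPanel's tree is suspicious.
check_link_target() {
    resolved=$(readlink -f "$1")
    echo "$1 -> $resolved"
    [ "$resolved" = "$EXPECTED_TARGET" ] || echo "WARNING: unexpected link target"
}

main() {
    version=${1:-$(cut -d' ' -f1 /usr/local/cpanel/version)}
    tmp=$(mktemp -d) || exit 2
    url="$SYNC_BASE/$version/binaries/linux-c6-x86_64/bin/jail_safe_passwd.xz"
    wget -q -O "$tmp/jail_safe_passwd.xz" "$url" || { echo "download failed: $url"; exit 2; }
    unxz "$tmp/jail_safe_passwd.xz"
    check_link_target /bin/passwd
    if hashes_match "$tmp/jail_safe_passwd" /bin/passwd; then
        echo "OK: /bin/passwd matches cPanel's jail_safe_passwd $version"; rc=0
    else
        echo "MISMATCH: inspect /bin/passwd and its target before trusting it"; rc=1
    fi
    rm -rf "$tmp"
    exit "$rc"
}

# Run the full check only when invoked with a version, e.g.: sh verify_passwd.sh 11.52.1.3
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The exit status (0 match, 1 mismatch, 2 error) makes the script usable from cron or a monitoring hook.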

Done 🙂

Heba Habeeb

Working as a Linux Server Admin, Infopark, Cochin, Kerala.
