Checking Passwd infected Chkrootkit

Many of you have seen this warning when running a chkrootkit scan on a cPanel server. Here is a sample output:

[~/chkrootkit]# ./chkrootkit -q | grep -v registry
Checking `passwd'... INFECTED


In most cases this is a false positive: cPanel ships its own passwd wrapper, and chkrootkit flags it because it does not match the stock binary. Still, we should know how to confirm that it is a false positive rather than assume it. To do that, compare the md5sum of /bin/passwd (which on a cPanel server is a symbolic link to /usr/local/cpanel/bin/jail_safe_passwd) with the md5sum of the jail_safe_passwd that cPanel provides for your version.

First, download the cPanel provided jail_safe_passwd to your server:

# wget

Note: Check the cPanel version of your server before downloading jail_safe_passwd.xz; the hash only means something if the reference file is from the same cPanel version. In my case the cPanel version was 11.52. If you have any other version, download the corresponding .xz file from the following URL:

Decompress the downloaded .xz file

# unxz jail_safe_passwd.xz

Check the md5sum

# md5sum jail_safe_passwd

Now check the md5sum of /bin/passwd.

# md5sum /bin/passwd
[/usr/local/src]# md5sum jail_safe_passwd
33505ff8d7db7416ca95d425bc9a0536  jail_safe_passwd
[/usr/local/src]# md5sum /bin/passwd
33505ff8d7db7416ca95d425bc9a0536  /bin/passwd

Both md5sums should match. If they match, the "INFECTED" line is a false positive caused by cPanel's wrapper. If they do not match, do not simply reinstall and move on: check where /bin/passwd actually points (`ls -l /bin/passwd`, `readlink -f /bin/passwd`), compare the file's timestamp and size with the reference, and treat the box as possibly compromised until you know why the binary differs. Keep in mind that a mismatch can also come from comparing against the wrong cPanel version, so re-check the version before raising the alarm. One caveat: on a host that really is compromised, md5sum and readlink themselves could have been replaced, so for a server you truly suspect, copy /bin/passwd off the box and hash it on a clean machine.
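The download, decompress and compare steps above can be wrapped into one small script so the check is repeatable and its result is a clean exit status. The following is an added example written for this post, not cPanel's code and not part of the original write-up. It assumes the reference file has already been downloaded and decompressed (the wget URL is omitted on the page, so the script does not fetch anything), resolves the symlink before hashing so the report shows the real target, and exits 0 on a match, 1 on a mismatch and 2 when a file is missing. The demo at the bottom runs against constructed temporary files, so it can be tried anywhere; on a real server call `compare_passwd /usr/local/src/jail_safe_passwd /bin/passwd`.

```sh
#!/bin/sh
# Added example (not from the original post): verify that /bin/passwd
# matches the cPanel-provided jail_safe_passwd by md5sum.
# File names below are assumptions; adjust to where you unxz'ed the reference.

# Print the md5 of a file after resolving symlinks, so the report shows
# the real path /bin/passwd points to.
hash_of() {
    md5sum "$(readlink -f "$1")" | awk '{print $1}'
}

# compare_passwd REFERENCE TARGET
# Exit 0 when hashes match, 1 when they differ, 2 when a file is missing.
compare_passwd() {
    ref="$1"
    target="$2"
    [ -f "$ref" ]    || { echo "reference $ref missing" >&2; return 2; }
    [ -e "$target" ] || { echo "target $target missing" >&2; return 2; }
    ref_sum=$(hash_of "$ref")
    target_sum=$(hash_of "$target")
    echo "$ref_sum  $ref"
    echo "$target_sum  $target -> $(readlink -f "$target")"
    if [ "$ref_sum" = "$target_sum" ]; then
        echo "MATCH: chkrootkit's 'passwd INFECTED' is a false positive"
        return 0
    fi
    echo "MISMATCH: inspect $target before trusting it" >&2
    return 1
}

# Demo on constructed files (not a real passwd binary) so the script
# runs offline. The first comparison should match, the second should not.
demo() {
    tmp=$(mktemp -d)
    printf 'stand-in for jail_safe_passwd\n' > "$tmp/jail_safe_passwd"
    cp "$tmp/jail_safe_passwd" "$tmp/passwd.real"
    ln -s "$tmp/passwd.real" "$tmp/passwd"        # mimic the /bin/passwd symlink
    compare_passwd "$tmp/jail_safe_passwd" "$tmp/passwd"; same=$?
    printf 'tampered\n' >> "$tmp/passwd.real"     # simulate a modified binary
    compare_passwd "$tmp/jail_safe_passwd" "$tmp/passwd"; changed=$?
    rm -rf "$tmp"
    echo "demo: first run exit=$same (expect 0), second run exit=$changed (expect 1)"
}

demo
```

The script hashes with md5sum because that is what cPanel's reference is published with; MD5 is fine for "is this byte-for-byte the same file I just downloaded", but it is not a defence against a crafted collision, so the trust really rests on fetching the reference over HTTPS from cPanel for the matching version.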

Done 🙂

Heba Habeeb

Working as a Linux Server Admin, Infopark, Cochin, Kerala.
