Checking Passwd infected Chkrootkit
Many of you have experienced this error when you run chkrootkit scan on your cPanel server. Here is a sample output:
[email protected] [~/chkrootkit]# ./chkrootkit -q | grep -v registry Checking `passwd'... INFECTED INFECTED (PORTS: 465)
In most cases, these are false positives. Well, we should know how to determine if it’s a false positive or not. For that we need to check the md5sum of /bin/passwd which is a symbolic link to /usr/local/cpanel/bin/jail_safe_passwd with that of cPanel provided one.
First, download the cPanel provided jail_safe_passwd to your server:
# wget http://httpupdate.cpanel.net/cpanelsync/126.96.36.199/binaries/linux-c6-x86_64/bin/jail_safe_passwd.xz
Note: Check the cPanel version of your server before downloading the jail_safe_passwd.xz. In my case the cPanel version was 11.52. If you have any other version you can download the corresponding tar file from the following URL: http://httpupdate.cpanel.net/cpanelsync/
Untar the downloaded archive file
# unxz jail_safe_passwd.xz
Check the md5sum
# md5sum jail_safe_passwd
Now check the md5sum of /bin/passwd.
# md5sum /bin/passwd
[email protected] [/usr/local/src]# md5sum jail_safe_passwd 33505ff8d7db7416ca95d425bc9a0536 jail_safe_passwd [email protected] [/usr/local/src]# md5sum /bin/passwd 33505ff8d7db7416ca95d425bc9a0536 /bin/passwd
Both the md5sum should match, in case of any mismatch you need to check /bin/passwd file.