Chkrootkit output passwd infected

If you're seeing output from chkrootkit that says something like:

Checking `passwd'... INFECTED

And maybe (at the bottom):

INFECTED (PORTS:  465)

There's a good chance it's a false positive, but you need to check. The `passwd' line is chkrootkit's signature check tripping on cPanel's jail_safe_passwd binary, which cPanel installs in place of the stock passwd. The PORTS line is chkrootkit's bindshell check; port 465 is the standard SMTPS port, which the mail server (Exim on a cPanel box) normally listens on, so confirm which process owns that listening socket (ss -ltnp or netstat -ltnp) before treating it as a backdoor.

The way to check the passwd warning is to see whether the checksum of the passwd binary on your server matches the one cPanel distributes for your exact cPanel version. Bear in mind that if the box really is rooted, the tools you run the check with (md5sum, wget, the kernel itself) can lie to you, so a clean result from an on-box check is evidence, not proof; if anything else looks wrong, repeat the comparison from a rescue environment.

1. Find cPanel Version

First of all you need to find your cPanel version number, so type this in SSH (as root):

/usr/local/cpanel/cpanel -V

The output will be something like:

11.52.2 (build 1)

To construct the full version number you need, add the build number to end of the version number, so in this case it will be: 11.52.2.1

2. Download cPanel's version of the file

Now we need to get cPanel's version of the file, so try:

wget http://httpupdate.cpanel.net/cpanelsync/11.52.2.1/binaries/linux-c6-x86_64/bin/jail_safe_passwd.bz2

Remember to change the number in the middle (11.52.2.1 in the above example) to the version number you got from step 1. Also check that the linux-c6-x86_64 part matches your server: that directory is for CentOS 6 on 64-bit x86, and a different OS release or architecture uses a different directory name.

If that works, then decompress the file you downloaded with:

bunzip2 jail_safe_passwd.bz2

If all is well at this point move on to the next step.

If that wget download doesn't work, don't panic. cPanel seems to have changed the compression they use, so try downloading the following instead:

wget http://httpupdate.cpanel.net/cpanelsync/11.52.2.1/binaries/linux-c6-x86_64/bin/jail_safe_passwd.xz

Note that the file extension is xz rather than bz2.

Now decompress that file with:

unxz jail_safe_passwd.xz

3. Compare the checksums

First get the checksum of the file you just downloaded by typing:

md5sum jail_safe_passwd

You should see a code like:

2c31eb9e327aad5f9099d73108df450d  jail_safe_passwd

Now run a checksum against your live passwd file with:

md5sum /bin/passwd

If the code you get from that matches the code you get from the file you downloaded from cPanel, you're okay and it was a false positive. If the codes don't match, treat the server as potentially compromised and investigate further from a trusted environment rather than only from the box itself: you may have a rootkit. (md5sum is used here because it is what most people reach for; since you are comparing two local files, any digest works, and sha256sum or a direct byte comparison with cmp is preferable to MD5.)
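The three steps above, automated as one script. This is an added example, not code from the original post or from cPanel: it assumes the cpanelsync URL layout shown above, that /bin/passwd is the path the post compares (on some systems it is /usr/bin/passwd), and that the OS/arch directory is passed in by hand (default linux-c6-x86_64, as in the post). It uses SHA-256 instead of MD5 for the comparison and tries the .xz download before falling back to .bz2.

```shell
#!/bin/sh
# Added example (not from the original post or from cPanel).
# Compares the live passwd binary against the jail_safe_passwd that
# cPanel distributes for the installed cPanel version.

# Turn the raw output of `/usr/local/cpanel/cpanel -V`
# (e.g. "11.52.2 (build 1)") into the cpanelsync version "11.52.2.1".
cpanel_sync_version() {
    printf '%s\n' "$1" | sed 's/ (build /./; s/)$//'
}

# Build the cpanelsync URL for a version, OS/arch directory and
# compression suffix (xz or bz2). URL layout is the one the post uses.
cpanel_sync_url() {
    printf 'http://httpupdate.cpanel.net/cpanelsync/%s/binaries/%s/bin/jail_safe_passwd.%s\n' \
        "$1" "$2" "$3"
}

# Download and decompress the reference binary to $3.
# Tries the newer .xz first, then .bz2 (cPanel changed compression at
# some point). Returns non-zero if neither download works.
fetch_reference_passwd() {
    version=$1; osarch=$2; out=$3
    for suffix in xz bz2; do
        url=$(cpanel_sync_url "$version" "$osarch" "$suffix")
        if wget -q -O "$out.$suffix" "$url"; then
            case $suffix in
                xz)  unxz -f "$out.$suffix" ;;
                bz2) bunzip2 -f "$out.$suffix" ;;
            esac
            return 0
        fi
        # wget -O leaves an empty file behind on a 404; remove it.
        rm -f "$out.$suffix"
    done
    echo "could not download jail_safe_passwd for $version/$osarch" >&2
    return 1
}

# SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Succeeds when both files have the same SHA-256.
same_digest() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

main() {
    osarch=${1:-linux-c6-x86_64}   # assumption: caller knows the OS/arch dir
    raw=$(/usr/local/cpanel/cpanel -V)
    ver=$(cpanel_sync_version "$raw")
    tmp=$(mktemp -d)
    fetch_reference_passwd "$ver" "$osarch" "$tmp/jail_safe_passwd" || exit 1
    if same_digest "$tmp/jail_safe_passwd" /bin/passwd; then
        echo "match: /bin/passwd is cPanel's jail_safe_passwd $ver (chkrootkit false positive)"
    else
        echo "MISMATCH: /bin/passwd differs from cPanel's jail_safe_passwd $ver; investigate" >&2
        exit 2
    fi
}

# Only perform the live check when invoked as: sh check_passwd.sh run [osarch]
case $1 in
    run) main "$2" ;;
esac
```

Run it as root with `sh check_passwd.sh run linux-c6-x86_64` (substituting your OS/arch directory); it exits 0 on a match and 2 on a mismatch. The same caveat as above applies: a match reported from a box that is actually rooted is only as trustworthy as the tools on that box.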
