If you're seeing output from chkrootkit that says something like:
Checking `passwd'... INFECTED
And maybe (at the bottom):
INFECTED (PORTS: 465)
there's a good chance it's a false positive, but you need to check rather than assume. The passwd warning refers to the passwd binary (normally /usr/bin/passwd), not /etc/passwd: cPanel ships its own build of that binary, so it doesn't look like the stock one and chkrootkit flags it. The port warning comes from chkrootkit's bind-shell check, which treats a listener on certain ports as suspicious; 465 is the SMTPS port that Exim listens on by default on a cPanel server, so a listener there is expected. Confirm which process owns the port with netstat -ltnp or ss -ltnp before reading anything into it.
The way to check the passwd binary is to see whether the md5sum of the one on your server matches the one distributed by cPanel for your exact version.
1. Find cPanel Version
First of all you need to find your cPanel version number, so type this in SSH (as root):
The output will be something like:
11.52.2 (build 1)
To construct the full version number you need, append the build number to the end of the version number, so in this case it is 11.52.2.1. The version has to match exactly: a different build of the binary has a different checksum, so comparing against the wrong version will look like a mismatch.
2. Download cPanel's version of the file
Now we need to get cPanel's version of the file, so try:
Remember to change the number in the middle (11.52.2.1 in the above example) to the version number you got from step 1.
If that works, decompress the file you downloaded with:
If all is well at this point move on to the next step.
If that wget download doesn't work (typically a 404), don't panic. cPanel seems to have changed the compression they use, so try downloading the following instead:
Note that the file extension is xz rather than bz2.
Now decompress that file with:
3. Compare the checksums
First get the checksum of the file you just downloaded by typing:
You should see a code like:
Now run a checksum against your live passwd file with:
If the code you get from that matches the code you get from the file you downloaded from cPanel, you're okay and it was a false positive. If the codes don't match, treat the server as potentially compromised and investigate further: a replaced passwd binary is a classic rootkit component, so check the file's timestamps and ownership, what else chkrootkit and rkhunter report, and whether anything unexpected is listening on the network. Bear in mind that on a compromised host md5sum, and chkrootkit itself, may also have been replaced, so repeat the comparison using known-good tools (for example from rescue media) before you trust a clean result.
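The three steps above, as an added example that is not part of the original post: a small POSIX shell script that turns the `cpanel -V` output into the dotted version string, decompresses the downloaded reference file by extension, and compares its md5sum against the live binary. It assumes the live binary lives at /usr/bin/passwd (override it with the second argument), and because the post's cPanel download command is not reproduced here, the reference file is downloaded by hand and passed in as the first argument rather than fetched by the script.

```bash
#!/bin/sh
# Added example, not cPanel's or the original author's code.
# Usage: sh check_passwd.sh <downloaded reference file> [live passwd path]

# Turn "11.52.2 (build 1)" (the /usr/local/cpanel/cpanel -V output shown
# in step 1) into the dotted form "11.52.2.1". Input that is already
# dotted is returned unchanged.
full_version() {
    case "$1" in
        *" (build "*)
            ver="${1%% (build *}"            # "11.52.2"
            build="${1##* (build }"          # "1)"
            build="${build%)}"               # "1"
            printf '%s.%s\n' "$ver" "$build"
            ;;
        *)
            printf '%s\n' "$1"
            ;;
    esac
}

# Decompress a downloaded reference file, picking the tool by extension
# (cPanel has shipped both .bz2 and .xz). Keeps the compressed copy (-k)
# and prints the path of the decompressed file.
decompress_ref() {
    case "$1" in
        *.bz2) bzip2 -dk "$1" && printf '%s\n' "${1%.bz2}" ;;
        *.xz)  xz -dk "$1"    && printf '%s\n' "${1%.xz}" ;;
        *)     printf '%s\n' "$1" ;;   # already uncompressed
    esac
}

# Print just the hex digest (md5sum on Linux, md5 -q on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Compare the reference file with the live binary. Exit status 0 means the
# checksums match (chkrootkit false positive); 1 means they differ.
compare_passwd() {
    ref="$1"
    live="${2:-/usr/bin/passwd}"   # assumed default location
    ref_sum=$(md5_of "$ref")
    live_sum=$(md5_of "$live")
    echo "reference: $ref_sum  $ref"
    echo "live:      $live_sum  $live"
    [ "$ref_sum" = "$live_sum" ]
}

if [ $# -ge 1 ]; then
    # Step 1: show the version the reference file must have been fetched for.
    raw=$(/usr/local/cpanel/cpanel -V 2>/dev/null || echo unknown)
    echo "cPanel version: $(full_version "$raw")"
    # Step 2 (decompress) and step 3 (compare).
    ref=$(decompress_ref "$1")
    if compare_passwd "$ref" "${2:-/usr/bin/passwd}"; then
        echo "MATCH: chkrootkit result is a false positive"
    else
        echo "MISMATCH: investigate further"
        exit 1
    fi
fi
```

Run it as root with the file you fetched in step 2, e.g. `sh check_passwd.sh /root/passwd.xz`. The non-zero exit on a mismatch makes it easy to call from a cron job or a monitoring check after each cPanel upgrade, when the live binary legitimately changes and the reference file must be re-downloaded for the new version.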