Hacked? A slew of BIN/SBIN files updated while I was asleep...
Hi All,
I can't tell if my webserver has been compromised. Overnight, while I slept, some files in BIN / SBIN folders updated and have now failed CSF/LFD's MD5 checksum. I do not have any OS auto-updates set up (that I know of). Here is the list of files:
I think RKHunter has updated but you didn't run it with the --propupd parameter. The same thing happened to me when I updated to the latest version. All of a sudden all the programs were flagged while that particular server doesn't even have access or is accessible to/from the internet.
If you're sure that you didn't change anything like dist-upgrade I'd rebuild the RKHunter database by using rkhunter --propupd and then have it check again.
I second the --propupd part (your log is incomplete) ...besides that, having everything flagged as changed would not fit the "usual" cracker MO (as in trying to keep a low profile). I'd run your distro's package management verification if it's got any.
I didn't have RKHunter installed until today when I thought I had a security issue. I did start with the --propupd switch to begin, per RKHunter's readme file. I just ran it with the switch again and will attach the new result.
I am certain that I didn't trigger the file updates. My last update was the day before. I would like to follow this idea, "I'd run your distro's package management verification if it's got any," but I don't know how to go about it. May I ask to please be pointed in the proper direction for CentOS 5.4 and I'll take it from there?
A little more background: the checksum anomalies were brought to my attention by the LFD module of ConfigServer Security and Firewall (http://www.configserver.com/cp/csf.html). I don't know if that helps.
Lastly, the RKHunter log lines that have me most concerned are the following:
"Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable."
"Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable"
Should I be concerned? To this layman, those sound BAD.
Quote:
Originally Posted by open4biz
Lastly, the RKHunter log lines that have me most concerned are the following:
"Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable."
"Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable"
Hello,
If I recall correctly, RKHunter checks whether a binary version of a command has been replaced by an executable script. If so, as in this case, you can white-list those in the RKHunter configuration file. You should not be worried about this if it's the first time you run RKHunter.
In regards to the LFD module of ConfigServer Security and Firewall part of your post; sorry don't know that one. Hopefully someone can shed some light there.
Quote:
Originally Posted by open4biz
I didn't have RKHunter installed until today when I thought I had a security issue. I did start with the --propupd switch to begin, per RKHunter's readme file. I just ran it with the switch again and will attach the new result.
Usually one would install some form of filesystem integrity verification method *before* an (perceived) breach of security and only update it *after* all warnings were verified.
Quote:
Originally Posted by open4biz
CentOS 5.4
That'll be 'rpm --verify' as in 'rpm -Vva > /tmp/rpmvva.log 2>&1'.
Quote:
Originally Posted by open4biz
".*has been replaced by a script"
See the Rootkit Hunter FAQ, search this LQ forum and see the rkhunter-users mailing list archives?
Quote:
Originally Posted by unSpawn
Usually one would install some form of filesystem integrity verification method *before* an (perceived) breach of security and only update it *after* all warnings were verified.
I thought I was covered by CSF/LFD. I am now broadening the security approach. I can't tell if there's egg on my face... yet.
Quote:
Originally Posted by unSpawn
That'll be 'rpm -Vva > /tmp/rpmvva.log 2>&1'.
That ran for a couple of minutes and then went back to the prompt. Is there a log where I may see the results?
Hmmmm, I found the yum log while plunking around. It shows I updated the glibc library yesterday. Would that have anything to do with the checksum errors above? The Dec 18 updates were done at 11:00am, to see if Yum could address the problem.
Code:
(Day in question = Dec 18 at 5:00am those files started failing the checksum verification)
Dec 17 08:57:51 Updated: glibc-common-2.5-42.el5_4.2.i386
Dec 17 08:58:07 Updated: glibc-2.5-42.el5_4.2.i686
Dec 17 08:58:08 Updated: nscd-2.5-42.el5_4.2.i386
Dec 17 08:58:09 Updated: glibc-headers-2.5-42.el5_4.2.i386
Dec 17 08:58:12 Updated: glibc-devel-2.5-42.el5_4.2.i386
Dec 18 11:08:03 Updated: expat-1.95.8-8.3.el5_4.2.i386
Dec 18 11:08:09 Updated: samba-common-3.0.33-3.15.el5_4.1.i386
Dec 18 11:08:10 Updated: openssh-4.3p2-36.el5_4.3.i386
Dec 18 11:08:11 Updated: libtool-ltdl-1.5.22-7.el5_4.i386
Dec 18 11:08:12 Updated: kpartx-0.4.7-30.el5_4.4.i386
Dec 18 11:08:23 Updated: samba-3.0.33-3.15.el5_4.1.i386
Dec 18 11:08:25 Updated: samba-client-3.0.33-3.15.el5_4.1.i386
Dec 18 11:08:26 Updated: openssh-clients-4.3p2-36.el5_4.3.i386
Dec 18 11:08:26 Updated: openssh-server-4.3p2-36.el5_4.3.i386
Dec 18 11:08:27 Updated: expat-devel-1.95.8-8.3.el5_4.2.i386
Dec 18 11:08:28 Updated: device-mapper-multipath-0.4.7-30.el5_4.4.i386
You might try running chkrootkit, rkhunter tends to show weird things that aren't actually an issue.
Using something like tripwire, samhain or aide would probably be a good idea as well, especially on a server connected to the internet. As well as using selinux and perhaps even Bastille to help lock things down.
Quote:
Originally Posted by open4biz
I thought I was covered by CSF/LFD. I am now broadening the security approach.
It seems ConfigServer Firewall / Login Failure Daemon does include a rudimentary form of Intrusion detection system (csf.conf: LF_INTEGRITY). As far as I can see however it does only MD5 hash comparison. That is kind of weak: if you compare that with any more useful HIDS you'll find testing for multiple attributes and their changes makes it easier to help you determine what happened. This however should not mean that you should rush out and install all sorts of applications right now as some may suggest. Without proper verification of the system beforehand that will be an exercise in futility.
Quote:
Originally Posted by open4biz
Is there a log where I may see the results?
That'll be "/tmp/rpmvva.log". Read it like 'grep -v "^\.\{8\}" /tmp/rpmvva.log | less' to avoid listing files your RPMDB verified as unchanged.
Quote:
Originally Posted by craigevil
You might try running chkrootkit, rkhunter tends to show weird things that aren't actually an issue.
"I think", "don't worry", "no issue" and "overly paranoid" are typically fuzzy human ways to dismiss things without having to explain them. Saying just "weird things that aren't actually an issue" does not help the OP to find out for himself. If a tool shows scan results that one verified are not an issue then one should adjust. In this case the whitelisting options in rkhunter.conf. If one doesn't (want to) understand the tools one runs then what's the point of running them anyway?..
Quote:
Originally Posted by craigevil
Using something like tripwire, samhain or aide would probably be a good idea as well, especially on a server connected to the internet. As well as using selinux and perhaps even Bastille to help lock things down.
Any reflexes to install things should be controlled until the machine is verified clean.
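The 'rpm -Vva' log unSpawn describes above lists eight per-file attributes, which is the multi-attribute comparison he contrasts with LFD's MD5-only check. As an added example (not from the thread or from rpm itself), this POSIX shell script drops the lines grep -v would drop and decodes the rest; the rpmv_decode and write_sample_log names and the sample log lines are constructed for illustration:

```shell
#!/bin/sh
# Added example (not from the thread): decode the log written by
#   rpm -Vva > /tmp/rpmvva.log 2>&1
# (CentOS 5 layout: 8 attribute flags, optional file-type letter, path).
# Unchanged files are dropped; each other line gets a category, its flags
# spelled out, and the path, to be matched against yum.log by hand.
rpmv_decode() {
  awk '
    BEGIN {
      name["S"] = "size";   name["M"] = "mode";    name["5"] = "md5"
      name["D"] = "device"; name["L"] = "symlink"; name["U"] = "owner"
      name["G"] = "group";  name["T"] = "mtime"
    }
    $1 == "missing" { printf "MISSING\t--------\t%s\tfile absent\n", $NF; next }
    {
      flags = substr($0, 1, 8)
      if (flags == "........") next              # verified unchanged: skip
      if (flags !~ /^[SM5DLUGT.?]+$/) next       # e.g. dependency noise via 2>&1
      path = $NF                                 # rpm paths normally have no spaces
      cfg = (NF == 3 && $2 == "c")               # "c" marks a %config file
      why = ""; md5 = 0
      for (i = 1; i <= 8; i++) {
        ch = substr(flags, i, 1)
        if (ch == ".") continue
        if (ch == "?") { why = why " unverified"; continue }
        if (ch == "5") md5 = 1
        why = why " " name[ch]
      }
      # Non-config content change: explained by an update in yum.log, or not.
      if (md5 && !cfg)     cat = "CONTENT-CHANGED"
      else if (md5)        cat = "CONFIG-EDITED"
      else                 cat = "METADATA-ONLY"
      printf "%s\t%s\t%s\t%s\n", cat, flags, path, substr(why, 2)
    }
  ' "$1"
}
# Constructed sample log in rpm -Vva layout (not output from the poster's box).
write_sample_log() {
  cat > "$1" <<'EOF'
........    /bin/ls
S.5....T    /usr/bin/groups
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/bin/GET
missing     /usr/sbin/useradd
EOF
}
log=${TMPDIR:-/tmp}/rpmvva-sample.$$
write_sample_log "$log"
rpmv_decode "$log"
rm -f "$log"
```

Run it as 'rpmv_decode /tmp/rpmvva.log' on the real log; a CONTENT-CHANGED line whose path belongs to no package listed in yum.log around the LFD timestamp is the one to look at first.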
Well... it happened again. The next day, I awoke to a new set of file updates:
Time: Sat Dec 19 05:00:21 2009 -0800
The following list of files have FAILED the md5sum comparision test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
Do these files make sense for someone with nefarious purposes to play with? Or.. could this be part of an automatic update of some kind, that I'm not aware of? Here are my server's currently running processes:
Quote:
Originally Posted by open4biz
Do these files make sense for someone with nefarious purposes to play with? Or.. could this be part of an automatic update of some kind, that I'm not aware of?
I explained the weakness of using the intrusion detection part of ConfigServer Firewall / Login Failure Daemon and I also explained one way of verifying your installation. I suggest you go do that, study the results (ask if unsure), compare changes with any updates installed (logs?), then disable the CSF/LFD intrusion detection part (csf.conf) and install mature, maintained and supported filesystem integrity verification software like Samhain, Aide or even tripwire.