[NCLUG] Have I been cracked?

Stephen Warren swarren at wwwdotorg.org
Fri Oct 13 11:04:13 MDT 2006


I noticed something strange regarding one of the binaries on my CentOS
4.3 i386 system:

What package owns this binary:
[root at helium sbin]# rpm -qf /usr/sbin/htt
iiimf-server-12.1-13.EL.3

How big is this binary on my disk?
[root at helium sbin]# ls -lFa /usr/sbin/htt
-rwxr-xr-x  1 root root 6836 Jan  1  2006 /usr/sbin/htt*

How big does RPM think it should be?
[root at helium sbin]# rpm -qlv iiimf-server
-rwxr-xr-x    1 root    root             4892 Jan  1  2006 /usr/sbin/htt

Tell RPM to verify the binary:
[root at helium sbin]# rpm -V iiimf-server

Note that rpm -V prints nothing; apparently the binary matches just
fine, even if the size is incorrect?! If I rename the file, then rpm -V
complains it's missing. If I put some other random file there, rpm -V
complains about an md5sum mismatch.

Does anyone know what's up???

The reason that I started looking at this is that we have a backup
script that shuts down apache (amongst other things), creates an LVM
snapshot of some LVM LVs, then restarts the services. Apache didn't
restart this morning, because something else had bound to port 444
(which we use to run a second SSL "virtual" server).

When I ran ps this morning, and grep'd for htt, I found /usr/sbin/htt
(which apparently is a network server for some kind of multi-language
input system but typically runs on port 9010).

I attempted to start apache, and it wouldn't start. "netstat -an" showed
something listening on port 444. I did "service stop iiimf-server", then
apache would start, so I suppose it was /usr/bin/htt that had port 444 open.

That *sounds* like someone infected htt with a trojan.

Other things:

On another CentOS machine, I downloaded the same version of the
iiimf-server package. I also found the copy of the iiimf-server RPM that
yum had cached on the affected server. The htt binary in both those RPMs
matched, but did not match the installed binary on the affected system.
I'm assuming that rpm is not lying about the version of iiimf-server I
have installed on that system...
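An independent cross-check of the kind the post is reaching for, added here as an example and not part of the original message: it parses the per-file records that `rpm -q --dump <pkg>` prints and compares the size and MD5 of the file actually on disk against them, reporting rpm -V style flags. The file and dump record below are constructed to mirror the post's numbers; in practice the dump text would come from `rpm -q --dump iiimf-server`.

```python
import hashlib
import os
import tempfile

# Columns of one `rpm -q --dump` record (space separated, one file per line):
DUMP_FIELDS = ("path", "size", "mtime", "digest", "mode", "owner",
               "group", "isconfig", "isdoc", "rdev", "symlink")


def parse_dump(dump_text):
    """Parse `rpm -q --dump` output into {path: record} with int size."""
    entries = {}
    for line in dump_text.splitlines():
        parts = line.split()
        if len(parts) != len(DUMP_FIELDS):
            continue  # ignore anything that is not a complete record
        rec = dict(zip(DUMP_FIELDS, parts))
        rec["size"] = int(rec["size"])
        entries[rec["path"]] = rec
    return entries


def verify_file(rec):
    """Return 'missing', or two rpm -V style flags: S (size) and 5 (digest)."""
    path = rec["path"]
    if not os.path.exists(path):
        return "missing"
    flags = "S" if os.path.getsize(path) != rec["size"] else "."
    with open(path, "rb") as f:
        actual = hashlib.md5(f.read()).hexdigest()  # EL4-era RPMs store MD5
    flags += "5" if actual != rec["digest"] else "."
    return flags


def verify_package(dump_text):
    """Return {path: flags} for every file that does not fully match."""
    results = {p: verify_file(r) for p, r in parse_dump(dump_text).items()}
    return {p: f for p, f in results.items() if f != ".."}


def demo():
    """Constructed case: package says 4892 bytes, disk holds 6836 other bytes."""
    path = os.path.join(tempfile.mkdtemp(), "htt")   # stand-in for /usr/sbin/htt
    pristine = b"A" * 4892                           # constructed packaged content
    with open(path, "wb") as f:
        f.write(b"B" * 6836)                         # constructed on-disk content
    dump = "%s 4892 1136098800 %s 0100755 root root 0 0 0 X\n" % (
        path, hashlib.md5(pristine).hexdigest())
    return verify_package(dump)
```

A clean file yields no entry at all, so any output from `verify_package` on real dump text is worth a closer look.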
