[NCLUG] Have I been cracked?

Kevin Fenzi kevin at scrye.com
Fri Oct 13 12:15:14 MDT 2006 

>>>>> "Stephen" == Stephen Warren <swarren at wwwdotorg.org> writes:

Stephen> I noticed something strange regarding one of the binaries on
Stephen> my CentOS 4.3 i386 system:

Stephen> What package owns this binary: [root at helium sbin]# rpm -qf
Stephen> /usr/sbin/htt iiimf-server-12.1-13.EL.3

Stephen> How big is this binary on my disk?  [root at helium sbin]# ls
Stephen> -lFa /usr/sbin/htt -rwxr-xr-x 1 root root 6836 Jan 1 2006
Stephen> /usr/sbin/htt*

Stephen> How big does RPM think it should be?  [root at helium sbin]# rpm
Stephen> -qlv iiimf-server -rwxr-xr-x 1 root root 4892 Jan 1 2006
Stephen> /usr/sbin/htt

Stephen> Tell RPM to verify the binary [root at helium sbin]# rpm -V
Stephen> iiimf-server

Stephen> Note that rpm -V prints nothing; apparently the binary
Stephen> matches just fine, even if the size is incorrect?! If I
Stephen> rename the file, then rpm -V complains it's missing. If I put
Stephen> some other random file there, rpm -V complains about an
Stephen> md5sum mismatch.

Stephen> Does anyone know what's up???

It could well be prelinking... the prelinking process changes the size
of binaries on disk, but rpm -V has been setup to understand that, so
it won't show them as changed.

see 'man prelink' for more info.

Stephen> The reason that I started looking at this is that we have a
Stephen> backup script that shuts down apache (amongst other things),
Stephen> creates an LVM snapshot of some LVM LVs, then restarts the
Stephen> services. Apache didn't restart this morning, because
Stephen> something else had bound to port 444 (which we use to run a
Stephen> second SSL "virtual" server).

Stephen> When I ran ps this morning, and grep'd for htt, I found
Stephen> /usr/sbin/htt (which apparently is a network server for some
Stephen> kind of multi-language input system but typically runs on
Stephen> port 9010).

Stephen> I attempted to start apache, and it wouldn't start. "netstat
Stephen> -an" showed something listening on port 444. I did "service
Stephen> stop iiimf-server", then apache would start, so I suppose it
Stephen> was /usr/bin/htt that had port 444 open.

Could be. Or might have just been the httpd took a while to exit and
release that port. Were there any httpd's running at all?

fuser -n tcp 444

should show the exact pid thats keeping tcp port 444 open.

Stephen> That *sounds* like someone infected htt with a trojan.

Could be.

You can also do a 'strings htt | less' and look for anything like
looks trojan like.

Stephen> Other things:

Stephen> On another CentOS machine, I downloaded the same version of
Stephen> the iiimf-server package. I also found the copy of the
Stephen> iiimf-server RPM that yum had cached on the affected
Stephen> server. The htt binary in both those RPMs matched, but did
Stephen> not match the installed binary on the affected system.  I'm
Stephen> assuming that rpm is not lying about the version of
Stephen> iiimf-server I have installed on that system...

It could be, or it could be prelinking has changed it's size on the
machine where it's been installed for a while (prelink runs nightly).

You might want to pull down rk-hunter or chkrootkit and run those
against your machine too.

kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.nclug.org/pipermail/nclug/attachments/20061013/355ecff5/attachment.pgp>

More information about the NCLUG mailing list