unexpected /bin/su permission changed
Hi,
Today I have a warning message from RkHunter:
Warning: The file properties have changed:
File: /bin/su
Current permissions: 4750 Stored permissions: 4755
Current gid: 10 Stored gid: 0
The last update about coreutils was on 3 July:
root@host1 [/bin]# grep coreutils /var/log/yum.log
Jul 03 22:02:07 Updated: coreutils-libs-8.4-47.el6.x86_64
Jul 03 22:02:09 Updated: coreutils-8.4-47.el6.x86_64
root@host1 [/]# ls -l /bin/su
-rwsr-x--- 1 root wheel 34904 Jun 19 17:15 /bin/su*
I would like to understand whether this change can be safe or needs investigation...
thanks

Hi @leonep While I don't know what caused rkhunter to see the change - those are the correct permissions for /bin/su. I double checked on two separate test servers:
[root@server ~]# stat /bin/su
  File: "/bin/su"
  Size: 32184 Blocks: 64 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 925656 Links: 1
Access: (4750/-rwsr-x---) Uid: ( 0/ root) Gid: ( 10/ wheel)
Access: 2018-07-12 13:21:55.220225691 +0000
Modify: 2018-04-11 06:50:28.000000000 +0000
Change: 2018-07-12 05:18:25.358119535 +0000
 Birth: -
[root@v70 ~]# stat /bin/su
  File: "/bin/su"
  Size: 32184 Blocks: 64 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 86162 Links: 1
Access: (4750/-rwsr-x---) Uid: ( 0/ root) Gid: ( 10/ wheel)
Access: 2018-04-11 01:50:28.000000000 -0500
Modify: 2018-04-11 01:50:28.000000000 -0500
Change: 2018-07-04 14:48:51.489026149 -0500
 Birth: -
Thanks!

Thanks Lauren, this is the stat of my file:
root@host1 [~]# stat /bin/su
  File: `/bin/su'
  Size: 34904 Blocks: 72 IO Block: 4096 regular file
Device: 902h/2306d Inode: 587602 Links: 1
Access: (4750/-rwsr-x---) Uid: ( 0/ root) Gid: ( 10/ wheel)
Access: 2018-07-12 22:07:44.000000000 +0200
Modify: 2018-06-19 17:15:49.000000000 +0200
Change: 2018-07-12 22:02:15.000000000 +0200

Hi @leonep Perms/ownership look fine - this is what they should be. What time did rkhunter run? Whatever change was made happened last night at 10. Thanks!

This is rkhunter.log; it found something around 4 in the morning...
[03:58:52] Info: Start date is Fri Jul 13 03:58:52 CEST 2018
......
......
[03:59:05] /bin/su [ Warning ]
[03:59:05] Warning: The file properties have changed:
[03:59:05] File: /bin/su
[03:59:05] Current permissions: 4750 Stored permissions: 4755
[03:59:05] Current gid: 10 Stored gid: 0
.......
.......
[04:00:20] Info: End date is Fri Jul 13 04:00:20 CEST 2018
The stored permission was wrong; maybe upcp or the system restored the correct permission...!?! Is the file content unchanged?

It wouldn't be unlikely for upcp to have restored the permission of this, and the size of yours is different from that of both my test servers. You can't check the contents directly. If there was some sort of compromise I would anticipate rkhunter finding more than just the perms/ownership on that file being modified from 755 -> 750 and the GID being changed from 0 (root) to the wheel group. Thanks!

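The checks discussed in this thread, done by hand above, can be scripted. The following is an added example and is not code from the thread, from rkhunter or from cPanel: one function compares a file's current mode and numeric group against an expected baseline (the same comparison rkhunter makes against its stored properties), and a second pulls the "file properties have changed" blocks out of an rkhunter log into one summary line per file. It assumes GNU stat and awk, as on the CentOS 6 host in the question; the temporary file and the log excerpt it runs on are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce rkhunter's property check
# for one file and summarise its "file properties have changed" warnings.
# Assumes GNU stat (coreutils) and awk. All paths, modes and the sample
# log below are constructed for the demo.

# check_file_props PATH EXPECTED_OCTAL_MODE EXPECTED_GID
# Prints each attribute that differs from the expected baseline.
# Returns 0 when mode and gid match, 1 on a mismatch, 2 if stat fails.
check_file_props() {
    path=$1
    want_mode=$2
    want_gid=$3
    # %a = octal mode including the setuid/setgid/sticky digit, %g = numeric gid
    cur_mode=$(stat -c '%a' "$path" 2>/dev/null) || return 2
    cur_gid=$(stat -c '%g' "$path" 2>/dev/null) || return 2
    rc=0
    if [ "$cur_mode" != "$want_mode" ]; then
        echo "$path: mode $cur_mode, expected $want_mode"
        rc=1
    fi
    if [ "$cur_gid" != "$want_gid" ]; then
        echo "$path: gid $cur_gid, expected $want_gid"
        rc=1
    fi
    return $rc
}

# rkhunter_property_changes LOGFILE
# One summary line per "file properties have changed" block:
#   <file> perm stored=<old> current=<new> gid stored=<old> current=<new>
rkhunter_property_changes() {
    awk '
        /Warning: The file properties have changed/ { inblk = 1; next }
        inblk && /File:/ { f = $NF; next }
        inblk && /Current permissions:/ { cp = $4; sp = $NF; next }
        inblk && /Current gid:/ {
            print f, "perm stored=" sp, "current=" cp, "gid stored=" $NF, "current=" $4
            inblk = 0
        }
    ' "$1"
}

# Demo on a constructed file and a constructed log excerpt that mirrors the
# /bin/su entry in the thread. On the real host, the package-recorded mode,
# owner, group and digest of /bin/su are checked with: rpm -Vf /bin/su
demo() {
    tmp=$(mktemp)
    chmod 4750 "$tmp"
    check_file_props "$tmp" 4750 "$(stat -c '%g' "$tmp")" && echo "$tmp matches baseline"
    check_file_props "$tmp" 4755 0 || echo "$tmp differs from baseline (rc=$?)"
    rm -f "$tmp"

    log=$(mktemp)
    cat > "$log" <<'EOF'
[03:58:52] Info: Start date is Fri Jul 13 03:58:52 CEST 2018
[03:59:05] /bin/su [ Warning ]
[03:59:05] Warning: The file properties have changed:
[03:59:05] File: /bin/su
[03:59:05] Current permissions: 4750 Stored permissions: 4755
[03:59:05] Current gid: 10 Stored gid: 0
[04:00:20] Info: End date is Fri Jul 13 04:00:20 CEST 2018
EOF
    rkhunter_property_changes "$log"
    rm -f "$log"
}

if [ "${DEMO:-}" = 1 ]; then
    demo
fi
```

Run it with DEMO=1 sh check_su.sh. On the host itself, rpm -Vf /bin/su compares the installed file's size, mode, owner, group and digest with what the coreutils package recorded, which is the direct way to answer whether the content changed when rkhunter's stored baseline alone cannot say.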
I agree, it seems a fix. I will monitor the server. Thanks Lauren.

Hi @leonep Good plan, you're most welcome! Thanks!