Self-modifying coreutils
The server runs CentOS 6.7 with WHM 54.0 (build 21) and CSF/LFD v8.16, which monitors various directories, including /bin and /usr/bin.
At 4am yesterday, LFD notified me that /bin/ls and some other utils had changed. I knew this wasn't due to a cPanel update, as that runs at 4:30am, but I couldn't find out what had changed it, so I ran "yum reinstall coreutils". As expected, LFD then notified me that all the utils in that package had changed. However, at 4am this morning, it notified me that they had all been changed again. This time, before reinstalling them, I took a copy of /bin/ls, so I could compare it before and after, with this result:
root@server1 [~]# cp -p /bin/ls .
root@server1 [~]# yum reinstall coreutils
Loaded plugins: fastestmirror, security
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
* epel: fedora-epel.mirror.lstn.net
* rpmforge: mirror.team-cymru.org
Resolving Dependencies
--> Running transaction check
---> Package coreutils.x86_64 0:8.4-37.el6_7.3 will be reinstalled
--> Finished Dependency Resolution
Dependencies Resolved
===============================================================================================
Package Arch Version Repository Size
===============================================================================================
Reinstalling:
coreutils x86_64 8.4-37.el6_7.3 updates 3.0 M
Transaction Summary
===============================================================================================
Reinstall 1 Package(s)
Total download size: 3.0 M
Installed size: 12 M
Downloading Packages:
coreutils-8.4-37.el6_7.3.x86_64.rpm | 3.0 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : coreutils-8.4-37.el6_7.3.x86_64 1/1
Verifying : coreutils-8.4-37.el6_7.3.x86_64 1/1
Installed:
coreutils.x86_64 0:8.4-37.el6_7.3
Complete!
root@server1 [~]# ls -l /bin/ls ls
-rwxr-xr-x 1 root root 109208 Nov 10 09:43 /bin/ls*
-rwxr-xr-x 1 root root 117024 Nov 10 09:43 ls*
Does cPanel require its own modified versions of those utilities, or could the server be compromised?
Check /var/log/yum to verify if the package was installed or upgraded before you did so yourself. cPanel does not modify these binaries, so this isn't really looking very good from a security perspective.
See if any prelinking has been done. Do you have a /var/log/prelink/prelink.log file? Do you have a /etc/cron.daily/prelink file?
Yes, /etc/cron.daily/prelink is run from /etc/anacrontab with these parameters:

RANDOM_DELAY=45
START_HOURS_RANGE=3-22
1 5 cron.daily nice run-parts /etc/cron.daily

The log file was created at 03:43, which would explain why LFD reported the file system changes at 04:00. I think you've put my mind at rest, but I'd already reinstalled a few RPMs today, to check if their contents got modified again. Now that you've revealed the mechanism to me, I'll be able to check the log file in the morning to confirm that this is the case. Thank you very much!
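The triage the two comments above describe, written out as an added example (not code from the thread, cPanel or CSF): given the list of paths LFD reported as changed, the prelink log and its creation time, and the alert time, classify each path as explained by the daily prelink run or as unexplained and therefore still worth checking. The log format assumed here is the one-line-per-file "Prelinking <path>" output of prelink -v; the log contents, paths and timestamps are constructed for the example.

```python
"""Triage LFD "file changed" alerts against the daily prelink log.

Added example, not part of the thread. A path is "explained" only if the
prelink log was written shortly before the alert AND lists that path;
anything else stays unexplained and should be verified against the RPM
database (rpm -Vf <path>), never assumed benign.
"""
from datetime import datetime, timedelta

# Constructed sample of /var/log/prelink/prelink.log. Assumed format:
# prelink -v prints one "Prelinking <path>" line per file it rewrites.
PRELINK_LOG = """\
Prelinking /bin/ls
Prelinking /bin/cat
Prelinking /usr/bin/sort
"""

# Constructed inputs mirroring the thread: log written 03:43, LFD alert 04:00.
# The year is arbitrary; the thread only gives month, day and time.
LOG_MTIME = datetime(2016, 11, 10, 3, 43)
ALERT_TIME = datetime(2016, 11, 10, 4, 0)
STALE_LOG_MTIME = datetime(2016, 11, 9, 3, 43)   # a day-old log: explains nothing
CHANGED_PATHS = ["/bin/ls", "/bin/cat", "/usr/bin/sort", "/bin/date"]


def prelinked_paths(log_text):
    """Return the set of paths the prelink log says were rewritten."""
    paths = set()
    for line in log_text.splitlines():
        if line.startswith("Prelinking "):
            paths.add(line[len("Prelinking "):].strip())
    return paths


def triage(changed_paths, log_text, log_mtime, alert_time,
           window=timedelta(hours=1)):
    """Split LFD-reported paths into (explained, unexplained).

    The log only counts if it was written within `window` before the alert;
    a stale log cannot account for a fresh change, so everything is then
    unexplained. Order of the input list is preserved in both outputs.
    """
    recent = timedelta(0) <= alert_time - log_mtime <= window
    touched = prelinked_paths(log_text) if recent else set()
    explained, unexplained = [], []
    for path in changed_paths:
        (explained if path in touched else unexplained).append(path)
    return explained, unexplained


if __name__ == "__main__":
    ok, suspect = triage(CHANGED_PATHS, PRELINK_LOG, LOG_MTIME, ALERT_TIME)
    print("explained by prelink:", ok)
    print("still unexplained (run rpm -Vf on each):", suspect)
```

On RHEL/CentOS 6, rpm -V undoes prelinking (via the prelink -y command configured in /etc/rpm/macros.prelink) before comparing file digests, so a binary that prelink rewrote but nobody tampered with still verifies clean; a size or digest mismatch reported by rpm -Vf on a path this script leaves unexplained is the signal that matters.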
Hello, Please see my post here regarding disabling Prelinking.
I've disabled prelinking, as documented in your post. I note that later you also suggest SELinux should be disabled. Do I have to be aware of any side-effects if I set SELINUX=disabled in /etc/sysconfig/selinux? Thanks
Do I have to be aware of any side-effects if I set SELINUX=disabled in /etc/sysconfig/selinux?
Hello :) We have a section SELinux just below the "Operating System" section of our system requirements document: Installation Guide - System Requirements - Documentation - cPanel Documentation It provides a link to additional SELinux documentation as well. Thank you.