strange files, attack leftover?

Support for security such as Firewalls and securing linux
hoppel
Posts: 9
Joined: 2009/02/08 14:52:05

strange files, attack leftover?

Post by hoppel » 2010/09/08 15:58:36

hello,

I found some strange files in my /usr/bin with a semicolon in their name; who in his right mind would use that on purpose? The files are both related to suid files, which makes me especially suspicious:

[code]
# ll chsh*
-rwsr-xr-x 1 root root 20360 Jan 20 2010 chsh
-rw-r--r-- 1 root root 16184 Jan 20 2010 chsh;4b575e2f
# ll write*
-rwxr-sr-x 1 root tty 14400 Jan 20 2010 write
-rw-r--r-- 1 root root 10944 Jan 20 2010 write;4b575e87
-rw-r--r-- 1 root root 10944 Jan 21 2010 write;4b57984a

# file chsh\;4b575e2f
chsh;4b575e2f: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for
GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped

# ldd chsh\;4b575e2f
ldd: warning: you do not have execution permission for `./chsh;4b575e2f'
/usr/bin/ldd: line 116: ./chsh;4b575e2f: Permission denied
[/code][Moderator edit: Added [i]code[/i] tags to preserve formatting.]

any ideas?

hop

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

strange files, attack leftover?

Post by pschaff » 2010/09/08 18:37:22

[code]
[pschaffn@c5 ~]$ ls -lF /usr/bin/chsh* /usr/bin/write*
-rws--x--x 1 root root 19096 Jan 20 2010 /usr/bin/chsh*
-rwxr-sr-x 1 root tty 10984 Jan 20 2010 /usr/bin/write*
[pschaffn@c5 ~]$ rpm -qf /usr/bin/chsh
util-linux-2.13-0.52.el5_4.1.i386
[pschaffn@c5 ~]$ rpm -qf /usr/bin/write
util-linux-2.13-0.52.el5_4.1.i386
[pschaffn@c5 ~]$ rpm -V util-linux
S.?..... /usr/bin/chfn
S.?..... /usr/bin/chsh
[pschaffn@c5 ~]$ [/code]

What do you see?

Please show
[code]
file /usr/bin/chsh /usr/bin/write
uname -rmi
rpm -q centos-release
[/code]

hoppel
Posts: 9
Joined: 2009/02/08 14:52:05

Re: strange files, attack leftover?

Post by hoppel » 2010/09/08 19:53:38

[code]
# ls -lF /usr/bin/chsh* /usr/bin/write*
-rwxr-xr-x 1 root root 20360 Jan 20 2010 /usr/bin/chsh*
-rw-r--r-- 1 root root 16184 Jan 20 2010 /usr/bin/chsh;4b575e2f
-rwxr-xr-x 1 root tty 14400 Jan 20 2010 /usr/bin/write*
-rw-r--r-- 1 root root 10944 Jan 20 2010 /usr/bin/write;4b575e87
-rw-r--r-- 1 root root 10944 Jan 21 2010 /usr/bin/write;4b57984a
[/code]
I've removed the setuid flags because I didn't need them anyway.

[code]
# rpm -qf /usr/bin/chsh
util-linux-2.13-0.52.el5_4.1

rpm -qf /usr/bin/write
util-linux-2.13-0.52.el5_4.1
[/code]
The next one is because of the removed setuid; if I restore that, it shows nothing.

[code]
# rpm -V util-linux
.M...... /usr/bin/chfn
.M...... /usr/bin/chsh
.M...... /usr/bin/write

# file /usr/bin/chsh /usr/bin/write
/usr/bin/chsh: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
/usr/bin/write: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped

# uname -rmi
2.6.27.53rootserver-selbstgenudelt x86_64 x86_64
# rpm -q centos-release
centos-release-5-5.el5.centos
[/code]
The kernel is self-compiled.

hoppel
Posts: 9
Joined: 2009/02/08 14:52:05

solved: Re: strange files, attack leftover?

Post by hoppel » 2010/09/09 19:05:45

Found it (at least half of it): these files are created by rpm if it tries to update an existing file which it can't change because of "chattr +i /usr/bin/write". I did that ages ago after I removed the setuid flag. The strange thing is that the +i was gone on write and chsh and the setuid was back.
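A small triage helper for the situation above, added here as an example and not code from the thread: it scans an ls -l listing (a constructed sample reusing the names from this thread) for name;hex leftovers, decodes the hex suffix on the assumption that it is rpm's transaction id stored as epoch seconds, reports whether the matching base binary still carries setuid/setgid, and decodes rpm -V flag lines such as the S.?..... and .M...... shown earlier.

```python
import re
from datetime import datetime, timezone

# rpm leaves a file it could not replace in place as <name>;<tid>; tid is rpm's
# transaction id, assumed here to be the transaction start time in epoch seconds.
LEFTOVER_RE = re.compile(r"^(?P<base>.+);(?P<tid>[0-9a-f]{8})$")
# Column order of the rpm -V flag string "SM5DLUGT"
RPM_V_ORDER = ("size", "mode", "digest", "device", "link", "user", "group", "mtime")

def is_setid(mode):
    """True when an ls-style mode has setuid (owner x slot) or setgid (group x slot)."""
    return mode[3] in "sS" or mode[6] in "sS"

def find_leftovers(ls_lines):
    """Scan 'ls -l' output (no -F) for name;tid files.
    Returns [(leftover, base, tid date in UTC, base is setuid/setgid or None if absent)]."""
    modes = {}
    for line in ls_lines:
        parts = line.split(None, 8)          # mode links user group size Mon DD YYYY name
        if len(parts) == 9:
            modes[parts[8]] = parts[0]
    found = []
    for name in sorted(modes):
        m = LEFTOVER_RE.match(name)
        if m:
            when = datetime.fromtimestamp(int(m["tid"], 16), tz=timezone.utc)
            base_mode = modes.get(m["base"])
            found.append((name, m["base"], when.strftime("%Y-%m-%d"),
                          is_setid(base_mode) if base_mode else None))
    return found

def parse_rpm_verify(line):
    """Decode one 'rpm -V' line into (path, failed checks, checks rpm could not run).
    '.' = passed, '?' = test not performed (e.g. file unreadable by the invoking user),
    any other character = that check failed; 'missing' means the file is gone."""
    cols, _, rest = line.strip().partition(" ")
    path = rest.split()[-1]                  # skips an optional 'c'/'d' file-type marker
    if cols == "missing":
        return path, {"missing"}, set()
    failed = {RPM_V_ORDER[i] for i, ch in enumerate(cols[:8]) if ch not in ".?"}
    unknown = {RPM_V_ORDER[i] for i, ch in enumerate(cols[:8]) if ch == "?"}
    return path, failed, unknown

# Constructed sample built from the listings in this thread (ls -l form, without -F).
LS_SAMPLE = """\
-rwxr-xr-x 1 root root 20360 Jan 20  2010 /usr/bin/chsh
-rw-r--r-- 1 root root 16184 Jan 20  2010 /usr/bin/chsh;4b575e2f
-rwxr-sr-x 1 root tty  14400 Jan 20  2010 /usr/bin/write
-rw-r--r-- 1 root root 10944 Jan 21  2010 /usr/bin/write;4b57984a
""".splitlines()
```

Under that assumption the suffix of write;4b57984a decodes to 23:56 UTC on 20 January 2010, which is consistent with the "Jan 21" a listing shows in a time zone ahead of UTC.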

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: solved: Re: strange files, attack leftover?

Post by pschaff » 2010/09/12 14:39:59

At least it seems you have determined that the damage was self-inflicted and not due to having been cracked.

hoppel
Posts: 9
Joined: 2009/02/08 14:52:05

Re: solved: Re: strange files, attack leftover?

Post by hoppel » 2010/09/12 17:53:20

No real damage done, but do you know a better way than e.g. "chmod 0755 /usr/bin/write ; chattr +i /usr/bin/write" to avoid having setuid on /usr/bin/write that survives the next update of util-linux?

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: solved: Re: strange files, attack leftover?

Post by pschaff » 2010/09/12 20:00:35

I don't know a better way. I usually leave default file permissions unless I have a very good reason to change them, and a full understanding of the consequences. In this case I have neither. I presume you are doing it in the name of increased security.

hoppel
Posts: 9
Joined: 2009/02/08 14:52:05

Re: solved: Re: strange files, attack leftover?

Post by hoppel » 2010/09/12 21:09:48

[quote]
pschaff wrote:
I don't know a better way. I usually leave default file permissions unless I have a very good reason to change them, and a full understanding of the consequences. In this case I have neither. I presume you are doing it in the name of increased security.[/quote]

The good reason would be:
http://en.wikipedia.org/wiki/Principle_of_least_privilege

And the last time I used write was about 15 years ago; chsh, never.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: solved: Re: strange files, attack leftover?

Post by pschaff » 2010/09/13 18:13:55

I understand the principle, but if in practice it causes breakage, then perhaps it is being misapplied. Maybe you don't need write or chsh, or depend on the default permissions, but other system components may.
[code]
# rpm -q --whatrequires util-linux
portmap-4.0-65.2.2.1
usermode-1.88-3.el5.2
prelink-0.4.0-2.el5
wdaemon-0.14-5
initscripts-8.45.30-2.el5.centos
hal-0.5.8.1-59.el5
[/code]
Layers of security are certainly good, but SELinux can go a long way toward preventing mischief.

hoppel
Posts: 9
Joined: 2009/02/08 14:52:05

Re: solved: Re: strange files, attack leftover?

Post by hoppel » 2010/09/13 19:59:08

In practice SELinux also causes breakage. And I doubt any of those packages needs write or chsh, rather some more useful binary of util-linux:

[font=Courier]
rpm -ql util-linux
/bin/arch
/bin/dmesg
/bin/kill
/bin/logger
/bin/login
/bin/more
/bin/mount
/bin/raw
/bin/taskset
/bin/umount
/etc/pam.d/chfn
/etc/pam.d/chsh
/etc/pam.d/login
/etc/pam.d/remote
/etc/udev/rules.d/60-raw.rules
/sbin/addpart
/sbin/agetty
/sbin/blockdev
/sbin/clock
/sbin/ctrlaltdel
/sbin/delpart
/sbin/fdisk
/sbin/fsck.cramfs
/sbin/hwclock
/sbin/losetup
/sbin/mkfs
/sbin/mkfs.cramfs
/sbin/mkswap
/sbin/nologin
/sbin/partx
/sbin/pivot_root
/sbin/sfdisk
/sbin/swapoff
/sbin/swapon
/usr/bin/cal
/usr/bin/chfn
/usr/bin/chrt
/usr/bin/chsh
/usr/bin/col
/usr/bin/colcrt
/usr/bin/colrm
/usr/bin/column
/usr/bin/ddate
/usr/bin/fdformat
/usr/bin/flock
/usr/bin/floppy
/usr/bin/getopt
/usr/bin/hexdump
/usr/bin/ionice
/usr/bin/ipcrm
/usr/bin/ipcs
/usr/bin/isosize
/usr/bin/kill
/usr/bin/logger
/usr/bin/look
/usr/bin/mcookie
/usr/bin/namei
/usr/bin/rename
/usr/bin/renice
/usr/bin/rev
/usr/bin/script
/usr/bin/setsid
/usr/bin/setterm
/usr/bin/tailf
/usr/bin/ul
/usr/bin/whereis
/usr/bin/write
/usr/sbin/hwclock
/usr/sbin/readprofile
/usr/sbin/tunelp
/usr/sbin/vigr
/usr/sbin/vipw
...
[/font]

Anyway, rpm should have a reasonable way to avoid unneeded setuid programs.
