strange files, attack leftover?

Support for security such as Firewalls and securing linux
hoppel
Posts: 9
Joined: 2009/02/08 14:52:05

strange files, attack leftover?

Post by hoppel » 2010/09/08 15:58:36

hello,

i found some strange files in my /usr/bin with a semicolon in their name, who in his mind would use that on purpose? the files are both related to suid-files which makes me especially suspicious:

[code]
# ll chsh*
-rwsr-xr-x 1 root root 20360 Jan 20 2010 chsh
-rw-r--r-- 1 root root 16184 Jan 20 2010 chsh;4b575e2f
# ll write*
-rwxr-sr-x 1 root tty 14400 Jan 20 2010 write
-rw-r--r-- 1 root root 10944 Jan 20 2010 write;4b575e87
-rw-r--r-- 1 root root 10944 Jan 21 2010 write;4b57984a

# file chsh\;4b575e2f
chsh;4b575e2f: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for
GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped

# ldd chsh\;4b575e2f
ldd: warning: you do not have execution permission for `./chsh;4b575e2f'
/usr/bin/ldd: line 116: ./chsh;4b575e2f: Permission denied
[/code][Moderator edit: Added [i]code[/i] tags to preserve formatting.]

any ideas?

hop

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

strange files, attack leftover?

Post by pschaff » 2010/09/08 18:37:22

[code]
[pschaffn@c5 ~]$ ls -lF /usr/bin/chsh* /usr/bin/write*
-rws--x--x 1 root root 19096 Jan 20 2010 /usr/bin/chsh*
-rwxr-sr-x 1 root tty 10984 Jan 20 2010 /usr/bin/write*
[pschaffn@c5 ~]$ rpm -qf /usr/bin/chsh
util-linux-2.13-0.52.el5_4.1.i386
[pschaffn@c5 ~]$ rpm -qf /usr/bin/write
util-linux-2.13-0.52.el5_4.1.i386
[pschaffn@c5 ~]$ rpm -V util-linux
S.?..... /usr/bin/chfn
S.?..... /usr/bin/chsh
[pschaffn@c5 ~]$ [/code]

What do you see?

Please show[code]
file /usr/bin/chsh /usr/bin/write
uname -rmi
rpm -q centos-release[/code]

hoppel
Posts: 9
Joined: 2009/02/08 14:52:05

Re: strange files, attack leftover?

Post by hoppel » 2010/09/08 19:53:38

[code]
# ls -lF /usr/bin/chsh* /usr/bin/write*
-rwxr-xr-x 1 root root 20360 Jan 20 2010 /usr/bin/chsh*
-rw-r--r-- 1 root root 16184 Jan 20 2010 /usr/bin/chsh;4b575e2f
-rwxr-xr-x 1 root tty 14400 Jan 20 2010 /usr/bin/write*
-rw-r--r-- 1 root root 10944 Jan 20 2010 /usr/bin/write;4b575e87
-rw-r--r-- 1 root root 10944 Jan 21 2010 /usr/bin/write;4b57984a
[/code]
i've removed the setuid-flags because i didn't need them anyway.

[code]
# rpm -qf /usr/bin/chsh
util-linux-2.13-0.52.el5_4.1

rpm -qf /usr/bin/write
util-linux-2.13-0.52.el5_4.1
[/code]
next one is because of the removed setuid, if i restore that it shows nothing

[code]
# rpm -V util-linux
.M...... /usr/bin/chfn
.M...... /usr/bin/chsh
.M...... /usr/bin/write

# file /usr/bin/chsh /usr/bin/write
/usr/bin/chsh: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
/usr/bin/write: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped

# uname -rmi
2.6.27.53rootserver-selbstgenudelt x86_64 x86_64
# rpm -q centos-release
centos-release-5-5.el5.centos
[/code]
kernel is self-compiled.

hoppel
Posts: 9
Joined: 2009/02/08 14:52:05

solved: Re: strange files, attack leftover?

Post by hoppel » 2010/09/09 19:05:45

found it (at least half of it): these files are created by rpm if it tries to update an exiting file which it can't change because of "chattr +i /usr/bin/write". i've done that ages ago after i removed the setuid-flag. strange thing, is that the +i was gone on write and chsh and the setuid was back.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: solved: Re: strange files, attack leftover?

Post by pschaff » 2010/09/12 14:39:59

At least it seems you have determined that the damage was self-inflicted and not due to having been cracked.

hoppel
Posts: 9
Joined: 2009/02/08 14:52:05

Re: solved: Re: strange files, attack leftover?

Post by hoppel » 2010/09/12 17:53:20

no real damage done, but do You know a better way than f.e. "chmod 0755 /usr/bin/write ; chattr +i /usr/bin/write" to avoid having setuid on /usr/bin/write which survives the next update of util-linux?

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: solved: Re: strange files, attack leftover?

Post by pschaff » 2010/09/12 20:00:35

I don't know a better way. I usually leave default file permissions unless I have a very good reason to change them, and a full understanding of the consequences. In this case I have neither. I presume you are doing it in the name of increased security.

hoppel
Posts: 9
Joined: 2009/02/08 14:52:05

Re: solved: Re: strange files, attack leftover?

Post by hoppel » 2010/09/12 21:09:48

[quote]
pschaff wrote:
I don't know a better way. I usually leave default file permissions unless I have a very good reason to change them, and a full understanding of the consequences. In this case I have neither. I presume you are doing it in the name of increased security.[/quote]

the good reason would be:
http://en.wikipedia.org/wiki/Principle_of_least_privilege

and the last time i used write was about 15 years, chsh never.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: solved: Re: strange files, attack leftover?

Post by pschaff » 2010/09/13 18:13:55

I understand the principle, but if in practice it causes breakage, then perhaps it is being misapplied. Maybe you don't need write or chsh, or depend on the default permissions, but other system components may.
[code]
# rpm -q --whatrequires util-linux
portmap-4.0-65.2.2.1
usermode-1.88-3.el5.2
prelink-0.4.0-2.el5
wdaemon-0.14-5
initscripts-8.45.30-2.el5.centos
hal-0.5.8.1-59.el5
[/code]
Layers of security are certainly good, but SELinux can go a long way toward preventing mischief.

hoppel
Posts: 9
Joined: 2009/02/08 14:52:05

Re: solved: Re: strange files, attack leftover?

Post by hoppel » 2010/09/13 19:59:08

In practice SELinux also causes breakage. And i doubt any of those packages needs write or chsh, rather some more usefull binary of util-linux:

[font=Courier]
rpm -ql util-linux
/bin/arch
/bin/dmesg
/bin/kill
/bin/logger
/bin/login
/bin/more
/bin/mount
/bin/raw
/bin/taskset
/bin/umount
/etc/pam.d/chfn
/etc/pam.d/chsh
/etc/pam.d/login
/etc/pam.d/remote
/etc/udev/rules.d/60-raw.rules
/sbin/addpart
/sbin/agetty
/sbin/blockdev
/sbin/clock
/sbin/ctrlaltdel
/sbin/delpart
/sbin/fdisk
/sbin/fsck.cramfs
/sbin/hwclock
/sbin/losetup
/sbin/mkfs
/sbin/mkfs.cramfs
/sbin/mkswap
/sbin/nologin
/sbin/partx
/sbin/pivot_root
/sbin/sfdisk
/sbin/swapoff
/sbin/swapon
/usr/bin/cal
/usr/bin/chfn
/usr/bin/chrt
/usr/bin/chsh
/usr/bin/col
/usr/bin/colcrt
/usr/bin/colrm
/usr/bin/column
/usr/bin/ddate
/usr/bin/fdformat
/usr/bin/flock
/usr/bin/floppy
/usr/bin/getopt
/usr/bin/hexdump
/usr/bin/ionice
/usr/bin/ipcrm
/usr/bin/ipcs
/usr/bin/isosize
/usr/bin/kill
/usr/bin/logger
/usr/bin/look
/usr/bin/mcookie
/usr/bin/namei
/usr/bin/rename
/usr/bin/renice
/usr/bin/rev
/usr/bin/script
/usr/bin/setsid
/usr/bin/setterm
/usr/bin/tailf
/usr/bin/ul
/usr/bin/whereis
/usr/bin/write
/usr/sbin/hwclock
/usr/sbin/readprofile
/usr/sbin/tunelp
/usr/sbin/vigr
/usr/sbin/vipw
...
[/font]

Anyway, rpm should have a reasonable way to avoid unneeded setuid-programms.

Post Reply

Return to “CentOS 5 - Security Support”