Wow (Score:5, Insightful)
"other than a modified 'httpd' file,"
It's completely invisible, as long as you're blind.
chattr +i anyone? (Score:2)
chattr +i anyone?
just unchattr when you need to update httpd/apache
more interesting is where the hole/holes are in cpanel
Re: (Score:2)
interesting, the backdoor uses chattr
Re:chattr +i anyone? (Score:1)
Which of course makes for easy detection (lsattr -R), if you don't use chattr yourself.
Re: (Score:2)
Which of course makes for easy detection (lsattr -R), if you don't use chattr yourself.
Exactly. Almost all rooted servers I've seen have the modified binaries (that hide things) made immutable. Insanely stupid. I don't know anyone that uses immutability for anything under normal circumstances so immutable files will stand out.
A daily scan like this:
find / -type f -exec lsattr -a {} \; | grep -- '----i'
will find all immutable files on your system.
Run it from a crontab and you'll get notified by mail. It produces no output when it doesn't find anything so you'll only get a mail when something i
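A fleshed-out version of that daily scan, added here as an example and not posted by anyone in the thread. It keeps the same idea (no output on a clean system, so cron only mails when something shows up) but parses lsattr's flag column itself instead of relying on the 'i' landing at a fixed offset, batches files into lsattr rather than forking once per file, and skips an allowlist of paths you deliberately made immutable. The allowlist path /etc/immutable.allow and the script location in the cron comment are assumptions, not anything the thread mentions.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-friendly immutable-file scan whose
# parsing step can be exercised offline on constructed lsattr output lines.
# Assumed paths: /etc/immutable.allow (allowlist), /usr/local/sbin/immutable-scan.sh.

# Print the paths of files whose lsattr flags include 'i' (immutable), skipping
# any path listed in the allowlist file (one absolute path per line).
# stdin: lsattr output, e.g. "----i---------e------- /usr/sbin/httpd"
# $1:    allowlist file; defaults to /dev/null (allow nothing)
immutable_from_lsattr() {
    allow="${1:-/dev/null}"
    awk -v allow="$allow" '
        BEGIN { while ((getline line < allow) > 0) if (line != "") ok[line] = 1 }
        # Field 1 is the flag string. Lowercase i is only ever the immutable
        # flag (indexed directory is uppercase I), so its column does not matter.
        index($1, "i") > 0 {
            path = substr($0, length($1) + 2)   # keeps paths containing spaces
            if (!(path in ok)) print path
        }'
}

# Enumerate regular files and run lsattr over them in batches (xargs), which is
# far faster than -exec ... \; per file. Pseudo-filesystems are pruned because
# lsattr cannot read attributes there and would only produce error noise.
scan_immutable() {
    find / \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o \
        -type f -print0 2>/dev/null \
        | xargs -0 lsattr 2>/dev/null \
        | immutable_from_lsattr "${1:-/etc/immutable.allow}"
}

# Assumed cron entry:  0 4 * * * root /usr/local/sbin/immutable-scan.sh --scan
# Output is empty on a clean system, so cron mails the admin only when a file
# outside the allowlist has been made immutable.
if [ "${1:-}" = "--scan" ]; then
    scan_immutable "${2:-}"
fi
```

Anything that prints is worth a look: a legitimately immutable file goes into the allowlist once, and everything else is a modified binary somebody did not want you to overwrite.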