Wow (Score:5, Insightful)
"other than a modified 'httpd' file,"
It's completely invisible, as long as you're blind.
chattr +i anyone? (Score:2)
chattr +i anyone?
just unchattr when you need to update httpd/apache
more interesting is where the hole/holes are in cpanel
Re: (Score:2)
interesting, the backdoor uses chattr
Re: (Score:1)
Which of course makes for easy detection (lsattr -R), if you don't use chattr yourself.
Re:chattr +i anyone? (Score:2)
Which of course makes for easy detection (lsattr -R), if you don't use chattr yourself.
Exactly. Almost all rooted servers I've seen have the modified binaries (that hide things) made immutable. Insanely stupid. I don't know anyone that uses immutability for anything under normal circumstances so immutable files will stand out.
A daily scan like this:
find / -type f -exec lsattr -a {} \; | grep -- '----i'
will find all immutable files on your system.
Run it from a crontab and you'll get notified by mail. It produces no output when it doesn't find anything so you'll only get a mail when something is found.
Of course a rootkit may also modify lsattr and chattr but I've never heard of that (yet).
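The daily scan described above, written out as a cron-friendly POSIX shell script. This is an added example, not code posted in the thread. It assumes the e2fsprogs lsattr output format of "<attribute string> <path>" and checks the attribute field for the lowercase i flag rather than matching a fixed "----i" prefix, so files that also carry the s, u, S or D flags are not missed; the allowlist file path is a hypothetical addition for paths you made immutable yourself.

```shell
#!/bin/sh
# Added example (not from the thread): scan for immutable files the way the
# comment above suggests, suitable for a daily crontab entry.
# Assumption: lsattr prints one line per file as "<attrs> <path>", with the
# immutable flag shown as a lowercase 'i' inside the attribute field.
# The allowlist file (hypothetical, one absolute path per line) holds files
# you deliberately made immutable so they do not page you every day.

# Read lsattr lines on stdin; print the path of every file whose attribute
# field contains the immutable flag. Uppercase 'I' (indexed directory) is a
# different flag and is deliberately not matched.
immutable_from_lsattr() {
    awk '
        index($1, "i") > 0 {
            path = $0
            sub(/^[^ ]+ /, "", path)   # drop the attribute field, keep the path
            print path
        }'
}

# Drop paths that appear verbatim in the allowlist file, if one is given.
filter_allowlist() {
    allow="$1"
    if [ -n "$allow" ] && [ -r "$allow" ]; then
        grep -vxF -f "$allow"
    else
        cat
    fi
}

# Walk one filesystem (-xdev) and list attributes of files and directories.
# lsattr -d reports a directory's own flags instead of its contents.
# stderr is discarded because lsattr complains about files on filesystems
# that have no attribute support (proc, sysfs, some tmpfs).
# Prints nothing when nothing is found, so cron only mails on a hit.
scan_immutable() {
    root="$1"; allow="$2"
    find "$root" -xdev \( -type f -o -type d \) -exec lsattr -d {} + 2>/dev/null \
        | immutable_from_lsattr | filter_allowlist "$allow"
}

# Entry point when run as a script: scan_immutable ROOT [ALLOWLIST].
# Guarded so that sourcing the file for its functions runs no scan.
if [ -n "${1:-}" ]; then
    scan_immutable "$1" "${2:-}"
fi
```

Install it as, for example, `0 3 * * * /usr/local/sbin/immutable-scan.sh / /etc/immutable.allow` and cron mails the output only when a path is printed. Since the thread notes a rootkit could also replace lsattr and chattr, verify those binaries against the package database (`rpm -V e2fsprogs` or `debsums e2fsprogs`) before trusting a clean result.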