Wow (Score:5, Insightful)
"other than a modified 'httpd' file,"
It's completely invisible, as long as you're blind.
Re: (Score:0)
"other than a modified 'httpd' file,"
It's completely invisible, as long as you're blind.
The timestamp, permissions and owner are the same as the rest of the associated files (this infection isn't stupid). I'm sure you could use your x-ray vision to see that it's been replaced by a malicious copy. Please share your expertise with the rest of us.
Re:Wow (Score:3)
rpm -V also checks the MD5 sum of the file - if it's been modified, it should flag a difference in checksums, even if every other bit of metadata is the same.
That said, it's quite easy to believe that lots of people aren't running "rpm -V httpd" regularly on their Linux servers, so all the people responding "DUH, NOOBZ" just sound like dicks. Next time, they should probably try showing off their deep knowledge of rpm by helpfully suggesting "rpm -V will find this, and you should be running this on all your systems regularly," rather than shitting up the comment thread with "I'm not vulnerable, anybody who is must be a fucking idiot."
You are the noob (Score:2)
Re: (Score:0)
TFA actually says that "rpm -V" (or debsums or whatever) doesn't detect it because the vulnerable software is not installed through the package manager, and so is not present in the package database. It's still a modified executable, so tripwire or another host-based intrusion detection system will see it, if it's configured to monitor stuff in /usr/local.
Re: (Score:0)
I read TFA..and the article they point to and then the article that *that* article points to and none of them say anything about the checksum....EXCEPT...
http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
"We also recommend using debsums for Debian or Ubuntu systems and `rpm –verify` for RPM based systems, to verify the integrity of your Apache web server package installation. (However, remember to temper this advice with the reality that the package
Re: (Score:2)
Half right. It doesn't say "the checksum doesn't change" - it points out that cPanel doesn't use a packaging system to install apache - and so rpm -V won't detect changes made to files that weren't installed by rpm in the first place.
Tripwire (or other similar admin tools) can easily detect changes to the binary since a known-good baseline was taken, and report those out to you, as well.
Re: (Score:1)
I read and searched TFA (net-security.org and blog.sucuri.net), and the words "sum", "hash", and "checksum" do not occur on either page.
The closest it comes is saying that the timestamp is the same as the original, and that rpm -V won't work IF you use cPanel--because that's outside the package management system.
They suggest grepping for open_tty, though it would be possible to circumvent that with upx... in which case file would report a corrupted ELF file.
Re: (Score:0)
debsums does the same for debian/ubuntu users by the way.
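A combined check along the lines the thread lays out (package verification where rpm or dpkg owns the file, a Tripwire-style hash baseline where it does not, plus the open_tty string scan and a look with file(1)). This is an added example, not code from the thread or the linked articles; the function names, the /usr/local/apache path and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the linked articles: baseline check
# for an httpd that may sit outside the package database (e.g. a cPanel-built
# /usr/local/apache/bin/httpd, which rpm -V cannot see). Needs GNU coreutils.

# Print the package that owns FILE; return 1 if no package manager
# knows it (the case where rpm -V / debsums have nothing to compare).
package_owner() {
    f="$1"
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$f" >/dev/null 2>&1; then
        rpm -qf "$f"; return 0
    fi
    if command -v dpkg >/dev/null 2>&1 && dpkg -S "$f" >/dev/null 2>&1; then
        dpkg -S "$f" | head -n 1 | cut -d: -f1; return 0
    fi
    return 1
}

# Record the SHA-256 of every regular file under DIR into OUT, the
# known-good baseline. OUT must live outside DIR so it is not hashed.
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# Compare the tree against a baseline: 0 if unchanged, non-zero if any
# file was modified or removed (a preserved timestamp changes nothing here).
check_baseline() {
    sha256sum -c --quiet "$1" >/dev/null 2>&1
}

# The string the thread suggests grepping for. A packed binary hides it,
# so treat a miss as "no evidence", not as "clean".
has_open_tty() {
    grep -q -a 'open_tty' "$1"
}

# Prefer the package manager when it owns the file; otherwise fall back
# to the baseline. Returns non-zero if anything looks wrong.
verify_httpd() {
    bin="$1"; baseline="$2"; rc=0
    if pkg=$(package_owner "$bin"); then
        echo "$bin is owned by $pkg: run 'rpm -V $pkg' or 'debsums -s $pkg'"
    else
        echo "$bin is not in the package database; checking baseline"
        check_baseline "$baseline" || { echo "baseline mismatch under $bin"; rc=1; }
    fi
    has_open_tty "$bin" && { echo "open_tty string present in $bin"; rc=1; }
    command -v file >/dev/null 2>&1 && file "$bin"  # packed/truncated ELF shows here
    return $rc
}
```

Take the baseline right after a clean install or rebuild and keep it off the web server, since a baseline the intruder can rewrite proves nothing.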