Wow (Score:5, Insightful)
"other than a modified 'httpd' file,"
It's completely invisible, as long as you're blind.
Re:Wow (Score:5, Insightful)
when was the last time you checked your httpd file?
Re:Wow (Score:4, Informative)
rpm -V httpd ?
Not that difficult to put in a cron job.
Re:Wow (Score:4, Interesting)
Who even does that in the first place? OpenBSD gives you a daily email containing all changes to config files that have occurred.
Re:Wow (Score:5, Informative)
rpm -V httpd ?
That won't work for this particular attack surface, because cPanel installs Apache itself and doesn't use a package manager. As far as rpm is concerned, Apache isn't installed to verify.
Re:Wow (Score:5, Insightful)
The solution to this is be a big boy and don't use cPanel.
Re:Wow (Score:4, Informative)
rpm -V httpd ?
Not that difficult to put in a cron job.
Cited FA [sucuri.net]:
In our previous posts, we recommended the utilization of tools like “rpm -Va” or “rpm -qf” or “dpkg -S” to see if the Apache modules were modified. However, those techniques won’t work against this backdoor. Since cPanel installs Apache inside /usr/local/apache and does not utilize the package managers, there is no single and simple command to detect if the Apache binary was modified.
Yeah, you'd be vulnerable if your Apache installation is done using cPanel (as many hosting providers are).
Re:Wow (Score:5, Informative)
when was the last time you checked your httpd file?
If you're using tripwire or another similar tool and it's properly configured, then you should be notified of file changes.
As long as you're paying attention, this doesn't seem like much of an issue.
Just off the top of my head... (Score:4, Informative)
rkhunter and chkrootkit as a quick example.
two tools which are more or less set and forget, and which also target workstation users.
(Done in background periodically, no interaction required, except running a small command after an update to avoid triggering false positive in one case)
Probably hundreds of sysadmin-oriented tools can do it too.
(checking files for modification is a very sane step to protect against corruption and possible compromise)
Having the /usr mount read-only and only /var, /tmp & co read-write is a rather sane measure which is also widespread (not only on big server farms, on the technical grounds that /usr might be served over the network, but even some smartphones do it, webOS for example).
On the other hand, a trojan targeting Linux is proof that Linux servers *are* a very valuable infection target, and lower market share at the desktop isn't the only valid argument explaining the scarcity of Linux viruses.
Re: (Score:3)
when was the last time you checked your httpd file?
This morning, debsums and rkhunter didn't report anything that requires attention.
Re: (Score:2)
Mine is checked daily by debsums, along with all other binaries.
Re: (Score:3)
And I liked how they left out whatever it inserts (or deletes from) the httpd.conf file
So tell us what exactly it inserts (or deletes from) the httpd.conf file without modifying the Apache configuration?
Re: (Score:1)
The timestamp, permissions and owner are the same as the rest of the associated files (this infection isn't stupid). I'm sure you could use your x-ray vision to see that it's been replaced by a malicious copy. Please share your expertise with the rest of us.
md5sum /usr/sbin/httpd
Re: (Score:3)
rpm -V also checks the MD5 sum of the file - if it's been modified, it should flag a difference in checksums, even if every other bit of metadata is the same.
That said, it's quite easy to believe that lots of people aren't running "rpm -V httpd" regularly on their Linux servers, so all the people responding "DUH, NOOBZ" just sound like dicks. Next time, they should probably try showing off their deep knowledge of rpm by helpfully suggesting "rpm -V will find this, and you should be running this on all your
You are the noob (Score:2)
Re: (Score:2)
Half right. It doesn't say "the checksum doesn't change" - it points out that cPanel doesn't use a packaging system to install apache - and so rpm -V won't detect changes made to files that weren't installed by rpm in the first place.
Tripwire (or other similar admin tools) can easily detect changes to the binary since a known-good baseline was taken, and report those out to you, as well.
Re: (Score:1)
I read and searched TFA (net-security.org and blog.sucuri.net), and the words "sum", "hash", and "checksum" do not occur on either page.
The closest it comes is saying that the timestamp is the same as the original, and that rpm -V won't work IF you use cPanel--because that's outside the package management system.
They suggest grepping for open_tty, though it would be possible to circumvent that with upx...
in which case file would report a corrupted ELF file.
Re: (Score:2)
Well, for n00bs like you, yes, you will never see it.
The rest of us get a tripwire alert that a watched binary was changed. You are using security software on your publicly accessed servers right?
Re: (Score:2)
Any host-based intrusion detection system will have a hash of the executable, and will report when it changes. This is not some new cutting-edge security precaution, it's routine for many, many installations.
chattr +i anyone? (Score:2)
chattr +i anyone?
Just unchattr when you need to update httpd/apache.
More interesting is where the hole/holes are in cPanel.
Re: (Score:1)
Interestingly enough, the modified httpd is apparently write protected the same way. At least according to a Google translation of a news article referenced from the Wikipedia article on cPanel. http://en.wikipedia.org/wiki/CPanel#cite_note-11
Re: (Score:2)
Interesting, the backdoor uses chattr.
Re: (Score:1)
Which of course makes for easy detection (lsattr -R), if you don't use chattr yourself.
Re: (Score:2)
Which of course makes for easy detection (lsattr -R), if you don't use chattr yourself.
Exactly. Almost all rooted servers I've seen have the modified binaries (that hide things) made immutable. Insanely stupid. I don't know anyone that uses immutability for anything under normal circumstances so immutable files will stand out.
A daily scan like this:
find / -type f -exec lsattr -a {} \; | grep -- '----i'
will find all immutable files on your system.
Run it from a crontab and you'll get notified by mail. It produces no output when it doesn't find anything so you'll only get a mail when something i
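The two detection ideas from this thread in one script, as an added example that is not code from any of the posters: a sha256 baseline for a binary no package manager tracks (the cPanel /usr/local/apache case quoted above, where "rpm -V httpd" has nothing to verify) plus the immutable-flag sweep from the post just above. Tool names, paths and the baseline location are assumptions.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.
# Two checks for a binary that no package manager tracks (the cPanel case:
# Apache lives under /usr/local/apache, so "rpm -V httpd" has nothing to verify):
#   1. a sha256 baseline taken while the host is known-good, re-verified daily;
#   2. the thread's immutable-flag sweep, since chattr +i is rarely used legitimately.
# Assumptions: GNU coreutils sha256sum and e2fsprogs lsattr are present, and the
# baseline file lives where a root-level intruder cannot rewrite it (off-host or
# on read-only media). It must also sit outside the scanned tree, or the baseline
# would hash itself.

# make_baseline DIR BASELINE
# Record the sha256 of every regular file under DIR into BASELINE.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2 > "$2"
}

# verify_baseline BASELINE
# Print only the files whose hash changed or that went missing; exit 0 when
# everything matches, non-zero otherwise. Cron mails any output, so silence
# means clean, the same convention as the lsattr one-liner in the thread.
verify_baseline() {
    sha256sum --check --quiet "$1" 2>&1
}

# find_immutable DIR
# List files carrying the ext2/3/4 immutable flag: an 'i' inside lsattr's first
# (attribute) column, which is what the thread's grep for '----i' matches.
# Needs an ext-family filesystem; errors from other filesystems are discarded.
find_immutable() {
    find "$1" -type f -exec lsattr {} + 2>/dev/null \
        | grep '^[^ ]*i' | sed 's/^[^ ]* //'
}

# Daily cron usage (assumed paths):
#   make_baseline /usr/local/apache /mnt/readonly/apache.sha256  # once, when clean
#   verify_baseline /mnt/readonly/apache.sha256                   # from crontab
#   find_immutable /usr/local/apache                              # from crontab
```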