Wow (Score:5, Insightful)
"other than a modified 'httpd' file,"
It's completely invisible, as long as you're blind.
Re:Wow (Score:5, Insightful)
when was the last time you checked your httpd file?
Re:Wow (Score:4, Informative)
rpm -V httpd ?
Not that difficult to put in a cron job.
Re:Wow (Score:4, Interesting)
Who even does that in the first place? OpenBSD gives you a daily email containing all changes to config files that have occurred.
Re:Wow (Score:5, Informative)
rpm -V httpd ?
That won't work for this particular attack surface, because cPanel installs Apache itself and doesn't use a package manager. As far as rpm is concerned, Apache isn't installed to verify.
Re:Wow (Score:5, Insightful)
The solution to this is be a big boy and don't use cPanel.
Re:Wow (Score:4, Informative)
rpm -V httpd ?
Not that difficult to put in a cron job.
Cited FA [sucuri.net]:
In our previous posts, we recommended the utilization of tools like “rpm -Va” or “rpm -qf” or “dpkg -S” to see if the Apache modules were modified. However, those techniques won’t work against this backdoor. Since cPanel installs Apache inside /usr/local/apache and does not utilize the package managers, there is no single and simple command to detect if the Apache binary was modified.
Yeah, you'd be vulnerable if your apache installation is done using cpanel (as many hosting providers are).
Re:Wow (Score:5, Informative)
when was the last time you checked your httpd file?
If you're using tripwire or another similar tool and it's properly configured, then you should be notified of file changes.
As long as you're paying attention, this doesn't seem like much of an issue.
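The three posts above all circle the same gap: rpm -V covers a packaged httpd, but a cPanel tree under /usr/local/apache is invisible to the package manager, so you need your own baseline (tripwire, or something smaller). The script below is an added example, not code from this thread, from cPanel or from the Sucuri article: it records SHA-256 sums for every file in a directory and later diffs a fresh manifest against the stored one, so replaced binaries, added modules and removed files are all reported. Assumptions: sha256sum, find, sort and diff are available; the stored manifest lives somewhere the web server's uid cannot write (a read-only mount or another host); the demo's directory contents are constructed stand-ins, not real Apache files.

```shell
#!/bin/sh
# Added example (not from the thread, cPanel or Sucuri): integrity baseline for
# a tree no package manager tracks, e.g. cPanel's /usr/local/apache.
# Assumes sha256sum(1), find(1), sort(1), diff(1); keep the manifest where the
# web server's own uid cannot write it.

# make_baseline DIR MANIFEST
# Write "sha256  ./relative/path" for every regular file under DIR, sorted by
# path so two manifests of an identical tree are byte-for-byte equal.
make_baseline() {
    mb_dir=$1
    mb_out=$2
    ( cd "$mb_dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$mb_out"
}

# verify_baseline DIR MANIFEST
# Rebuild the manifest and diff it against the stored one. Unlike "sha256sum -c"
# a diff also shows files that were added or removed, not only changed hashes.
# Returns 0 when the tree matches, 1 otherwise; findings go to stdout, which is
# what cron mails to root.
verify_baseline() {
    vb_dir=$1
    vb_manifest=$2
    vb_current=$(mktemp) || return 2
    make_baseline "$vb_dir" "$vb_current"
    if diff "$vb_manifest" "$vb_current" > /dev/null 2>&1; then
        rm -f "$vb_current"
        return 0
    fi
    echo "integrity check FAILED for $vb_dir:"
    diff "$vb_manifest" "$vb_current" || true
    rm -f "$vb_current"
    return 1
}

# demo: build a constructed stand-in for /usr/local/apache in a temp dir,
# baseline it, then alter bin/httpd (the file the thread is about) and confirm
# the check flags it. Returns 0 when the change was detected.
demo() {
    tree=$(mktemp -d) || return 2
    demo_manifest=$(mktemp) || return 2
    mkdir -p "$tree/bin" "$tree/modules"
    printf 'constructed stand-in for the httpd binary\n' > "$tree/bin/httpd"
    printf 'constructed stand-in for a module\n' > "$tree/modules/mod_so.so"
    make_baseline "$tree" "$demo_manifest"
    if ! verify_baseline "$tree" "$demo_manifest" > /dev/null; then
        echo "clean tree was flagged"
        rm -rf "$tree" "$demo_manifest"
        return 1
    fi
    printf 'appended bytes\n' >> "$tree/bin/httpd"   # simulate a replaced httpd
    if verify_baseline "$tree" "$demo_manifest" > /dev/null; then
        echo "change to bin/httpd NOT detected"
        rm -rf "$tree" "$demo_manifest"
        return 1
    fi
    echo "change to bin/httpd detected"
    rm -rf "$tree" "$demo_manifest"
    return 0
}

demo
```

Run make_baseline once against a known-good install (and again after every cPanel rebuild of Apache, since that legitimately rewrites the tree), then call verify_baseline from a daily cron job; non-empty output is mailed, which gives the same "daily email of changes" the OpenBSD poster describes. The result is only as trustworthy as the manifest and the sha256sum/diff binaries themselves, which is why the manifest belongs off-box or on a read-only mount.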
Just off the top of my head... (Score:4, Informative)
rkhunter and chkrootkit as a quick example.
Two tools which are more or less set and forget, and which also target workstation users.
(Done in the background periodically, no interaction required, except running a small command after an update to avoid triggering a false positive in one case)
Probably hundreds of sysadmin-oriented tools can do it too.
(Checking files for modification is a very sane step to protect against corruption and possible compromise.)
Having the /usr mount read-only and only /var, /tmp & co read-write is a rather sane measure which is also widespread (not only on big server farms, on the technical grounds that /usr might be served over the network, but even some smartphones do it, webOS for example).
On the other hand, a trojan targeting Linux is proof that Linux servers *are* a very valuable infection target, and lower market share at the desktop isn't the only valid argument explaining the scarcity of Linux viruses.
Re: (Score:3)
when was the last time you checked your httpd file?
This morning, debsums and rkhunter didn't report anything that requires attention.
Re: (Score:2)
Mine is checked daily by debsums, along with all other binaries.