It's completely invisible, as long as you're blind.
The timestamp, permissions and owner are the same as the rest of the associated files (this infection isn't stupid). I'm sure you could use your x-ray vision to see that it's been replaced by a malicious copy. Please share your expertise with the rest of us.
rpm -V also checks the MD5 sum of the file - if it's been modified, it should flag a difference in checksums, even if every other bit of metadata is the same.
That said, it's quite easy to believe that lots of people aren't running "rpm -V httpd" regularly on their Linux servers, so all the people responding "DUH, NOOBZ" just sound like dicks. Next time, they should probably try showing off their deep knowledge of rpm by helpfully suggesting "rpm -V will find this, and you should be running this on all your systems regularly," rather than shitting up the comment thread with "I'm not vulnerable, anybody who is must be a fucking idiot."
Half right. It doesn't say "the checksum doesn't change" - it points out that cPanel doesn't use a packaging system to install apache - and so rpm -V won't detect changes made to files that weren't installed by rpm in the first place.
Tripwire (or other similar admin tools) can easily detect changes to the binary since a known-good baseline was taken, and report those out to you, as well.
I read and searched TFA (net-security.org and blog.sucuri.net), and the words "sum", "hash", and "checksum" do not occur on either page.
The closest it comes is saying that the timestamp is the same as the original, and that rpm -V won't work IF you use cPanel--because that's outside the package management system.
They suggest grepping for open_tty, though it would be possible to circumvent that with upx... in which case file would report a corrupted ELF file.
Wow (Score:5, Insightful)
"other than a modified 'httpd' file,"
It's completely invisible, as long as you're blind.
Re: (Score:0)
"other than a modified 'httpd' file,"
It's completely invisible, as long as you're blind.
The timestamp, permissions and owner are the same as the rest of the associated files (this infection isn't stupid). I'm sure you could use your x-ray vision to see that it's been replaced by a malicious copy. Please share your expertise with the rest of us.
Re:Wow (Score:3)
rpm -V also checks the MD5 sum of the file - if it's been modified, it should flag a difference in checksums, even if every other bit of metadata is the same.
That said, it's quite easy to believe that lots of people aren't running "rpm -V httpd" regularly on their Linux servers, so all the people responding "DUH, NOOBZ" just sound like dicks. Next time, they should probably try showing off their deep knowledge of rpm by helpfully suggesting "rpm -V will find this, and you should be running this on all your systems regularly," rather than shitting up the comment thread with "I'm not vulnerable, anybody who is must be a fucking idiot."
You are the noob (Score:2)
Re: (Score:2)
Half right. It doesn't say "the checksum doesn't change" - it points out that cPanel doesn't use a packaging system to install apache - and so rpm -V won't detect changes made to files that weren't installed by rpm in the first place.
Tripwire (or other similar admin tools) can easily detect changes to the binary since a known-good baseline was taken, and report those out to you, as well.
Re: (Score:1)
I read and searched TFA (net-security.org and blog.sucuri.net), and the words "sum", "hash", and "checksum" do not occur on either page.
The closest it comes is saying that the timestamp is the same as the original, and that rpm -V won't work IF you use cPanel--because that's outside the package management system.
They suggest grepping for open_tty, though it would be possible to circumvent that with upx...
in which case file would report a corrupted ELF file.