whitewlf

Member
Jan 14, 2006
9
0
151
The other day I got a notice that saslauthd and a pair of other apps suddenly changed their md5 sums. Not only has nothing updated them, via yum or in logs, but the saslauthd binary is supposed to be from the basic CentOS 4.6 install rpms and they haven't been updated at all by the distro.

I renamed the saslauthd binary, removed the rpms for the other binaries as they weren't needed on the system anyway (nfs-utils), and checked the new saslauthd binary's md5, and it doesn't match. The rpm binary is the same date, but smaller in size.

I sent an email to the cyrus people asking if anyone there might be able to check the strings, etc., for the questionable binary, but they haven't responded. I tried myself, but I do not know what I am looking at; however, the simple command 'strings <binary>' yielded much different results between the binaries by 'diff' of their output.

This worries me a great deal, as saslauthd has access, I believe, to the cleartext side of user logins/passwords... Or at least that is my understanding. If that binary were trojaned, it could relay all login info to a third party, if my understanding of how it works is correct.

I wanted to have this looked at quietly, as it is either a serious security concern or a big idiotic misunderstanding on my part. But, to err on the side of safety, I just gotta ask. We run a tight ship: all updates, suPHP, Suhosin, mod_security, the CSF firewall, a small userbase, and so on, not to blather details.

Can -someone- please tell me if what I am seeing is a real issue here? Preferably, can someone with the skills look at this binary I'm holding and make sure it's not a trojan.


"The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/sbin/rpc.idmapd: FAILED
/usr/sbin/rpc.svcgssd: FAILED
/usr/sbin/saslauthd: FAILED"


md5sum /usr/sbin/saslauth*

2dc76996a6579e6a440e9fb5beca1c72 /usr/sbin/saslauthd
ad8e96168c244492e7d81c4a61ace249 /usr/sbin/saslauthd1-checkpass
9a326d86b0e0fc4237f3161ccdc2b0d4 /usr/sbin/saslauthd.xxxxx <---------Suspect File


ls -la /usr/sbin/saslauthd*
-rwxr-xr-x 1 root root 68148 Sep 4 2007 /usr/sbin/saslauthd*
-rwxr-xr-x 1 root root 8004 Sep 4 2007 /usr/sbin/saslauthd1-checkpass*
-rwxr-xr-x 1 root root 73088 Sep 4 2007 /usr/sbin/saslauthd.xxxxx* <------Suspect File
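The md5/size/strings comparison the post describes, written out as a small added script so the three checks run in one pass (this is an added example, not code from the original post or from Cyrus SASL). The `KNOWN_GOOD` and `SUSPECT` blobs are constructed stand-ins for a packaged binary and a suspect copy, and every path string inside them is a placeholder; on a real box you would pass the two files on the command line, with the known-good copy extracted from a freshly downloaded RPM rather than taken from the same host.

```python
"""Triage a suspect binary against a known-good copy: size, hashes, and a
diff of printable strings (a pure-Python stand-in for `strings | diff`)."""
import hashlib
import re


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, in file order
    (the same default minimum length as the `strings` utility)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def fingerprint(data: bytes) -> dict:
    """Size plus MD5 and SHA-256. MD5 is fine for spotting a change, but an
    attacker who controls the file can target it, so record SHA-256 too."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare_binaries(good: bytes, suspect: bytes, min_len: int = 4) -> dict:
    """Report whether the files differ and which strings occur in only one."""
    good_strings = set(extract_strings(good, min_len))
    suspect_strings = set(extract_strings(suspect, min_len))
    return {
        "identical": good == suspect,
        "good": fingerprint(good),
        "suspect": fingerprint(suspect),
        "only_in_suspect": sorted(suspect_strings - good_strings),
        "only_in_good": sorted(good_strings - suspect_strings),
    }


def triage_report(good: bytes, suspect: bytes) -> list:
    """One human-readable line per finding."""
    r = compare_binaries(good, suspect)
    lines = []
    for label in ("good", "suspect"):
        f = r[label]
        lines.append("%-8s size=%7d md5=%s sha256=%s..."
                     % (label, f["size"], f["md5"], f["sha256"][:16]))
    lines.append("identical" if r["identical"] else "DIFFERENT")
    lines += ["+ " + s for s in r["only_in_suspect"]]
    lines += ["- " + s for s in r["only_in_good"]]
    return lines


# Constructed stand-ins for the two files; NOT the real saslauthd binaries.
# The header is a fake ELF magic, the paths are placeholders.
KNOWN_GOOD = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
              + b"saslauthd\x00/etc/saslauthd.conf\x00pam_authenticate\x00"
              + b"\x01\x02\x03" + b"/var/run/saslauthd/mux\x00")
# Same content with one extra string appended, to give the diff something to show.
SUSPECT = KNOWN_GOOD + b"/var/tmp/.x\x00"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            good, suspect = a.read(), b.read()
    else:
        good, suspect = KNOWN_GOOD, SUSPECT
    print("\n".join(triage_report(good, suspect)))
```

Before reaching for strings, the quicker check on an RPM-based system is `rpm -Vf /usr/sbin/saslauthd`, which compares the on-disk file with what the rpm database recorded at install time and flags size (`S`), digest (`5`) and mtime (`T`) mismatches. Because that database lives on the same host as the suspect file, treat it only as a first pass: download the cyrus-sasl package again from a CentOS mirror, unpack it with `rpm2cpio pkg.rpm | cpio -idm` into a scratch directory, and feed that copy to the script above as the known-good side. An unchanged mtime proves nothing, since `touch` can set it to any value.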
 

whitewlf

Member
Anyone? Bueller?

I take it no one here thinks this is an issue, as I am getting absolutely zero response from here and the cyrus forums, like I'm posting in some alien language.