The Community Forums


saslauthd checksum failed

Discussion in 'General Discussion' started by whitewlf, Mar 19, 2008.

  1. whitewlf (Member, joined Jan 14, 2006):

    The other day I got a notice that saslauthd and a pair of other apps suddenly changed their md5 sums. Not only has nothing updated them, via yum or in logs, but the saslauthd binary is supposed to be from the basic CentOS 4.6 install rpms and they haven't been updated at all by the distro.

    I renamed the saslauthd binary, removed the rpms for the other binaries as they weren't needed on the system anyway (nfs-utils) and checked the new saslauth binary's md5, and it doesn't match. The rpm binary is the same date, but smaller in size.

    I sent an email to the cyrus people asking if anyone there might be able to check the strings, etc for the questionable binary, but, they haven't responded. I tried myself, but I do not know what I am looking at, however, the simple command 'strings <binary>' yielded much different results between the binaries by 'diff' of their output.

    This worries me a great deal, as saslauthd has access, I believe, to the cleartext portion side of user logins/passwords... Or at least that is my understanding. If that binary were trojaned, it could relay all login info to a third party, if my understanding of how it works is correct.

    I wanted to have this looked at quietly, as it is either serious security concern, or, a big idiotic misunderstanding on my part. But, to err on the side of safety, I just gotta ask. We run a tight ship, all updates, suphp, suhosin, mod sec, csf firewall, small userbase, and so on, not to blather details.

    Can -someone- please tell me if what I am seeing is a real issue here? Preferably, can someone with the skills look at this binary I'm holding and make sure it's not a trojan.


    "The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

    /usr/sbin/rpc.idmapd: FAILED
    /usr/sbin/rpc.svcgssd: FAILED
    /usr/sbin/saslauthd: FAILED"


    md5sum /usr/sbin/saslauth*

    2dc76996a6579e6a440e9fb5beca1c72 /usr/sbin/saslauthd
    ad8e96168c244492e7d81c4a61ace249 /usr/sbin/saslauthd1-checkpass
    9a326d86b0e0fc4237f3161ccdc2b0d4 /usr/sbin/saslauthd.xxxxx <---------Suspect File


    ls -la /usr/sbin/saslauthd*
    -rwxr-xr-x 1 root root 68148 Sep 4 2007 /usr/sbin/saslauthd*
    -rwxr-xr-x 1 root root 8004 Sep 4 2007 /usr/sbin/saslauthd1-checkpass*
    -rwxr-xr-x 1 root root 73088 Sep 4 2007 /usr/sbin/saslauthd.xxxxx* <------Suspect File
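The check the poster is reacting to is a baseline comparison: a stored digest per file, re-computed later, with any mismatch reported as FAILED. The script below is an added example, not cPanel's or whitewlf's code; it reproduces that logic over constructed sample files in a temporary directory, records size and mtime alongside the digest, and flags the exact pattern in the listing above (same timestamp, different size and hash). File names, contents and the `demo()` helper are all assumptions made for the example; SHA-256 is used in place of MD5 because MD5 collisions are cheap to produce.

```python
#!/usr/bin/env python3
"""Baseline integrity check in the style of the md5sum report quoted above.

Added example, not part of the forum thread or of cPanel. The baseline must be
stored off-host (or on read-only media): anything with root on the box that can
swap /usr/sbin/saslauthd can also rewrite a baseline kept on the same disk.
"""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Stream a file through hashlib so large binaries do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algo="sha256"):
    """Record digest, size and mtime for each path: {path: {...}}."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {
            "digest": file_digest(p, algo),
            "size": st.st_size,
            "mtime": int(st.st_mtime),
        }
    return baseline


def check_baseline(baseline, algo="sha256"):
    """Return a list of (path, status, details) tuples.

    status is OK, FAILED or MISSING. For FAILED, details carries the size
    delta and whether the mtime still matches the baseline: a changed digest
    with an unchanged mtime is worth more attention than a routine update,
    since package managers leave a fresh timestamp and an attacker who
    resets one does not.
    """
    results = []
    for p, rec in baseline.items():
        if not os.path.exists(p):
            results.append((p, "MISSING", {}))
            continue
        st = os.stat(p)
        if file_digest(p, algo) == rec["digest"]:
            results.append((p, "OK", {}))
            continue
        details = {
            "size_delta": st.st_size - rec["size"],
            "mtime_unchanged": int(st.st_mtime) == rec["mtime"],
        }
        results.append((p, "FAILED", details))
    return results


def format_report(results):
    """Render FAILED/MISSING entries in the same style as the quoted notice."""
    lines = [f"{p}: {status}" for p, status, _ in results if status != "OK"]
    return "\n".join(lines)


def demo():
    """Constructed scenario: three files baselined, one replaced with its
    timestamp put back, mirroring the listing in the post. Returns a dict
    keyed by basename so callers (and the test) can inspect each result."""
    tmp = tempfile.mkdtemp()
    paths = []
    # Constructed sample contents; real binaries are irrelevant to the logic.
    for name, content in (("rpc.idmapd", b"A" * 100),
                          ("saslauthd", b"B" * 200),
                          ("sshd", b"C" * 300)):
        p = os.path.join(tmp, name)
        with open(p, "wb") as fh:
            fh.write(content)
        paths.append(p)
    baseline = build_baseline(paths)

    # Simulate an unexpected replacement: larger file, same mtime as before.
    target = paths[1]
    old_mtime = os.stat(target).st_mtime
    with open(target, "wb") as fh:
        fh.write(b"B" * 200 + b"\x00" * 50)
    os.utime(target, (old_mtime, old_mtime))

    results = check_baseline(baseline)
    return {os.path.basename(p): (status, details) for p, status, details in results}


if __name__ == "__main__":
    out = demo()
    for name, (status, details) in out.items():
        print(f"{name}: {status} {details if details else ''}")
```

A mismatch only says the file differs from what was baselined; to decide whether the difference is an update or a substitution, compare the file against the package rather than against the host's own records (on an RPM system, `rpm -Vf /usr/sbin/saslauthd` checks it against the package database, with the same caveat that a root-level intruder can alter that database too), and keep the digest of the pristine binary from install media somewhere the host cannot reach.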
     
  2. whitewlf (Member, joined Jan 14, 2006):

    Anyone? Bueller?

    I take it no one here thinks this is an issue as I am getting an absolute zero response from here and the cyrus forums, like I'm posting in some alien language.
     
