The Community Forums


Self-modifying coreutils

Discussion in 'General Discussion' started by Flyer, Mar 25, 2016.

  1. Flyer

    Flyer Member

    The server runs CentOS 6.7 with WHM 54.0 (build 21) and CSF/LFD v8.16, which monitors various directories, including /bin and /usr/bin.

    At 4am yesterday, LFD notified me that /bin/ls and some other utils had changed. I knew this wasn't due to a cPanel update, as that runs at 4:30am, but I couldn't find out what had changed it, so I ran "yum reinstall coreutils". As expected, LFD then notified me that all the utils in that package had changed. However, at 4am this morning, it notified me that they had all been changed again. This time, before reinstalling them, I took a copy of /bin/ls so I could compare it before and after, with this result:

    Code:
    root@server1 [~]# cp -p /bin/ls .
    root@server1 [~]# yum reinstall coreutils
    Loaded plugins: fastestmirror, security
    Setting up Reinstall Process
    Loading mirror speeds from cached hostfile
    * epel: fedora-epel.mirror.lstn.net
    * rpmforge: mirror.team-cymru.org
    Resolving Dependencies
    --> Running transaction check
    ---> Package coreutils.x86_64 0:8.4-37.el6_7.3 will be reinstalled
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ===============================================================================================
    Package               Arch               Version                    Repository           Size
    ===============================================================================================
    Reinstalling:
    coreutils             x86_64             8.4-37.el6_7.3             updates             3.0 M
    
    Transaction Summary
    ===============================================================================================
    Reinstall     1 Package(s)
    
    Total download size: 3.0 M
    Installed size: 12 M
    Downloading Packages:
    coreutils-8.4-37.el6_7.3.x86_64.rpm                                     | 3.0 MB     00:00    
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : coreutils-8.4-37.el6_7.3.x86_64                                             1/1
      Verifying  : coreutils-8.4-37.el6_7.3.x86_64                                             1/1
    
    Installed:
      coreutils.x86_64 0:8.4-37.el6_7.3                                                           
    
    Complete!
    root@server1 [~]# ls -l /bin/ls ls
    -rwxr-xr-x 1 root root 109208 Nov 10 09:43 /bin/ls*
    -rwxr-xr-x 1 root root 117024 Nov 10 09:43 ls*
    
    Does cPanel require its own modified versions of those utilities, or could the server be compromised?
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Check /var/log/yum to verify if the package was installed or upgraded before you did so yourself. cPanel does not modify these binaries, so this isn't really looking very good from a security perspective.
     
  3. sparek-3

    sparek-3 Well-Known Member

    See if any prelinking has been done. Do you have a /var/log/prelink/prelink.log file? Do you have a /etc/cron.daily/prelink file?
     
  4. Flyer

    Flyer Member

    Yes, /etc/cron.daily/prelink is run from /etc/anacrontab with these parameters:

    RANDOM_DELAY=45
    START_HOURS_RANGE=3-22
    1 5 cron.daily nice run-parts /etc/cron.daily

    The log file was created at 03:43, which would explain why LFD reported the file system changes at 04:00.

    I think you've put my mind at rest, but I'd already reinstalled a few RPMs today, to check if their contents got modified again. Now that you've revealed the mechanism to me, I'll be able to check the log file in the morning to confirm that this is the case.

    Thank you very much!
     
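Given the mechanism Flyer describes above (the prelink cron job rewrites package-owned binaries, and LFD then reports them as changed), a defender wants to tell prelink noise from a real modification without reinstalling the package. The following script is an added example, not from the thread, CSF or cPanel; it assumes an RPM-based host whose rpm database records SHA-256 file digests (as EL6 packages do), and the function names are hypothetical.

```shell
#!/bin/sh
# Triage an LFD "file changed" alert for a package-owned binary.
# Hypothetical helper (not from the thread, CSF or cPanel): prelink rewrites
# the ELF on disk, but `prelink -y FILE` reproduces the original bytes, so a
# digest of that output can be checked against the RPM database record.

# SHA-256 of a file's original (un-prelinked) content. Falls back to the raw
# file when prelink is not installed or the file carries no prelink data.
orig_digest() {
    f="$1"
    tmp=$(mktemp) || return 1
    if command -v prelink >/dev/null 2>&1 && prelink -y "$f" >"$tmp" 2>/dev/null; then
        sha256sum <"$tmp" | cut -d' ' -f1
    else
        sha256sum <"$f" | cut -d' ' -f1
    fi
    rm -f "$tmp"
}

# Digest the rpm database recorded for this path when the package was installed.
# `rpm -q --dump` fields: path size mtime digest mode owner group isconfig isdoc rdev symlink
rpm_digest() {
    pkg="$1" f="$2"
    rpm -q --dump "$pkg" 2>/dev/null | awk -v p="$f" '$1 == p { print $4; exit }'
}

# Exit status: 0 = un-prelinked content matches the package (alert explained by
# prelink), 1 = content really differs (reinstall and investigate),
# 2 = path is not owned by any installed package (no baseline to compare).
classify_change() {
    f="$1"
    pkg=$(rpm -qf "$f" 2>/dev/null) || return 2
    expected=$(rpm_digest "$pkg" "$f")
    [ -n "$expected" ] || return 2
    actual=$(orig_digest "$f")
    if [ "$expected" = "$actual" ]; then
        echo "$f: matches $pkg after undoing prelink"
        return 0
    fi
    echo "$f: differs from $pkg record; reinstall and investigate"
    return 1
}

# Usage: walk the paths named in the LFD notification, e.g.
# for f in /bin/ls /bin/cp; do classify_change "$f"; done
```

On EL6, `rpm -V coreutils` performs the same prelink-aware comparison for a whole package; this script narrows it to the individual paths LFD named.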
  5. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Hello,

    Please see my post here regarding disabling Prelinking.
     
  6. Flyer

    Flyer Member

    I've disabled prelinking, as documented in your post. I note that later you also suggest SELinux should be disabled. Do I have to be aware of any side-effects if I set SELINUX=disabled in /etc/sysconfig/selinux?

    Thanks
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
