Self-modifying coreutils

The server runs Centos 6.7 with WHM 54.0 (build 21) and CSF/LFD v8.16 which monitors various directories, including /bin and /usr/bin.

AT 4am yesterday, LFD notified me that /bin/ls and some other utils had changed. I knew this wasn't due to a cPanel update, as that runs at 4:30am, but I couldn't find out what had changed it, so I ran "yum reinstall coreutils". As expected, LFD then notified me that all the utils in that package had changed. However, at 4am this morning, it notified me that they had all been changed again. This time, before reinstalling them, I took a copy of /bin/ls, so I could compare it before and after, with this result:

Code:

root@server1 [~]# cp -p /bin/ls .
root@server1 [~]# yum reinstall coreutils
Loaded plugins: fastestmirror, security
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
* epel: fedora-epel.mirror.lstn.net
* rpmforge: mirror.team-cymru.org
Resolving Dependencies
--> Running transaction check
---> Package coreutils.x86_64 0:8.4-37.el6_7.3 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================
Package               Arch               Version                    Repository           Size
===============================================================================================
Reinstalling:
coreutils             x86_64             8.4-37.el6_7.3             updates             3.0 M

Transaction Summary
===============================================================================================
Reinstall     1 Package(s)

Total download size: 3.0 M
Installed size: 12 M
Downloading Packages:
coreutils-8.4-37.el6_7.3.x86_64.rpm                                     | 3.0 MB     00:00    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : coreutils-8.4-37.el6_7.3.x86_64                                             1/1
  Verifying  : coreutils-8.4-37.el6_7.3.x86_64                                             1/1

Installed:
  coreutils.x86_64 0:8.4-37.el6_7.3                                                           

Complete!
root@server1 [~]# ls -l /bin/ls ls
-rwxr-xr-x 1 root root 109208 Nov 10 09:43 /bin/ls*
-rwxr-xr-x 1 root root 117024 Nov 10 09:43 ls*

Does cPanel require its own modified versions of those utilities, or could the server be compromised?

 

Yes, /etc/cron.daily/prelink is run from /etc/anacrontab with these parameters:

RANDOM_DELAY=45
START_HOURS_RANGE=3-22
1 5 cron.daily nice run-parts /etc/cron.daily

The log file was created at 03:43, which would explain why LFD reported the file system changes at 04:00.

I think you've put my mind at rest, but I'd already reinstalled a few RPMs today, to check if their contents got modified again. Now that you've revealed the mechanism to me, I'll be able to check the log file in the morning to confirm that this is the case.

Thank you very much!

 

I've disabled prelinking, as documented in your post. I note that later you also suggest SELinux should be disabled. Do I have to be aware of any side-effects if I set SELINUX=disabled in /etc/sysconfig/selinux?

Thanks