
unexpected /bin/su permission changed

Discussion in 'Security' started by leonep, Jul 13, 2018.

  1. leonep

    leonep Well-Known Member

    Joined:
    Nov 18, 2014
    Messages:
    89
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Pescara
    cPanel Access Level:
    Root Administrator
    Hi,
    Today I have a warning message from RkHunter:

    Warning: The file properties have changed:
    File: /bin/su
    Current permissions: 4750 Stored permissions: 4755
    Current gid: 10 Stored gid: 0

    The last update about coreutils was on 3 July:

    root@host1 [/bin]# grep coreutils /var/log/yum.log
    Jul 03 22:02:07 Updated: coreutils-libs-8.4-47.el6.x86_64
    Jul 03 22:02:09 Updated: coreutils-8.4-47.el6.x86_64

    root@host1 [/]# ls -l /bin/su
    -rwsr-x--- 1 root wheel 34904 Jun 19 17:15 /bin/su*

    I would like to understand if this change can be safe or needs investigation...
    Thanks
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,838
    Likes Received:
    276
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @leonep


    While I don't know what caused rkhunter to see the change, those are the correct permissions for /bin/su. I double checked on two separate test servers:

    Code:
    [root@server ~]# stat /bin/su
      File: ‘/bin/su’
      Size: 32184         Blocks: 64         IO Block: 4096   regular file
    Device: fd01h/64769d    Inode: 925656      Links: 1
    Access: (4750/-rwsr-x---)  Uid: (    0/    root)   Gid: (   10/   wheel)
    Access: 2018-07-12 13:21:55.220225691 +0000
    Modify: 2018-04-11 06:50:28.000000000 +0000
    Change: 2018-07-12 05:18:25.358119535 +0000
     Birth: -
    Code:
    [root@v70 ~]# stat /bin/su
      File: ‘/bin/su’
      Size: 32184         Blocks: 64         IO Block: 4096   regular file
    Device: fd01h/64769d    Inode: 86162       Links: 1
    Access: (4750/-rwsr-x---)  Uid: (    0/    root)   Gid: (   10/   wheel)
    Access: 2018-04-11 01:50:28.000000000 -0500
    Modify: 2018-04-11 01:50:28.000000000 -0500
    Change: 2018-07-04 14:48:51.489026149 -0500
     Birth: -
    Thanks!
     
  3. leonep
    Thanks Lauren, this is the stat of my file:

    Code:
    root@host1 [~]# stat /bin/su
      File: `/bin/su'
      Size: 34904           Blocks: 72         IO Block: 4096   regular file
    Device: 902h/2306d      Inode: 587602      Links: 1
    Access: (4750/-rwsr-x---)  Uid: (    0/    root)   Gid: (   10/   wheel)
    Access: 2018-07-12 22:07:44.000000000 +0200
    Modify: 2018-06-19 17:15:49.000000000 +0200
    Change: 2018-07-12 22:02:15.000000000 +0200
    
     
  4. cPanelLauren
    Hi @leonep

    Perms/ownership look fine; this is what it should be. What time did rkhunter run? Whatever change was made happened last night at 10.

    Thanks!
     
  5. leonep
    This is rkhunter.log; it found something around 4 in the morning...

    Code:
    [03:58:52] Info: Start date is Fri Jul 13 03:58:52 CEST 2018
    ......
    ......
    [03:59:05]   /bin/su                                         [ Warning ]
    [03:59:05] Warning: The file properties have changed:
    [03:59:05]          File: /bin/su
    [03:59:05]          Current permissions: 4750    Stored permissions: 4755
    [03:59:05]          Current gid: 10    Stored gid: 0
    .......
    .......
    [04:00:20] Info: End date is Fri Jul 13 04:00:20 CEST 2018
    
    The stored permission was wrong; maybe upcp or the system restored the correct permission...!?!
    Is the file content unchanged?
     
  6. cPanelLauren
    It wouldn't be unlikely for upcp to have restored the permission of this, and the size of yours is different from that of both my test servers. You can't check the contents directly. If there was some sort of compromise I would anticipate rkhunter finding more than just the perms/ownership on that file being modified from 755 -> 750 and the GID being changed from 0 (root) to the wheel group.

    Thanks!
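    To triage this kind of rkhunter warning along the lines Lauren describes (does the property change widen or narrow who can use the file?), here is an added Python example that is not from the thread or from rkhunter itself. It parses a constructed excerpt modelled on the rkhunter.log lines quoted above and reports which mode bits were added or removed; the 4755 -> 4750 change drops only o+r and o+x, a tightening, whereas a newly set setuid bit would be flagged as widening.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed excerpt modelled on the rkhunter.log lines quoted in this thread.
SAMPLE_LOG = """\
[03:59:05]   /bin/su                                         [ Warning ]
[03:59:05] Warning: The file properties have changed:
[03:59:05]          File: /bin/su
[03:59:05]          Current permissions: 4750    Stored permissions: 4755
[03:59:05]          Current gid: 10    Stored gid: 0
"""
# Mode bits, highest first, with short names for the report.
BITS = [(0o4000, "setuid"), (0o2000, "setgid"), (0o1000, "sticky"),
        (0o400, "u+r"), (0o200, "u+w"), (0o100, "u+x"),
        (0o040, "g+r"), (0o020, "g+w"), (0o010, "g+x"),
        (0o004, "o+r"), (0o002, "o+w"), (0o001, "o+x")]

@dataclass
class PropChange:
    path: str
    current_mode: int
    stored_mode: int
    current_gid: Optional[int] = None   # None when rkhunter printed no gid line
    stored_gid: Optional[int] = None
    def added_bits(self):    # bits set now that the stored baseline lacked
        return [n for b, n in BITS if self.current_mode & ~self.stored_mode & b]
    def removed_bits(self):  # bits in the stored baseline that are gone now
        return [n for b, n in BITS if self.stored_mode & ~self.current_mode & b]
    def verdict(self):
        # Added bits (new setuid, new o+x, ...) widen who can use the file;
        # 4755 -> 4750 only drops o+r and o+x, so it tightens access.
        if self.added_bits():
            return "widened"
        return "tightened" if self.removed_bits() else "unchanged"

def parse_rkhunter(text):
    changes, cur = [], {}
    for raw in text.splitlines():
        line = re.sub(r"^\[\d\d:\d\d:\d\d\]\s*", "", raw)   # strip timestamp
        if m := re.match(r"File:\s+(\S+)$", line):
            if "stored_mode" in cur:
                changes.append(PropChange(**cur))
            cur = {"path": m[1]}
        elif m := re.match(r"Current permissions:\s+(\d+)\s+Stored permissions:\s+(\d+)", line):
            cur["current_mode"], cur["stored_mode"] = int(m[1], 8), int(m[2], 8)
        elif m := re.match(r"Current gid:\s+(\d+)\s+Stored gid:\s+(\d+)", line):
            cur["current_gid"], cur["stored_gid"] = int(m[1]), int(m[2])
    if "stored_mode" in cur:
        changes.append(PropChange(**cur))
    return changes
```

    A gid change alone is reported as-is in the record; paired with mode 4750 it means only members of the owning group (here wheel) can run the binary, which is the restricting outcome discussed in the thread.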
     
  7. leonep
    I agree.
    It seems a fix.. I will monitor the server.
    Thanks Lauren
     
  8. cPanelLauren
    Hi @leonep

    Good plan, you're most welcome!

    Thanks!
     