
Files with strange appended symbols in /bin directory

Posted: 2019/10/08 21:05:03
by U-da
Hi everyone!

Maybe someone could tell me what this means and why these files exist?


---------- 1 root root 38K Jan  8  2017 /bin/ping;5cff1d43
---------- 1 root root 38K Jan  8  2017 /bin/ping;5cff2bca
---------- 1 root root 38K Jan  8  2017 /bin/ping;5cff30b0
---------- 1 root root 38K Jan  8  2017 /bin/ping;5cff35ed
There are a lot of them with different dates. Currently they are chrooted, but in the past they had permissions 4755/-rwsr-xr-x.
I've faced this for the second time; such files were detected on different servers (CentOS 6 and 7) and I still have no clue where they came from.

RKhunter output is clear, no suspicious activity detected.

Re: Files with strange appended symbols in /bin directory

Posted: 2019/10/08 23:38:27
by TrevorH
Most likely something has made /bin/ping immutable, and then each time you try a yum update that includes the iputils package, it will not only fail to install properly, it will also create one of those randomly named files at the same time. If it worked properly, it would have removed the immutable file and renamed that one to it as part of the update process. Check with lsattr.

Re: Files with strange appended symbols in /bin directory

Posted: 2019/10/16 13:59:14
by U-da
Hi!
Thanks for reply!
Yes, there was an immutable flag on it. All files were removed and the package reinstalled. Unfortunately, the issue wasn't solved. New files appeared after the flag was removed and the package reinstalled. The thing is, no one from the team put that flag back on it.
Any idea how exactly those flags may appear and how to fix that issue?

Re: Files with strange appended symbols in /bin directory

Posted: 2019/10/16 14:54:33
by TrevorH
So lsattr /bin/ping no longer reports it as immutable?

Re: Files with strange appended symbols in /bin directory

Posted: 2019/10/17 06:41:26
by U-da
Yep. We have removed that flag. Though after reinstalling the package we still faced the issue.

Besides, have you any idea why that situation may occur? We know for sure that nobody manually set that immutable flag on the binaries. So it has to be some internal protection mechanism.

JFI: SELinux was disabled from the very start of the server.

Re: Files with strange appended symbols in /bin directory

Posted: 2019/10/17 16:59:59
by TrevorH
Nothing sets the immutable bit except a sysadmin with root privileges.

Re: Files with strange appended symbols in /bin directory

Posted: 2019/10/18 07:12:12
by U-da
That is strange. Maybe we should check it for unauthorized access once more.

Ok, thank you very much for the help! At least this situation has become clearer for us.

Re: Files with strange appended symbols in /bin directory

Posted: 2019/10/19 02:13:35
by Whoever
U-da wrote:
2019/10/18 07:12:12
That is strange. Maybe we should check it for unauthorized access once more.

Ok, thank you very much for help! At least this situation becomes more clear for us.

I think you need to start by investigating the /bin/ping executable. Is it unchanged?

Re: Files with strange appended symbols in /bin directory

Posted: 2019/10/19 06:03:28
by U-da
You mean, does it come from the official repository? Yes, we have checked it.

The other thing is the stat info for such files (I currently don't have a ping example, but here is a binary with the same problem):


# stat /usr/bin/newgrp
  File: `/usr/bin/newgrp'
  Size: 40240           Blocks: 80         IO Block: 4096   regular file
Device: 902h/2306d      Inode: 182191684   Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-10-16 03:43:19.201576074 +0200
Modify: 2016-05-10 23:23:37.000000000 +0200
Change: 2017-03-21 17:39:15.659318577 +0100


# stat '/usr/bin/newgrp;5d9e38f8'
  File: `/usr/bin/newgrp;5d9e38f8'
  Size: 36144     	Blocks: 72         IO Block: 4096   regular file
Device: 902h/2306d	Inode: 23596324    Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2011-12-10 22:47:48.000000000 +0100
Modify: 2011-12-10 22:47:48.000000000 +0100
Change: 2019-10-09 21:46:00.251258028 +0200
We were trying to reinstall shadow-utils-4.1.5.1-5.el6.x86_64 after we had removed the immutable flag, but it looks like yum still can't rewrite the original binary.
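Added example (not code from the thread or from any poster): a small triage helper for the failure mode TrevorH describes and the stat output above. RPM writes the replacement file as "<path>;<8 hex digits>", where the hex digits are a Unix epoch timestamp, and then renames it over the original; when the original is immutable the rename fails and the temp file stays behind. Decoding the suffix of the newgrp leftover gives 2019-10-09 19:46:00 UTC, which is exactly the Change time shown in the stat output (21:46:00 +0200), so the suffix tells you when each failed update attempt happened. The file names below are taken from the thread; the function names and the epoch value passed to the ctime check are this example's own.

```python
import re
from datetime import datetime, timezone

# Pattern for the leftover files rpm leaves when it cannot rename its
# temp file over an immutable original: "<original path>;<8 hex digits>".
LEFTOVER_RE = re.compile(r"^(?P<orig>.+);(?P<ts>[0-9a-f]{8})$")

# Sample input constructed from the file names posted in the thread.
SAMPLE_PATHS = [
    "/bin/ping",                     # the real binary, not a leftover
    "/bin/ping;5cff1d43",
    "/bin/ping;5cff2bca",
    "/bin/ping;5cff30b0",
    "/bin/ping;5cff35ed",
    "/usr/bin/newgrp;5d9e38f8",
]


def parse_leftover(path):
    """Return (original_path, UTC datetime of the update attempt) for an
    rpm leftover file, or None if the name does not match the pattern."""
    m = LEFTOVER_RE.match(path)
    if m is None:
        return None
    epoch = int(m.group("ts"), 16)  # the suffix is the epoch time in hex
    return m.group("orig"), datetime.fromtimestamp(epoch, tz=timezone.utc)


def group_leftovers(paths):
    """Group leftovers by the binary they were meant to replace, with the
    failed attempt times in chronological order."""
    groups = {}
    for p in paths:
        parsed = parse_leftover(p)
        if parsed is None:
            continue
        orig, when = parsed
        groups.setdefault(orig, []).append(when)
    for times in groups.values():
        times.sort()
    return groups


def suffix_matches_ctime(path, change_epoch):
    """True when the decoded suffix equals the leftover's inode change time
    (the stat 'Change:' field as a Unix epoch), which is what you expect if
    the file was created by a package update and not by something else."""
    parsed = parse_leftover(path)
    if parsed is None:
        return False
    return int(parsed[1].timestamp()) == int(change_epoch)


def triage_commands(groups):
    """Commands to run next for each affected binary: check the immutable
    attribute and verify the installed file against the rpm database."""
    cmds = []
    for orig in sorted(groups):
        cmds.append(f"lsattr {orig}")
        cmds.append(f"rpm -Vf {orig}")
    return cmds


if __name__ == "__main__":
    found = group_leftovers(SAMPLE_PATHS)
    for orig, times in found.items():
        print(orig, "failed update attempts:")
        for t in times:
            print("   ", t.isoformat())
    print("\n".join(triage_commands(found)))
```

On a real host, feed the output of something like `find /bin /sbin /usr/bin /usr/sbin -name '*;????????'` into `group_leftovers`; the attempt times line up with the yum history on the box, and the `lsattr` output tells you whether the immutable attribute is still set on the original. The `;<hex>` suffix is only a timestamp, not a random token, so four ping leftovers with nearby values are four update attempts in close succession rather than four unrelated events.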

Re: Files with strange appended symbols in /bin directory

Posted: 2019/10/19 18:23:15
by Whoever
At this point you have probably expended more effort than you would have with a complete backup and reinstall of CentOS.