Hi,
I have just deployed a new CentOS 6 server on my network. I'm new to CentOS but not to Linux. On my previous servers (debian) I have run tripwire. After some experimentation I have managed to get a twpol that works fairly well for a minimal CentOS 6 install. However, yesterday my tripwire reported this:
[code]===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
  Temporary directories           33                0        0        0
  Tripwire Data Files             100               0        0        0
  Critical devices                100               0        0        0
* User binaries                   66                0        0        103
  Tripwire Binaries               100               0        0        0
* Libraries                       66                0        0        60
* Operating System Utilities      100               0        0        2
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  (/sbin/rtmon)
  Shell Related Programs          100               0        0        0
  (/sbin/getkey)
  Critical Utility Sym-Links      100               0        0        0
  Shell Binaries                  100               0        0        0
  Critical system boot files      100               0        0        0
  Critical configuration files    100               0        0        0
  System boot changes             100               0        0        0
  OS executables and libraries    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
  Root config files               100               0        0        0

Total objects scanned:  21773
Total violations found:  165
===============================================================================
Object Detail:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 3
----------------------------------------
Modified object name: /usr/sbin/bonobo-activation-sysconf
Modified object name: /usr/sbin/mtr
Modified object name: /usr/sbin/packagekitd
-------------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------
Modified object name: /usr/lib/anaconda-runtime/loader/loader
-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 99
----------------------------------------
Modified object name: /usr/bin/activation-client
Modified object name: /usr/bin/bc
Modified object name: /usr/bin/brasero
Modified object name: /usr/bin/cdda-player
Modified object name: /usr/bin/cheese
Modified object name: /usr/bin/csslint-0.6
Modified object name: /usr/bin/dig
Modified object name: /usr/bin/dwell-click-applet
Modified object name: /usr/bin/eog
Modified object name: /usr/bin/evince
Modified object name: /usr/bin/expr
Modified object name: /usr/bin/factor
Modified object name: /usr/bin/festival
Modified object name: /usr/bin/festival_client
Modified object name: /usr/bin/foomatic-perl-data
Modified object name: /usr/bin/gconftool-2
Modified object name: /usr/bin/gedit
Modified object name: /usr/bin/gnome-about-me
Modified object name: /usr/bin/gnome-appearance-properties
Modified object name: /usr/bin/gnome-audio-profiles-properties
Modified object name: /usr/bin/gnome-default-applications-properties
Modified object name: /usr/bin/gnome-keyboard-properties
Modified object name: /usr/bin/gnome-open
Modified object name: /usr/bin/gnome-panel
Modified object name: /usr/bin/gnome-system-monitor
Modified object name: /usr/bin/gnome-terminal
Modified object name: /usr/bin/gnome-volume-control
Modified object name: /usr/bin/gnome-volume-control-applet
Modified object name: /usr/bin/gnomevfs-cat
Modified object name: /usr/bin/gnomevfs-copy
Modified object name: /usr/bin/gnomevfs-df
Modified object name: /usr/bin/gnomevfs-info
Modified object name: /usr/bin/gnomevfs-ls
Modified object name: /usr/bin/gnomevfs-mkdir
Modified object name: /usr/bin/gnomevfs-monitor
Modified object name: /usr/bin/gnomevfs-mv
Modified object name: /usr/bin/gnomevfs-rm
Modified object name: /usr/bin/gpk-application
Modified object name: /usr/bin/gpk-install-catalog
Modified object name: /usr/bin/gpk-install-local-file
Modified object name: /usr/bin/gpk-install-mime-type
Modified object name: /usr/bin/gpk-install-package-name
Modified object name: /usr/bin/gpk-install-provide-file
Modified object name: /usr/bin/gpk-log
Modified object name: /usr/bin/gpk-prefs
Modified object name: /usr/bin/gpk-repo
Modified object name: /usr/bin/gpk-update-icon
Modified object name: /usr/bin/gpk-update-viewer
Modified object name: /usr/bin/gssdp-device-sniffer
Modified object name: /usr/bin/gst-inspect-0.10
Modified object name: /usr/bin/gst-launch-0.10
Modified object name: /usr/bin/gst-typefind-0.10
Modified object name: /usr/bin/gst-xmlinspect-0.10
Modified object name: /usr/bin/gst-xmllaunch-0.10
Modified object name: /usr/bin/gthumb
Modified object name: /usr/bin/host
Modified object name: /usr/bin/idevice_id
Modified object name: /usr/bin/idevicebackup
Modified object name: /usr/bin/ideviceinfo
Modified object name: /usr/bin/idevicesyslog
Modified object name: /usr/bin/info
Modified object name: /usr/bin/less
Modified object name: /usr/bin/lua
Modified object name: /usr/bin/nautilus
Modified object name: /usr/bin/nautilus-autorun-software
Modified object name: /usr/bin/nautilus-connect-server
Modified object name: /usr/bin/nautilus-file-management-properties
Modified object name: /usr/bin/nm-applet
Modified object name: /usr/bin/nm-connection-editor
Modified object name: /usr/bin/nslookup
Modified object name: /usr/bin/nsupdate
Modified object name: /usr/bin/pcregrep
Modified object name: /usr/bin/pcretest
Modified object name: /usr/bin/pidgin
Modified object name: /usr/bin/pinentry-curses
Modified object name: /usr/bin/pinentry-gtk-2
Modified object name: /usr/bin/pkcon
Modified object name: /usr/bin/pkgenpack
Modified object name: /usr/bin/pkmon
Modified object name: /usr/bin/plutil-1.2
Modified object name: /usr/bin/pointer-capture-applet
Modified object name: /usr/bin/qtconfig-qt4
Modified object name: /usr/bin/reporter-rhtsupport
Modified object name: /usr/bin/rsvg-convert
Modified object name: /usr/bin/rsvg-view
Modified object name: /usr/bin/seahorse
Modified object name: /usr/bin/seahorse-daemon
Modified object name: /usr/bin/totem
Modified object name: /usr/bin/totem-audio-preview
Modified object name: /usr/bin/totem-video-indexer
Modified object name: /usr/bin/totem-video-thumbnailer
Modified object name: /usr/bin/tsclient
Modified object name: /usr/bin/update-mime-database
Modified object name: /usr/bin/vim
Modified object name: /usr/bin/vinagre
Modified object name: /usr/bin/xmlcatalog
Modified object name: /usr/bin/xmllint
Modified object name: /usr/bin/xsltproc
Modified object name: /usr/bin/yelp
-------------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib64)
Severity Level: 66
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 59
----------------------------------------
Modified object name: /usr/lib64/festival/etc/audsp
Modified object name: /usr/lib64/gthumb/libgthumb.so
Modified object name: /usr/lib64/libabrt_web.so.0.0.1
Modified object name: /usr/lib64/libarchive.so.2.8.3
Modified object name: /usr/lib64/libbind9.so.60.0.4
Modified object name: /usr/lib64/libbonoboui-2.so.0.0.0
Modified object name: /usr/lib64/libbrasero-burn.so.0.2.0
Modified object name: /usr/lib64/libbrasero-utils.so.0.2.0
Modified object name: /usr/lib64/libcamel-1.2.so.14.0.1
Modified object name: /usr/lib64/libcroco-0.6.so.3.0.1
Modified object name: /usr/lib64/libdns.so.69.1.4
Modified object name: /usr/lib64/libebackend-1.2.so.0.0.1
Modified object name: /usr/lib64/libebook-1.2.so.9.3.1
Modified object name: /usr/lib64/libecal-1.2.so.7.2.2
Modified object name: /usr/lib64/libedata-book-1.2.so.2.4.1
Modified object name: /usr/lib64/libedata-cal-1.2.so.6.0.2
Modified object name: /usr/lib64/libedataserver-1.2.so.11.0.1
Modified object name: /usr/lib64/libedataserverui-1.2.so.8.1.1
Modified object name: /usr/lib64/libestools.so.1.2.96.1
Modified object name: /usr/lib64/libexslt.so.0.8.15
Modified object name: /usr/lib64/libglade-2.0.so.0.0.7
Modified object name: /usr/lib64/libgnome-2.so.0.2800.0
Modified object name: /usr/lib64/libgnome-media-profiles.so.0.0.0
Modified object name: /usr/lib64/libgnomekbd.so.4.0.0
Modified object name: /usr/lib64/libgnomekbdui.so.4.0.0
Modified object name: /usr/lib64/libgnomeui-2.so.0.2400.1
Modified object name: /usr/lib64/libgnomevfs-2.so.0.2400.2
Modified object name: /usr/lib64/libgsf-1.so.114.0.15
Modified object name: /usr/lib64/libgssdp-1.0.so.2.0.0
Modified object name: /usr/lib64/libgstaudio-0.10.so.0.20.0
Modified object name: /usr/lib64/libgstbase-0.10.so.0.25.0
Modified object name: /usr/lib64/libgstfarsight-0.10.so.0.3.1
Modified object name: /usr/lib64/libgstinterfaces-0.10.so.0.20.0
Modified object name: /usr/lib64/libgstpbutils-0.10.so.0.20.0
Modified object name: /usr/lib64/libgstreamer-0.10.so.0.25.0
Modified object name: /usr/lib64/libgsttag-0.10.so.0.20.0
Modified object name: /usr/lib64/libgstvideo-0.10.so.0.20.0
Modified object name: /usr/lib64/libgtksourceview-2.0.so.0.0.0
Modified object name: /usr/lib64/libgweather.so.1.5.2
Modified object name: /usr/lib64/libimobiledevice.so.0.0.0
Modified object name: /usr/lib64/libisc.so.62.1.1
Modified object name: /usr/lib64/libisccc.so.60.0.0
Modified object name: /usr/lib64/libisccfg.so.62.0.0
Modified object name: /usr/lib64/liblwres.so.60.0.1
Modified object name: /usr/lib64/libpackagekit-glib.so.12.0.6
Modified object name: /usr/lib64/libpackagekit-glib2.so.12.0.6
Modified object name: /usr/lib64/libpanel-applet-2.so.0.2.68
Modified object name: /usr/lib64/libpcreposix.so.0.0.0
Modified object name: /usr/lib64/libplist.so.1.1.2
Modified object name: /usr/lib64/libpurple.so.0.7.9
Modified object name: /usr/lib64/librsvg-2.so.2.26.0
Modified object name: /usr/lib64/libsoup-2.4.so.1.3.0
Modified object name: /usr/lib64/libsoup-gnome-2.4.so.1.3.0
Modified object name: /usr/lib64/libtotem-plparser.so.12.4.5
Modified object name: /usr/lib64/libvte.so.9.2501.0
Modified object name: /usr/lib64/libxklavier.so.15.0.0
Modified object name: /usr/lib64/libxmlrpc.so.3.16
Modified object name: /usr/lib64/libxmlrpc_client.so.3.16
Modified object name: /usr/lib64/libxslt.so.1.1.26
-------------------------------------------------------------------------------
Rule Name: User binaries (/sbin)
Severity Level: 66
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------
Modified object name: /sbin/multipathd
-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/grep)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------
Modified object name: /bin/grep
-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/vi)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------
Modified object name: /bin/vi
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.[/code]
I hadn't performed an update recently and I can't think of anything I could have done to update these binaries. I have logged into this server from another server I run on the same network, which I don't think is rooted, but it has been up for several years. I have run chkrootkit and rkhunter which don't seem to have picked up anything, but I did not have these installed prior to the event that updated the binaries.
Any help or advice greatly received. I don't have physical access to the server for at least a week.
Thanks.
[SOLVED] Have I got a rootkit?
Last edited by RikT on 2014/01/14 12:48:56, edited 1 time in total.
Have I got a rootkit?
Did your experimentation include installing the tripwire package from EPEL? I have not used it, but it rather appears whatever you are using is unaware of [url=https://www.google.com/search?q=rpm+prelink+site%3Aredhat.com&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=firefox-a]prelinking[/url]. I know that rkhunter must be correctly configured for RPM systems with prelink to avoid such errors.
[SOLVED] Prelinking/Tripwire Re: Have I got a rootkit?
Thank you very much Phil. The timestamps for changes on the tripwire log match exactly to when prelink was running as cron job. I have disabled it by editing /etc/sysconfig/prelink.
Re: [SOLVED] Prelinking/Tripwire Re: Have I got a rootkit?
That is not a good solution. Pre-linking is done for performance reasons and disabling it due to a false positive on an intrusion detection tool is counter-productive. Fix the tool instead. You never cited the source you are using.
Re: [SOLVED] Prelinking/Tripwire Re: Have I got a rootkit?
Sorry. Yes - it's the EPEL package. I looked at several posts concerning prelinking and people were not reporting a noticeable performance decline when switching it off.
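The thread settles on prelink as the cause of the "Modified" hits, and the moderator's point is to verify the tool's findings rather than disable prelink. One way to do that triage, as an added example that is not code from the thread, from Tripwire or from the EPEL package: pull every "Modified object name:" path out of a Tripwire report and ask rpm to verify each one. The assumption is a CentOS 6 box where rpm's verify undoes prelink before comparing file digests (the hook CentOS 6 ships in /etc/rpm/macros.prelink), so a binary that differs only because prelink rewrote it verifies clean, while a binary whose content really changed shows a digest ('5') mismatch. The report excerpt embedded below is constructed for the example in the format shown in the first post.

```shell
#!/bin/sh
# Added example, not from the thread: triage Tripwire "Modified object name:"
# hits on an RPM-based system that runs prelink from cron.
# Assumptions: rpm is prelink-aware (CentOS 6: /etc/rpm/macros.prelink sets
# %__prelink_undo_cmd to "prelink -y"), and the report uses the format above.

# Constructed Tripwire report excerpt (sample data for this example only).
SAMPLE_REPORT='-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/grep)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------
Modified object name: /bin/grep
-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 2
----------------------------------------
Modified object name: /usr/bin/less
Modified object name: /usr/bin/vim'

# Read a Tripwire report on stdin; print one path per "Modified object name:" line.
extract_modified_objects() {
    sed -n 's/^Modified object name: //p'
}

# Number of modified objects listed in the constructed sample (parser sanity check).
count_sample_objects() {
    printf '%s\n' "$SAMPLE_REPORT" | extract_modified_objects | wc -l | tr -d ' '
}

# Classify one path with rpm's verify:
#   no-rpm       rpm is not installed here, nothing to compare against
#   unowned      no package owns the file, so rpm cannot vouch for it
#   missing      the package expects the file but it is gone
#   rpm-ok       no digest change once prelink is undone (prelink false positive)
#   rpm-changed  content differs from the package even after undoing prelink
classify_object() {
    path=$1
    command -v rpm >/dev/null 2>&1 || { echo no-rpm; return 0; }
    rpm -qf "$path" >/dev/null 2>&1 || { echo unowned; return 0; }
    # rpm -Vf verifies the whole owning package; keep only this path's line.
    # A verify line looks like "S.5....T.    /usr/bin/less"; the third flag
    # character is '5' when the file digest differs from the package database.
    flags=$(rpm -Vf "$path" 2>/dev/null | awk -v p="$path" '$NF == p { print $1 }')
    case "$flags" in
        missing) echo missing ;;
        ??5*)    echo rpm-changed ;;
        *)       echo rpm-ok ;;
    esac
}

# Run the classification over every object in a report read from stdin.
triage_report() {
    extract_modified_objects | while IFS= read -r path; do
        printf '%-12s %s\n' "$(classify_object "$path")" "$path"
    done
}

# Usage on a live system:  tripwire --check | triage_report
# Dry run on the constructed sample:
# printf '%s\n' "$SAMPLE_REPORT" | triage_report
```

Anything that comes back rpm-ok after a prelink cron run is the false positive the thread describes and can be accepted into the Tripwire database with a normal update; rpm-changed or unowned paths are the ones worth a closer look. The same comparison can be done by hand for a single file by feeding `prelink -y` output (the binary with prelinking undone) to a digest tool and comparing it with the digest rpm recorded for that file.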