Files with strange appended symbols in /bin directory

General support questions
U-da
Posts: 6
Joined: 2019/10/08 20:48:23

Files with strange appended symbols in /bin directory

Post by U-da » 2019/10/08 21:05:03

Hi everyone!

Maybe someone could tell, what does it mean and why did these files exist?


---------- 1 root root 38K Jan  8  2017 /bin/ping;5cff1d43
---------- 1 root root 38K Jan  8  2017 /bin/ping;5cff2bca
---------- 1 root root 38K Jan  8  2017 /bin/ping;5cff30b0
---------- 1 root root 38K Jan  8  2017 /bin/ping;5cff35ed
There are a lot of them with different dates. Currently they are chrooted, but in the past they had permissions 4755/-rwsr-xr-x.
I've faced this a second time now; such files were detected on different servers (CentOS 6 and 7) and I still have no clue where they came from.

RKhunter output is clear, no suspicious activity detected.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Files with strange appended symbols in /bin directory

Post by TrevorH » 2019/10/08 23:38:27

Most likely something has made /bin/ping immutable, and then each time you run a yum update that includes the iputils package, it will not only fail to install properly, it will also create one of those randomly named files at the same time. If it worked properly, it would have removed the immutable file and renamed that one to it as part of the update process. Check with lsattr.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
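A check built from TrevorH's explanation, added here as an example and not something posted in the thread: it lists the `NAME;XXXXXXXX` leftovers rpm writes when it cannot replace `NAME`, decodes the eight hex digits as a Unix timestamp (rpm uses its transaction id, taken from the clock when the transaction was created), and asks lsattr whether `NAME` still carries the immutable attribute. The function names and the output format are my own.

```shell
#!/bin/sh
# Added example, not from the thread: report rpm's "NAME;XXXXXXXX" leftovers,
# the time each failed transaction started, and whether NAME is still immutable.

# hex_to_epoch 5cff1d43  ->  1560223043
hex_to_epoch() {
    printf '%d\n' "$((0x$1))"
}

# epoch_to_utc 1560223043 -> "2019-06-11 03:17:23 UTC"
# Falls back to the raw number on a date(1) without GNU's -d option.
epoch_to_utc() {
    date -u -d "@$1" '+%Y-%m-%d %H:%M:%S UTC' 2>/dev/null || printf '%s\n' "$1"
}

# is_immutable FILE -> yes / no / unknown
# lsattr ships with e2fsprogs and only works on filesystems with attribute
# support (ext4, xfs); anywhere else, or without lsattr, we say "unknown".
is_immutable() {
    attrs=$(lsattr -d -- "$1" 2>/dev/null) || { printf 'unknown\n'; return 0; }
    case ${attrs%% *} in          # first field is the flag string, e.g. ----i---------e-----
        *i*) printf 'yes\n' ;;
        *)   printf 'no\n' ;;
    esac
}

# scan_leftovers DIR -> one line per leftover:
#   LEFTOVER|ORIGINAL|TRANSACTION-TIME|ORIGINAL-IMMUTABLE
scan_leftovers() {
    for f in "$1"/*';'????????; do
        [ -e "$f" ] || continue                       # glob matched nothing
        suffix=${f##*\;}
        case $suffix in *[!0-9a-f]*) continue ;; esac # not an 8-digit hex tid
        orig=${f%\;*}
        printf '%s|%s|%s|%s\n' "$f" "$orig" \
            "$(epoch_to_utc "$(hex_to_epoch "$suffix")")" "$(is_immutable "$orig")"
    done
}

# Usage: sh scan_leftovers.sh /bin /usr/bin /sbin /usr/sbin
for dir in "$@"; do scan_leftovers "$dir"; done
```

A leftover whose original reports `yes` is exactly the situation TrevorH describes; a leftover whose original reports `no` means the flag was cleared after that transaction, so the decoded time tells you which update run left it behind.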

U-da
Posts: 6
Joined: 2019/10/08 20:48:23

Re: Files with strange appended symbols in /bin directory

Post by U-da » 2019/10/16 13:59:14

Hi!
Thanks for reply!
Yes, there was an immutable flag on it. All files were removed and the package reinstalled. Unfortunately, the issue wasn't solved. New files appeared after the flag was removed and the package reinstalled. The thing is, no one from the team put those flags back on it.
Have you any idea how exactly those flags may appear and how to fix the issue?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Files with strange appended symbols in /bin directory

Post by TrevorH » 2019/10/16 14:54:33

So lsattr /bin/ping no longer reports it as immutable?

U-da
Posts: 6
Joined: 2019/10/08 20:48:23

Re: Files with strange appended symbols in /bin directory

Post by U-da » 2019/10/17 06:41:26

Yep. We have removed that flag. Though after reinstalling the package we still faced the issue.

Besides, have you any idea why that situation may occur? We know for sure that nobody manually set that immutable flag on the binaries. So it has to be some internal protection mechanism.

JFI: SELinux was disabled from the very start of the server.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Files with strange appended symbols in /bin directory

Post by TrevorH » 2019/10/17 16:59:59

Nothing sets the immutable bit except a sysadmin with root privileges.

U-da
Posts: 6
Joined: 2019/10/08 20:48:23

Re: Files with strange appended symbols in /bin directory

Post by U-da » 2019/10/18 07:12:12

That is strange. Maybe we should check it for unauthorized access once more.

Ok, thank you very much for the help! At least this situation has become clearer for us.

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: Files with strange appended symbols in /bin directory

Post by Whoever » 2019/10/19 02:13:35

U-da wrote:
2019/10/18 07:12:12
That is strange. Maybe we should check it for unauthorized access once more.

Ok, thank you very much for the help! At least this situation has become clearer for us.

I think you need to start by investigating the /bin/ping executable. Is it unchanged?

U-da
Posts: 6
Joined: 2019/10/08 20:48:23

Re: Files with strange appended symbols in /bin directory

Post by U-da » 2019/10/19 06:03:28

You mean, does it come from the official repository? Yes, we have checked it.

The other thing is the stat info for such files (I currently don't have a ping example, but here is a binary with the same problem):


# stat /usr/bin/newgrp
  File: `/usr/bin/newgrp'
  Size: 40240           Blocks: 80         IO Block: 4096   regular file
Device: 902h/2306d      Inode: 182191684   Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-10-16 03:43:19.201576074 +0200
Modify: 2016-05-10 23:23:37.000000000 +0200
Change: 2017-03-21 17:39:15.659318577 +0100


# stat '/usr/bin/newgrp;5d9e38f8'
  File: `/usr/bin/newgrp;5d9e38f8'
  Size: 36144     	Blocks: 72         IO Block: 4096   regular file
Device: 902h/2306d	Inode: 23596324    Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2011-12-10 22:47:48.000000000 +0100
Modify: 2011-12-10 22:47:48.000000000 +0100
Change: 2019-10-09 21:46:00.251258028 +0200
We were trying to reinstall shadow-utils-4.1.5.1-5.el6.x86_64 after we had removed the immutable flag, but it looks like yum still can't rewrite the original binary.

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: Files with strange appended symbols in /bin directory

Post by Whoever » 2019/10/19 18:23:15

At this point you have probably expended more effort than you would have with a complete backup and reinstall of CentOS.
