Hello,
I've recently installed OSSEC HIDS on two CentOS 5.8 servers I administer (basically the same machines, an LDAP master and a slave).
Having got a couple of strange messages from ossec like
[quote]Received From: serveurback->rootcheck Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s): Port '39001'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat. [/quote]
I've tried to figure out what happened. On lots of forums they say that it's a false positive.
Also, neither rkhunter nor chkrootkit show anything.
But still, in doubt, I did this on my first server:
[code]
# mv /bin/netstat /bin/netstat.vir
# yum reinstall net-tools
# md5sum /bin/netstat
b9f0fcf5224942df569b1f8945fbfb59
# md5sum /bin/netstat.vir
770647df976181e5886348e50d94ca28
[/code]
On my second system i did the same and got
[code]
# md5sum /bin/netstat
b9f0fcf5224942df569b1f8945fbfb59
# md5sum /bin/netstat.vir
f2585009808c15008ab1dd601fcf2c9e
[/code]
I cannot sleep well anymore as I cannot be sure these servers weren't compromised.
Does anyone know where to get a "valid checksum" list of CentOS binaries?
Thanks.
[SOLVED] Compromised CentOS 5.8 system
Re: Compromised CentOS 5.8 system
Well... i really cannot sleep well with this in mind.
I looked up the netstat.vir hashes on http://www.team-cymru.org/Services/MHR/; seems negative.
But I've got worse things to worry about.
I made md5 hashes of every file in /sbin and /bin, and compared them between both servers.
It seems that many many checksums differ.
Any idea please ?
[SOLVED] Compromised CentOS 5.8 system
md5sum is not a way to check the validity of the files. Please see [url=https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=31515&forum=42]this forum thread[/url] for details. "prelink" is the keyword.
Re: Compromised CentOS 5.8 system
My previous post did not read right. :-) prelinked files must be treated properly before md5sum can be used to check the validity of files.
Re: Compromised CentOS 5.8 system
Toracat beat me to it: try using `prelink -u /bin/netstat` first then md5sum it and it should come out right (hopefully!).
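Putting toracat's and markkp's advice together, here is an added example (not code from the thread or from OSSEC) of how to hash a binary as it was shipped by its package, undoing prelink first, and how to hash a whole directory tree so the output of two servers can be diffed. It assumes that `prelink -y FILE` writes the un-prelinked image to stdout and that `rpm -q --dump PKG` lists one file per line with the recorded MD5 in the fourth field; on a machine without prelink it simply hashes the file directly.

```shell
#!/bin/sh
# Added example, not from the thread: hash binaries the way the RPM database
# recorded them, undoing prelink first so checksums match across servers.
# Assumptions: `prelink -y FILE` writes the un-prelinked image to stdout, and
# `rpm -q --dump PKG` prints "path size mtime md5 ..." with the MD5 in field 4.

# MD5 of a file as shipped: if prelink is installed and the binary carries a
# .gnu.prelink_undo section, hash the un-prelinked image; otherwise hash as-is.
shipped_md5() {
    f="$1"
    if command -v prelink >/dev/null 2>&1 &&
       readelf -S "$f" 2>/dev/null | grep -q 'gnu.prelink_undo'; then
        prelink -y "$f" | md5sum | cut -d' ' -f1
    else
        md5sum "$f" | cut -d' ' -f1
    fi
}

# Reference MD5 for a packaged file, taken from the local RPM database
# (assumed `rpm -q --dump` layout). Fails if no package owns the file.
rpm_md5() {
    pkg=$(rpm -qf "$1" 2>/dev/null) || return 1
    rpm -q --dump "$pkg" | awk -v p="$1" '$1 == p { print $4 }'
}

# Compare a file against an expected MD5; return 0 on match, 1 on mismatch.
verify_bin() {
    f="$1" want="$2"
    got=$(shipped_md5 "$f")
    if [ "$got" = "$want" ]; then
        printf 'OK       %s %s\n' "$f" "$got"
        return 0
    fi
    printf 'MISMATCH %s got=%s want=%s\n' "$f" "$got" "$want"
    return 1
}

# "md5  relative/path" for every regular file under a directory, sorted, so
# the output from two hosts (e.g. for /bin and /sbin) can be compared with diff.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r p; do
          printf '%s  %s\n' "$(shipped_md5 "$p")" "$p"
      done )
}

# Usage: ./check.sh /bin/netstat          -> compare against the RPM database
#        ./check.sh --tree /bin > bin.md5   on each server, then diff the files
if [ $# -gt 0 ]; then
    if [ "$1" = "--tree" ]; then
        hash_tree "$2"
    else
        for f in "$@"; do
            ref=$(rpm_md5 "$f") || { echo "no package owns $f" >&2; continue; }
            verify_bin "$f" "$ref"
        done
    fi
fi
```

Two caveats when using this for real. First, `rpm -V net-tools` already does the prelink undo for you and also checks size, mode and owner, so on a single host it is the simpler check; the script is mainly useful for diffing two hosts. Second, the RPM database lives on the possibly compromised machine, so a clean reference is the package file itself: copy the binaries off-host and compare against `rpm2cpio net-tools-*.rpm | cpio -idmv` extracted on a trusted system.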
[SOLVED] Compromised CentOS 5.8 system comparing md5 / sha hashes / checksums
Big thanks for your answers :)
I'll be able to sleep better tonight...
I read about prelink... Never heard of this before... Even with experience one can always learn something new :)
As for the prelink process, I ask myself how tools like OSSEC check valid file signatures... They have to create a temporary unprelinked copy of the system file to check integrity, right?
Also, is prelink really needed on a server? I mean, once it runs, it might respawn some servers like httpd, create some processes defined by cron...
I mean, prelink can be nice on a user computer that is always launching programs, but a server?
Anyway, thank you once again...
Re: [SOLVED] Compromised CentOS 5.8 system comparing md5 / sha hashes / checksums
Right, you don't really need prelink.
Glad that you can sleep well tonight. :-)