[SOLVED] Compromised CentOS 5.8 system

deajan
Posts: 53
Joined: 2009/08/01 12:49:42
Location: South France

[SOLVED] Compromised CentOS 5.8 system

Post by deajan » 2012/09/25 16:45:28

Hello,

I've recently installed ossec HIDS on two CentOS 5.8 servers I administer (basically the same machines, an LDAP master and a slave).
Having got a couple of strange messages from ossec like

[quote]Received From: serveurback->rootcheck Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s): Port '39001'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat. [/quote]

I've tried to figure out what happened. On lots of forums they say that it's a false positive.
Also, neither rkhunter nor chkrootkit show anything.

But still, in doubt, I did this on my first server:
[code]
# mv /bin/netstat /bin/netstat.vir
# yum reinstall net-tools
# md5sum /bin/netstat
b9f0fcf5224942df569b1f8945fbfb59
# md5sum /bin/netstat.vir
770647df976181e5886348e50d94ca28
[/code]

On my second system i did the same and got
[code]
# md5sum /bin/netstat
b9f0fcf5224942df569b1f8945fbfb59
# md5sum /bin/netstat.vir
f2585009808c15008ab1dd601fcf2c9e
[/code]

I cannot sleep well anymore as I cannot be sure these servers weren't compromised.
Does anyone know where to get a "valid checksum" list of CentOS binaries?

Thanks.

deajan
Posts: 53
Joined: 2009/08/01 12:49:42
Location: South France

Re: Compromised CentOS 5.8 system

Post by deajan » 2012/09/25 17:09:03

Well... I really cannot sleep well with this in mind.

I looked up http://www.team-cymru.org/Services/MHR/ with the netstat.vir hashes, seems negative.
But I've got worse things to worry about.

I made md5 hashes of every file in /sbin and /bin, and compared them between both servers.
It seems that many many checksums differ.

Any idea please ?

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

[SOLVED] Compromised CentOS 5.8 system

Post by toracat » 2012/09/25 17:12:36

md5sum is not a way to check the validity of the files. Please see [url=https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=31515&forum=42]this forum thread[/url] for details. "prelink" is the keyword.

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Re: Compromised CentOS 5.8 system

Post by toracat » 2012/09/25 17:18:16

My previous post did not read right. :-) prelinked files must be treated properly before md5sum can be used to check the validity of files.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Compromised CentOS 5.8 system

Post by TrevorH » 2012/09/25 18:14:21

Toracat beat me to it: try using `prelink -u /bin/netstat` first then md5sum it and it should come out right (hopefully!).
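Putting the replies together as a script (an added example, not code from the thread, from CentOS or from OSSEC): the "valid checksum list" asked for at the start already exists on the box, in the RPM database, and `rpm -V` compares every installed file against it, undoing prelink on the fly when the prelink package is installed. The first function below does that comparison explicitly but uses `prelink -y`, which writes the un-prelinked image to stdout and leaves the file on disk untouched (unlike `prelink -u`, which rewrites it), so the check does not alter the host being examined. The second function diffs two hosts' `md5sum` manifests the way the second post did, which only makes sense once both manifests were produced with prelink undone. Assumed: rpm 4.4 as shipped with CentOS 5 records MD5 digests as field 4 of `rpm -q --dump`; the names `unprelinked_md5`, `check_binary` and `compare_manifests` are chosen here.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from CentOS.
# Assumes the rpm and prelink tools of CentOS 5. If prelink is not installed
# (or the file was never prelinked) the file is hashed as it is on disk.

# MD5 of FILE with any prelink changes undone. `prelink -y` emits the original
# image on stdout and does not modify the file, so nothing on the host changes.
unprelinked_md5() {
    tmp=$(mktemp) || return 1
    if command -v prelink >/dev/null 2>&1 && prelink -y "$1" >"$tmp" 2>/dev/null; then
        md5sum <"$tmp" | cut -d' ' -f1
    else
        # not prelinked, or prelink absent: hash the file itself
        md5sum <"$1" | cut -d' ' -f1
    fi
    rm -f "$tmp"
}

# Compare FILE with the digest the RPM database recorded at install time.
# Assumption: rpm 4.4 (CentOS 5) stores the MD5 as field 4 of `rpm -q --dump`.
check_binary() {
    f="$1"
    pkg=$(rpm -qf "$f") || { echo "$f: not owned by any package"; return 1; }
    want=$(rpm -q --dump "$pkg" | awk -v p="$f" '$1 == p { print $4 }')
    have=$(unprelinked_md5 "$f")
    if [ -n "$want" ] && [ "$have" = "$want" ]; then
        echo "$f: OK ($pkg)"
    else
        echo "$f: MISMATCH ($pkg) rpmdb=$want on-disk=$have"
        # rpm -V reports the same thing; a 5 in the flags column is a digest mismatch
        rpm -V "$pkg" | grep -F -- "$f" || true
        return 1
    fi
}

# Diff two `md5sum` manifests (hash, two spaces, path), e.g. one per server.
# Prints one line per path whose digest differs or that exists on one side only.
compare_manifests() {
    awk 'NR == FNR { first[$2] = $1; next }
         {
             if (!($2 in first))        print "only-in-second " $2
             else if (first[$2] != $1)  print "differs " $2
             delete first[$2]
         }
         END { for (p in first) print "only-in-first " p }' "$1" "$2"
}

# Usage: sh checkbin.sh /bin/netstat /bin/ls ...  (no arguments: only defines the functions)
status=0
for f in "$@"; do check_binary "$f" || status=1; done
```

Two caveats follow from the thread itself. First, `yum reinstall` before checking overwrites the very file you wanted to examine; the `.vir` copy kept above is what should be hashed, and the same goes for the manifest on the second server. Second, `rpm`, its database and `prelink` all live on the host under suspicion; `rpm -Vp net-tools-<version>.rpm` with a package file fetched from a CentOS mirror, or a comparison run from rescue media, removes that dependency.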

deajan
Posts: 53
Joined: 2009/08/01 12:49:42
Location: South France

[SOLVED] Compromised CentOS 5.8 system comparing md5 / sha hashes / checksums

Post by deajan » 2012/09/25 20:39:51

Big thanks for your answers :)
I'll be able to sleep better this night...

I read about prelink... Never heard of this before... Even with experience one can always learn something new :)

As for the prelink process, I ask myself how tools like ossec check valid file signatures... They have to create a temporary unprelinked copy of the system file to check integrity, right?
Also, is prelink really needed on a server? I mean, once it runs, it might respawn some servers like httpd, create some processes defined by cron...
I mean, prelink can be nice on a user computer, who always launches programs, but a server ?

Anyway, thank you another time...

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Re: [SOLVED] Compromised CentOS 5.8 system comparing md5 / sha hashes / checksums

Post by toracat » 2012/09/25 21:10:55

Right, you don't really need prelink.

Glad that you can sleep well tonight. :-)
