Shared libraries present on system, unsure who placed them

wedwards (New member, joined May 13, 2022, 2 messages)
Hi,

Someone contacted me asking to investigate whether their unmanaged server is 'clean'.

I ran rkhunter, which reported the following warning:

[15:22:08] Checking for preloaded libraries [ Warning ]
[15:22:09] Warning: Found preloaded shared library: /lib64/libs.so
[15:22:09] Warning: Found preloaded shared library: /usr/sbin/libhttpd.so

These files were changed on the following dates/times:

/etc/ld.so.preload content: 2021-05-22
/etc/ld.so.preload properties: 2021-05-22
/usr/sbin/libhttpd.so content: 2018-05-08
/usr/sbin/libhttpd.so properties: 2021-05-22
/lib64/libs.so content: 2020-01-07
/lib64/libs.so properties: 2020-01-07

The md5sums of these files are as follows:

# md5sum /etc/ld.so.preload /usr/sbin/libhttpd.so /lib64/libs.so
0b5ad0391b82d01d7ce2cdd1b4c32fbf  /etc/ld.so.preload
26b86cf364bec796886e6a92ba34256d  /usr/sbin/libhttpd.so
c8bd3af1c1fd1bf59736ef880470ec63  /lib64/libs.so

The content of `/etc/ld.so.preload` is:

/lib64/libs.so /usr/sbin/libhttpd.so

... with one space at the beginning.

These are a few reasons I suspect these files are not clean:

* These files are not shipped by any packages (`yum whatprovides *libhttpd.so*`, `yum whatprovides *libs.so*`).
* These files cannot be found in `/usr/local/directadmin/custombuild/` or contents of files in `/usr/local/directadmin/custombuild/`.
* I've never seen a shared library in `/usr/sbin`.
* I cannot find these files on servers that we manage.
* Both files can be found on the suspicious files list of cPanel Security Investigator. It was added due to this issue, where the creator says that `/lib64/libs.so` is a symlink to `/usr/lib64/libs.so`, but `/lib64/libs.so` is a regular file here.
* There is mention of `/lib64/libs.so` on https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor (but the hashes of the IOCs don't match) and https://truxgoservers.com/blog/facefish-a-new-threat-targeting-linux/

Also, the modification and change timestamps of the aforementioned files don't exactly match the dates on which software was updated. CustomBuild and/or yum was run on the following dates:

* 2018-05-08
* 2018-06-14
* 2019-05-08
* 2019-05-20
* 2019-06-14
* 2019-09-23
* 2019-10-03
* 2019-11-04
* 2021-06-24
* 2021-06-25
* 2022-02-16
* 2022-03-25
* 2022-05-13

The dates 2021-05-22 and 2020-01-07 are missing, which means that the content and/or properties of at least one of those files was changed on a day that CustomBuild and yum didn't run. This implies that the files are not placed/maintained by DirectAdmin or system packages.

Could anyone confirm that the aforementioned files should indeed not be present on a 'normal' DirectAdmin system? Or has anyone seen the same files and figured out whether they're legitimate?
 

Richard G (Verified User, joined Jul 6, 2008, 8,554 messages, Maastricht)
I don't have any OpenLiteSpeed or nginx on my system. But having .so files in the /etc directory is imho suspicious anyway.

> /etc/ld.so.preload content: 2021-05-22
> /etc/ld.so.preload properties: 2021-05-22

So we have nothing of the kind, nor any other .so file like this in the /etc directory.

I checked both a CentOS 7 and an AlmaLinux 8.5 server and could not find these files anywhere on the whole server either:
libs.so
libhttpd.so

But again, I don't have things like nginx or OpenLiteSpeed, just a default DA installation with Apache 2.4.
Also, I don't know how old that server is and whether it's running Apache 1.3, because I found something about 1.3 and libhttpd.so here:
 

wedwards (New member, joined May 13, 2022, 2 messages)
Hi Richard,

> I don't have any OpenLiteSpeed or nginx on my system. But having .so files in the /etc directory is imho suspicious anyway.
> /etc/ld.so.preload content: 2021-05-22
> /etc/ld.so.preload properties: 2021-05-22
> So we have nothing of the kind, nor any other .so file like this in the /etc directory.

There are no shared libraries in /etc. Just /etc/ld.so.preload.

> But again, I don't have things like nginx or OpenLiteSpeed, just a default DA installation with Apache 2.4.
> Also, I don't know how old that server is and whether it's running Apache 1.3, because I found something about 1.3 and libhttpd.so here:

True. As far as I can see, this server was first installed with Apache 2.4.33. It has never run Apache 1.x.
 

Richard G (Verified User, joined Jul 6, 2008, 8,554 messages, Maastricht)
> There are no shared libraries in /etc. Just /etc/ld.so.preload.

Well, I don't know about that file. On my CentOS 7 and AlmaLinux 8 servers I only have the ld.so.conf.d directory, the ld.so.conf file and the ld.so.cache file in the /etc directory.

Still the other files are not present here as stated. Maybe somebody else knows if they can be coming from something installed via DA.
 

toml (Verified User, joined Oct 3, 2003, 1,249 messages, Scottsdale, AZ)
libhttpd.so is a shared library that provides HTTP functionality to a program. There are benign uses for it, but it could also easily be used for hacking purposes. If you have lsof on your server, issue the command as root:
`lsof | grep libhttpd`
and see what running processes are using it. Hopefully the fact that it is preloaded won't obfuscate which processes are attached to the shared library. If you do see the process, make sure it is something that you intentionally installed.
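A triage script that strings together the checks raised in this thread (package ownership, mtime/ctime, checksum, and which running processes have each preloaded library mapped, read from /proc/*/maps so it works even without lsof). This is an added example, not code from any poster; it assumes an RPM-based system such as CentOS/AlmaLinux, GNU coreutils, root privileges for full /proc visibility, and an assumed `PRELOAD_FILE` override used only for testing.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Assumes an RPM-based system such as
# CentOS/AlmaLinux, GNU coreutils and root. PRELOAD_FILE is an assumed override
# knob for testing; the real loader only ever reads /etc/ld.so.preload.
# Caveat: every dynamically linked tool used here (sed, grep, stat, md5sum) is
# itself subject to the preload, so a hostile library could alter what they
# report. Confirm findings from a rescue boot or with statically linked binaries.
PRELOAD_FILE="${PRELOAD_FILE:-/etc/ld.so.preload}"

# Print each library listed in an ld.so.preload-style file, one per line.
# glibc separates entries by whitespace or ':' and treats '#' as a comment, so
# the single line " /lib64/libs.so /usr/sbin/libhttpd.so" (leading space and
# all) from the thread yields two entries.
preload_entries() {
    [ -r "$1" ] || return 0
    sed 's/#.*//' "$1" | tr ':' ' ' | tr -s ' \t\n' '\n' | sed '/^$/d'
}

# Name the RPM package owning a path, "orphan" if none does (rpm -qf exits
# non-zero for unowned files), or "unknown" when rpm itself is not available.
package_owner() {
    command -v rpm >/dev/null 2>&1 || { echo "unknown (no rpm)"; return 0; }
    owner=$(rpm -qf "$1" 2>/dev/null) && echo "$owner" || echo "orphan"
}

# List "pid command" for every process that has the library mapped, by
# reading /proc/<pid>/maps directly instead of depending on lsof.
procs_mapping_lib() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        grep -q -F -- "$1" "$maps" 2>/dev/null || continue
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)"
    done
}

# Full report: ownership, timestamps, checksum and live users of each entry.
triage_preload() {
    preload_entries "$PRELOAD_FILE" | while IFS= read -r lib; do
        printf '== %s\n' "$lib"
        [ -e "$lib" ] || { echo '   listed but missing on disk'; continue; }
        printf '   package: %s\n' "$(package_owner "$lib")"
        stat -c '   mtime: %y  ctime: %z  owner: %U  mode: %a' "$lib"
        printf '   md5: %s\n' "$(md5sum "$lib" | cut -d' ' -f1)"
        echo '   mapped by:'
        procs_mapping_lib "$lib" | sed 's/^/     /'
    done
}

if [ "${1:-}" = "--run" ]; then triage_preload; fi
```

Run it as `sh triage.sh --run`; an entry reported as "orphan" with a ctime that matches no known maintenance window, like the 2021-05-22 and 2020-01-07 dates above, is the pattern worth escalating.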
 