Hi,
Someone contacted me asking to investigate whether their unmanaged server is 'clean'.
I ran rkhunter, which reported the following warning:
```
[15:22:08] Checking for preloaded libraries [ Warning ]
[15:22:09] Warning: Found preloaded shared library: /lib64/libs.so
[15:22:09] Warning: Found preloaded shared library: /usr/sbin/libhttpd.so
```
These files were changed on the following dates/times:
```
/etc/ld.so.preload content:     2021-05-22
/etc/ld.so.preload properties:  2021-05-22
/usr/sbin/libhttpd.so content:     2018-05-08
/usr/sbin/libhttpd.so properties:  2021-05-22
/lib64/libs.so content:     2020-01-07
/lib64/libs.so properties:  2020-01-07
```
The md5sums of these files are as follows:
```
[root@hosting9 ~]# md5sum /etc/ld.so.preload /usr/sbin/libhttpd.so /lib64/libs.so
0b5ad0391b82d01d7ce2cdd1b4c32fbf  /etc/ld.so.preload
26b86cf364bec796886e6a92ba34256d  /usr/sbin/libhttpd.so
c8bd3af1c1fd1bf59736ef880470ec63  /lib64/libs.so
```
The content of `/etc/ld.so.preload` is:
```
 /lib64/libs.so /usr/sbin/libhttpd.so
```
... with one space at the beginning.
These are a few reasons I suspect these files are not clean:
* These files are not shipped by any packages (`yum whatprovides *libhttpd.so*`, `yum whatprovides *libs.so*`).
* These files cannot be found in `/usr/local/directadmin/custombuild/` or contents of files in `/usr/local/directadmin/custombuild/`.
* I've never seen a shared library in `/usr/sbin`.
* I cannot find these files on servers that we manage.
* Both files can be found on the suspicious files list of cPanel Security Investigator. It was added due to this issue, where the creator says that `/lib64/libs.so` is a symlink to `/usr/lib64/libs.so`, but `/lib64/libs.so` is a regular file here.
* There is mention of `/lib64/libs.so` on https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor (but the hashes of the IOCs don't match) and https://truxgoservers.com/blog/facefish-a-new-threat-targeting-linux/
Also, the modification and change timestamps of the aforementioned files don't exactly match the dates on which software was updated. CustomBuild and/or yum was run on the following dates:
* 2018-05-08
* 2018-06-14
* 2019-05-08
* 2019-05-20
* 2019-06-14
* 2019-09-23
* 2019-10-03
* 2019-11-04
* 2021-06-24
* 2021-06-25
* 2022-02-16
* 2022-03-25
* 2022-05-13
The dates 2021-05-22 and 2020-01-07 are missing, which means that the content and/or properties of at least one of those files was changed on a day that CustomBuild and yum didn't run. This implies that the files are not placed/maintained by DirectAdmin or system packages.
Could anyone confirm that the aforementioned files should indeed not be present on a 'normal' DirectAdmin system? Or has anyone seen the same files and figured out whether they're legitimate?
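The checks the post walks through by hand (parse `/etc/ld.so.preload`, confirm each entry is a real file and not a symlink, ask whether a package owns it, flag a shared object in a directory such as `/usr/sbin`, and compare mtime/ctime against the days CustomBuild or yum actually ran) can be scripted. The script below is an added example and is not code from the post, from DirectAdmin or from rkhunter. It assumes GNU coreutils (`stat -c`, `date -d`, `sha256sum`) and uses `rpm -qf` (or `dpkg -S`) for ownership, reporting "unknown" when neither exists; the scratch preload file and update-day list in `demo()` are constructed.

```sh
#!/bin/sh
# Added example, not code from the post or from DirectAdmin/rkhunter:
# a small triage script that automates the checks the post did by hand
# for every entry of an ld.so.preload file.  Assumes GNU coreutils
# (stat -c, date -d, sha256sum) and, for package ownership, rpm (the
# post's host) or dpkg; without either the owner is reported "unknown".
# The preload file and "updates" list built in demo() are constructed.

# One library path per line.  glibc reads the file as a whitespace-
# separated list with '#' comments, so the leading space the post
# noticed does not change what gets loaded (but is still worth noting).
preload_entries() {
    sed -e 's/#.*//' "$1" | tr -s ' \t\n' '\n' | sed -e '/^$/d'
}

# missing | symlink | regular | other.  The cPanel list the post cites
# expects /lib64/libs.so to be a symlink; a regular file there is a
# different artefact.
entry_kind() {
    if   [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo regular
    elif [ -e "$1" ]; then echo other
    else                   echo missing
    fi
}

# Shared objects normally live under a lib/lib64 directory; a .so in
# /usr/sbin (the post's case) is flagged as odd-location.
location_flag() {
    case "$1" in
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*|/usr/local/lib*/*) echo library-dir ;;
        *) echo odd-location ;;
    esac
}

# Owning package, "none" if no package owns the file (what the post's
# `yum whatprovides` showed), or "unknown" without rpm/dpkg.
pkg_owner() {
    if command -v rpm >/dev/null 2>&1; then
        if o=$(rpm -qf "$1" 2>/dev/null); then echo "$o"; else echo none; fi
    elif command -v dpkg >/dev/null 2>&1; then
        if o=$(dpkg -S "$1" 2>/dev/null); then echo "${o%%:*}"; else echo none; fi
    else
        echo unknown
    fi
}

# UTC days on which the content (mtime) or inode metadata (ctime)
# changed that are absent from $2, a file listing known update days
# (YYYY-MM-DD, one per line) such as the post's CustomBuild/yum dates.
unexplained_days() {
    for t in $(stat -c '%Y %Z' "$1"); do
        date -u -d "@$t" +%F
    done | sort -u | grep -vxF -f "$2" || true
}

# Tab-separated report: path, kind, location, owner, sha256,
# comma-separated unexplained change days.
audit_preload() {
    preload_entries "$1" | while IFS= read -r lib; do
        kind=$(entry_kind "$lib")
        if [ "$kind" = missing ]; then
            printf '%s\tmissing\n' "$lib"
            continue
        fi
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$lib" "$kind" \
            "$(location_flag "$lib")" "$(pkg_owner "$lib")" \
            "$(sha256sum "$lib" | cut -d' ' -f1)" \
            "$(unexplained_days "$lib" "$2" | paste -sd, -)"
    done
}

# Constructed demo: a scratch tree standing in for the post's host, with
# the same leading space in ld.so.preload.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/sbin"
    printf 'not a real ELF object\n' > "$d/usr/sbin/libhttpd.so"
    printf ' /lib64/libs.so %s/usr/sbin/libhttpd.so\n' "$d" > "$d/ld.so.preload"
    printf '2021-06-24\n2022-05-13\n' > "$d/updates"
    audit_preload "$d/ld.so.preload" "$d/updates"
    rm -rf "$d"
}

demo
```

On a real host, put the CustomBuild/yum dates from the post into a file and call `audit_preload /etc/ld.so.preload updates.txt`. Two caveats a practitioner should keep in mind: first, an attacker can set mtime freely (`touch -r`), but ctime can only be set by changing the system clock, so an unexplained ctime is the stronger signal; second, anything listed in `/etc/ld.so.preload` is injected into every dynamically linked process, including `sed`, `stat`, `md5sum` and `rpm` themselves, so a hooked library can lie to this script. Run the checks from a rescue boot or with statically linked tools before trusting the result.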