

strange executable




Posted by tonytz, 11-17-2013, 07:16 PM
Recently, one of my servers was compromised through some security hole in a PHP script (note: the server is running suPHP). I cleaned up the server but did not reinstall it. However, there is this file on the server, /usr/bin/grscnfg, for which I couldn't find any reference on the internet. This file has the permissions set to -rwsr-xr-x, so basically any user can run it. Is this something to worry about or is this a normal file? The ctime stat on the file is around the time when the server was compromised. I uploaded this file to VirusTotal and it's clean... Any suggestions on what to do? Should I delete the file? Any advice would be greatly appreciated, thanks! Last edited by tonytz; 11-17-2013 at 07:20 PM.

Posted by wndml, 11-18-2013, 07:02 AM
Also check what it is, a binary or a script with And by the way, the only way to be sure is to wipe and reinstall the server. There are plenty of malware scripts and binaries that aren't flagged by virus or malware checkers, including rootkits. If you don't want to nuke the server I guess the "best" you can do is bring it to a rescue mode (as long as it doesn't boot from the server's own hdd) and do a thorough scan with various tools.

Posted by tonytz, 11-18-2013, 12:04 PM
yum whatprovides shows that there are no matches. Similarly, it doesn't belong to any package according to rpm, so I just gzipped it and moved it to another folder. Not sure if this is useful to do at this stage; I reviewed the output of rpm -Va and nothing suspicious came up. I really don't want to reinstall the server, but it looks like it will have to be done eventually. The attacker could potentially have gained root after the PHP script compromise, given that the server wasn't kept up to date with patches. Regardless, thanks very much for the tips.

Posted by ketan, 11-18-2013, 08:01 PM
You could try running the strings program over it to see if there are any hard-coded error messages, callbacks or HTTP endpoints. Just note this won't do much if the binary has any level of obfuscation or encryption.

Posted by Steven, 11-18-2013, 08:07 PM
Would you be willing to send it to me?

Posted by tonytz, 11-18-2013, 08:18 PM
Here is the entire strings output, though not sure what to make of it:

[root@server src]# strings grscnfg
/lib64/ld-linux-x86-64.so.2
fff.
fffff.
l$ L
t$(L
|$0H
yjN:
0zjN:
__gmon_start__
libc.so.6
setuid
system
setgid
__libc_start_main
GLIBC_2.2.5
/lib64/ld-linux-x86-64.so.2

Posted by tonytz, 11-18-2013, 08:20 PM
Sure, please let me know where you prefer the gzip of the file to be sent. Thanks.

Posted by Steven, 11-18-2013, 08:23 PM
steve@rack911.com. From your strings output it looks like a SUID shell, which would mean you were root compromised. Send it to me and I will confirm.

Posted by ketan, 11-18-2013, 08:42 PM
Steven beat me to it, but those 3 system calls there would indicate it is a shell that runs as root. It's probably something as simple as If there is one, there could be more. I would definitely look into reinstalling from scratch.
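Ketan's observation above (setuid, setgid and system appearing together in the import table of a set-id file that no package owns) can be turned into a defender's triage check. The script below is an added example and is not code from this thread or from any of its posters. It walks a directory tree for files with the setuid or setgid bit, extracts printable runs the way strings(1) does, flags files that carry both setuid and system, and asks rpm -qf which package owns each hit (reporting "unknown" when rpm is not installed, so it still runs on non-RPM systems). The sample tree built in demo() is constructed here: the file named grscnfg holds only the symbol names quoted in the thread, not a real binary.

```python
"""Triage helper: list set-id files, who owns them, and whether they look like a SUID shell."""
import os
import re
import shutil
import stat
import subprocess
import tempfile
import time

# Symbols that together suggested a "run my argument as root" binary in the thread.
SUID_SHELL_SYMBOLS = {"setuid", "system"}


def extract_strings(path, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like `strings` does by default."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    with open(path, "rb") as fh:
        data = fh.read()
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def looks_like_suid_shell(path):
    """Heuristic only: true when the file contains both 'setuid' and 'system' strings."""
    return SUID_SHELL_SYMBOLS.issubset(set(extract_strings(path)))


def find_setid_files(root):
    """Walk root and return regular files with the setuid or setgid bit, sorted by path."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)  # lstat: never follow symlinks while scanning
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(p)
    return sorted(hits)


def package_owner(path):
    """Owning RPM package name, None if no package owns the file, 'unknown' if rpm is absent."""
    if shutil.which("rpm") is None:
        return "unknown"
    res = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return res.stdout.strip() if res.returncode == 0 else None


def triage(root):
    """One record per set-id file: mode, ctime (compare with the incident window), owner, heuristic."""
    report = []
    for p in find_setid_files(root):
        st = os.lstat(p)
        report.append({
            "path": p,
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "ctime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_ctime)),
            "package": package_owner(p),
            "suid_shell_pattern": looks_like_suid_shell(p),
        })
    return report


def demo():
    """Build a constructed sample tree (no real malware) and triage it."""
    d = tempfile.mkdtemp()
    # Constructed stand-in for the file from the thread: only the symbol names, no code.
    bad = os.path.join(d, "grscnfg")
    with open(bad, "wb") as fh:
        fh.write(b"\x7fELF\x00\x00libc.so.6\x00setuid\x00system\x00setgid\x00__libc_start_main\x00")
    os.chmod(bad, 0o4755)
    # A set-id file that drops privileges but never calls system(): should not be flagged.
    ok = os.path.join(d, "passwd_like")
    with open(ok, "wb") as fh:
        fh.write(b"\x7fELF\x00\x00libc.so.6\x00setuid\x00getpwnam\x00")
    os.chmod(ok, 0o4755)
    # A plain file containing both words but no set-id bit: never even inspected.
    with open(os.path.join(d, "plain"), "wb") as fh:
        fh.write(b"setuid system")
    return triage(d)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real host you would call triage("/") as root, or get the same candidate list from the shell with `find / -xdev -type f -perm /6000` and check ownership with `rpm -qf` on each path; any set-id file that rpm does not claim, especially one whose ctime falls inside the incident window, is worth pulling off the box for analysis. The string heuristic is deliberately narrow and will miss anything packed or obfuscated, as ketan noted earlier in the thread.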

Posted by Steven, 11-18-2013, 08:47 PM
For onlookers to this thread, this is definitely a malicious file. As you can see I am logged in as user steven: I can escalate to root. Typical SUID shell. It starts off as user: Escalates to root (our patch won't catch the UID change in its current form through a SUID file, only group, but this gives you the idea.): Runs the argument as root. Definitely rooted. I would see if your openssh packages are compromised as well. Last edited by Steven; 11-18-2013 at 08:52 PM.

Posted by Steven, 11-18-2013, 08:48 PM
That is exactly the code, most likely; it's really common.

Posted by tonytz, 11-18-2013, 08:54 PM
OK, this is bad... looks like a long work day ahead of me. Thanks for explaining this!

Posted by tonytz, 11-18-2013, 08:56 PM
Steve, thank you very much for looking into this. This pretty much confirms the worst that could possibly happen to my server. What do you propose the best course of action is now? Please see my email also.

Posted by Steven, 11-18-2013, 08:59 PM
OS reinstall.
Secure the server.
Restore clean backups (if you have them).
There is also the possibility of these being inside accounts, so don't blindly rsync stuff over.

Posted by tonytz, 11-18-2013, 09:19 PM
Will do. Just ordered a new server and will set it up today. Thank you to everyone who responded to this thread!

Posted by wndml, 11-18-2013, 09:34 PM
How? Kernel vuln?

Posted by Steven, 11-18-2013, 09:53 PM
The binary has the SUID bit set. They got hacked some other way and this is a backdoor.

Posted by tonytz, 11-18-2013, 10:19 PM
Just checked (the package for /usr/libexec/openssh): rpm -V openssh-5.3p1-20.el6.x86_64. The command returned no output. Based on this, is it safe to assume that the openssh packages are not compromised?

Posted by ketan, 11-18-2013, 10:47 PM
RPM only produces output if there is a verification failure, so I would hazard a guess that your sshd hasn't been compromised. Better to be safe than sorry, though.

Posted by tonytz, 11-18-2013, 10:57 PM
Yeah, just to be on the safe side, I am preparing/setting up a new server right now, but not disconnecting the old one until the new one is ready for a smooth transfer, hopefully by the end of tomorrow morning.

Posted by Steven, 11-18-2013, 11:07 PM
That is a really old RPM package.
