
Changes to suexec?

Eric Pretorious

Regular Pleskian
http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ said:
The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis... We also recommend using... `rpm --verify` for RPM based systems, to verify the integrity of your Apache web server package installation.
While searching for the Linux/CDorked.A exploit, I discovered that the suexec binary has been modified:
Code:
[root@www httpd]# rpm -V httpd
S.5....T.  c /etc/httpd/conf/httpd.conf
S.5....T.    /usr/sbin/suexec

[root@www httpd]# for x in `rpm -ql httpd | grep sbin` ; do ls -al $x ; done
-rwxr-xr-x 1 root root 3916 Feb 22 11:19 /usr/sbin/apachectl
-rwxr-xr-x 1 root root 19984 Feb 22 11:21 /usr/sbin/htcacheclean
-rwxr-xr-x 1 root root 354816 Feb 22 11:21 /usr/sbin/httpd
-rwxr-xr-x 1 root root 368168 Feb 22 11:21 /usr/sbin/httpd.event
-rwxr-xr-x 1 root root 367240 Feb 22 11:21 /usr/sbin/httpd.worker
-rwxr-xr-x 1 root root 11192 Feb 22 11:21 /usr/sbin/httxt2dbm
-rwxr-xr-x 1 root root 16744 Feb 22 11:21 /usr/sbin/rotatelogs
-r-s--x--- 1 root apache 24128 May  3 04:00 /usr/sbin/suexec
Could this be the result of a PP microupdate or is this an exploit? I only ask because PP touches/modifies so many parts of the host system...
 
I'm 99.9% certain that one of the latest MUs updates it.

Yeah, I kinda figured when I found this:
Code:
[root@www rocket-powered.com]# strings /usr/sbin/suexec | grep -i sw
sw-cp-server

[root@www rocket-powered.com]# strings /usr/sbin/suexec | grep -i psa
psaserv
psaadm
_MIN_POSSIBLE_PSA_CONF_VAR_NAME
_MAX_POSSIBLE_PSA_CONF_VAR_NAME
_MIN_POSSIBLE_PSA_CONF_VAR_VALUE
_MAX_POSSIBLE_PSA_CONF_VAR_VALUE
/etc/psa/psa.conf
/usr/local/psa/bin/php-cli
/var/lib/psa/dumps
/usr/local/psa
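The two checks done by hand in the posts above (triaging `rpm -V` output, then looking for Plesk markers in the flagged binary) can be scripted. The following is an added example written for this page, not code from the thread or from Plesk. It assumes the standard `rpm -V` line format (nine flag characters, an optional attribute letter such as `c` for config files, then the path) and uses the marker strings that appear in the thread (`psa`, `sw-cp-server`) as a constructed allow-list; the sample `rpm -V` lines fed to `demo` are copied from the first post plus one constructed `missing` line. `tr` stands in for `strings(1)` so the check works on a host without binutils.

```shell
#!/bin/sh
# Added example (not from the thread or from Plesk): triage `rpm -V`
# output and look for Plesk markers in a binary that rpm flags as modified.
# Assumptions: rpm's verify line format (9 flag chars, optional attribute
# letter, path) and the marker strings psa / sw-cp-server seen in the thread.

# classify_rpm_verify: read `rpm -V <pkg>` lines on stdin, print one
# verdict per line.  Flags: S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P caps.  A 'c' attribute marks a config file,
# whose content is expected to differ from the package default.
classify_rpm_verify() {
  set -f                       # no globbing: a '?' flag would otherwise expand
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "$line" in
      missing*)                # file deleted from disk: always worth a look
        printf 'ALERT missing %s\n' "${line##* }"; continue ;;
      Unsatisfied*)            # dependency noise, not a file change
        continue ;;
    esac
    # shellcheck disable=SC2086  -- deliberate word-splitting of the line
    set -- $line
    flags=$1
    if [ $# -ge 3 ]; then attr=$2; path=$3; else attr=''; path=$2; fi
    case "$flags" in
      *5*|*S*|*M*|*U*|*G*|*L*)   # content, size, mode, owner or link target changed
        if [ "$attr" = c ]; then
          printf 'INFO  config-changed %s %s\n' "$flags" "$path"
        else
          printf 'ALERT modified %s %s\n' "$flags" "$path"
        fi ;;
      *)                         # only mtime (T) or other harmless metadata
        printf 'INFO  metadata-only %s %s\n' "$flags" "$path" ;;
    esac
  done
  set +f
}

# count_plesk_markers: count printable strings in a file that mention the
# Plesk markers seen in the thread (psa, sw-cp-server).  Uses tr instead of
# strings(1) so it runs without binutils.  A count of 0 on a binary that
# rpm -V reports as modified means the change is NOT explained by Plesk.
count_plesk_markers() {
  tr -c '[:print:]' '\n' < "$1" | grep -c -i -e 'psa' -e 'sw-cp-server' || true
}

# demo: the rpm -V lines from the first post plus one constructed 'missing' line.
demo() {
  printf '%s\n' \
    'S.5....T.  c /etc/httpd/conf/httpd.conf' \
    'S.5....T.    /usr/sbin/suexec' \
    '.......T.    /usr/sbin/httpd' \
    'missing     /usr/sbin/rotatelogs' | classify_rpm_verify
}

demo
# Live use: rpm -V httpd | classify_rpm_verify; count_plesk_markers /usr/sbin/suexec
```

On a Plesk host the `/usr/sbin/suexec` ALERT is the expected one, as the thread concludes: the replacement binary carries `psaserv`, `psaadm` and `/etc/psa/psa.conf`, so `count_plesk_markers` returns a non-zero count. An ALERT on a binary with a count of 0 is the case that deserves the CDorked-style investigation. One caveat the script cannot remove: `rpm -V` compares files against the local RPM database, which anything running as root can also rewrite, so for a host you suspect, verify against a package file fetched from a trusted mirror (`rpm -Vp <package>.rpm`) or compare hashes with a known-good machine, and keep a copy of the flagged binary before touching it.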

It would be sensible to make a copy of it though.

That's a great idea, Faris!

Thanks.