Security

Root Compromised

Check whether the server has been root compromised by listing the extended attributes of the system binaries:

lsattr /usr/bin

Output from a root-compromised server. All of those files have been set immutable and append-only; that is what the "ia" in each attribute string means. A normal installation does not set these attributes on the binaries in /usr/bin.

[root@mail ~]# lsattr /usr/bin
s---ia------- /usr/bin/bzcmp
s---ia------- /usr/bin/getkeycodes
s---ia------- /usr/bin/enc2xs
s---ia------- /usr/bin/mail-files
s---ia------- /usr/bin/chage
s---ia------- /usr/bin/mdeltree
s---ia------- /usr/bin/nslookup
s---ia------- /usr/bin/semodule_link
s---ia------- /usr/bin/mbchk
s---ia------- /usr/bin/rpcgen
s---ia------- /usr/bin/lkbib
s---ia------- /usr/bin/dig
s---ia------- /usr/bin/webazolver
s---ia------- /usr/bin/pstruct
s---ia------- /usr/bin/spfd
s---ia------- /usr/bin/linux64
s---ia------- /usr/bin/semodule_expand
s---ia------- /usr/bin/readlink
s---ia------- /usr/bin/as
s---ia------- /usr/bin/makedb
s---ia------- /usr/bin/seq
s---ia------- /usr/bin/id
s---ia------- /usr/bin/colcrt
s---ia------- /usr/bin/pod2man
s---ia------- /usr/bin/zipnote
s---ia------- /usr/bin/hcitool
s---ia------- /usr/bin/lftp
s---ia------- /usr/bin/run-with-aspell
s---ia------- /usr/bin/[
s---ia------- /usr/bin/perl
s---ia------- /usr/bin/mailstat
s---ia------- /usr/bin/ecryptfs-setup-swap
s---ia------- /usr/bin/lpstat.cups
s---ia------- /usr/bin/linux32
s---ia------- /usr/bin/ipcclean
s---ia------- /usr/bin/pkill
s---ia------- /usr/bin/mzip
s---ia------- /usr/bin/mcookie
s---ia------- /usr/bin/pm-restart
s---ia------- /usr/bin/rcp
s---ia------- /usr/bin/fgconsole

Not root compromised

Output from a server that has not been root compromised. The only attribute shown is "e", the normal ext4 extents flag; neither "i" nor "a" is set.

[root@austin ~]# lsattr /usr/bin
-------------e- /usr/bin/pigz
-------------e- /usr/bin/isosize
-------------e- /usr/bin/php
-------------e- /usr/bin/system-config-firewall
-------------e- /usr/bin/ftpdctl
-------------e- /usr/bin/berkeley_db_svc
-------------e- /usr/bin/wftopfa
-------------e- /usr/bin/yum-builddep
-------------e- /usr/bin/tic
-------------e- /usr/bin/ptardiff
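
As an added example (not code from the original page), the shell script below automates the check above: it parses lsattr output, reports every entry carrying the lowercase immutable (i) or append-only (a) attribute, and ignores the harmless "e" (extents) flag seen on the clean host. The function names, the directory list in scan_dirs and the sample lines (constructed from the two outputs above) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page: automate the lsattr check.
# Flags every entry whose attribute string contains the lowercase
# immutable (i) or append-only (a) flag; the 'e' (extents) flag seen on a
# clean ext4 host is ignored. Function names and the directory list are
# assumptions made for this example.

# Read lsattr output on stdin and print "<attrs> <path>" for each entry
# carrying i or a. The attribute string is the first field; the path is
# everything after it (paths may contain spaces).
suspicious_attrs() {
    awk '$1 ~ /[ia]/ { attrs = $1; sub(/^[^ \t]+[ \t]+/, ""); print attrs, $0 }'
}

# Number of flagged entries on stdin (0 means nothing suspicious).
count_suspicious() {
    suspicious_attrs | wc -l | tr -d ' '
}

# Run lsattr over the given directories and filter the result. lsattr fails
# on non-ext filesystems and special files, so its errors are discarded.
scan_dirs() {
    for d in "$@"; do
        lsattr "$d"/* 2>/dev/null
    done | suspicious_attrs
}

# Constructed sample input based on the two outputs above: two entries from
# the compromised host and one from the clean host.
SAMPLE='s---ia------- /usr/bin/perl
s---ia------- /usr/bin/pkill
-------------e- /usr/bin/php'

# Usage: ./check_attrs.sh --scan   (scan the live system)
#        ./check_attrs.sh          (run against the constructed sample)
if [ "${1:-}" = "--scan" ]; then
    hits=$(scan_dirs /bin /sbin /usr/bin /usr/sbin)
else
    hits=$(printf '%s\n' "$SAMPLE" | suspicious_attrs)
fi
if [ -n "$hits" ]; then
    printf 'Immutable/append-only binaries found:\n%s\n' "$hits"
else
    printf 'No immutable or append-only binaries found.\n'
fi
```

Run it with --scan on the live host; any hit on a system binary is worth comparing against a known-good baseline before trusting the machine.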

Other checks:

I would also check the following:

Logs. If you have root access, check the shell history (which gives you the command history) and the log files under /var/log.

Baseline. If you have a baseline of file hashes for application and system files, this will help a lot. You can also compare against backups to see a previous state. If you use a backup for the comparison, pick a slightly older one if you can: the site may have been compromised a while before, with the redirect only activated now.

Check any includes. The files may not be on your server. They may be script includes such as
