[Asterisk-Users] Does Asterisk overwrite any libraries?

PJ Welsh pj at cassens.com
Thu Dec 4 06:27:25 MST 2003


On Wed, Dec 03, 2003 at 10:42:40PM -0500, TeleSIP wrote:
> A good rootkit will also modify the date and time of the replaced binaries
> so they will look the same as the original.
> 
> Try to replace your "ps" command with that from a trusted RH9 machine.  If
> it works ok then you must do a clean install to get rid of the rootkit.

Using the RPM database for package verification is also a good way to check (better than a date/time stamp). So:

rpm -V procps 

procps is the package for ps and some other commands, "V" = verify the whole package. This should NOT return ANY error or information. So, if you get something like "S.5....T c /bin/ps" or ANYTHING else for THIS package you've got a problem.

This doesn't 100% work on all rpm pkgs. You often modify config files and they show up like this:

rpm -V ypbind
S.5....T c /etc/yp.conf

This means that you need to use some judgement. Generally, if you have a binary, it should not change. Configs will or can change.

You could also look to do:

rpm -qf `which ps`

This should return a line that says procps-{version}. If the output of this rpm command shows "file nohup.out is not owned by any package" you are running (based on your $PATH variable) the wrong ps command. This only works for rpm installed pkgs, not your normal tar installs. This is just one of the pluses for a pkg manager (not just rpm).

These are based on the partial belief that the hackers with rootkits aren't "upgrading" your procps package to their version. Basically, this is just another clue to look at and should NOT be done in isolation.

For some better options, check out:

http://freshmeat.net

and search for "system integrity" then "Intrusion Detection"

AIDE (Advanced Intrusion Detection Environment) is a standout in this realm (free replacement for Tripwire).

> 
> 
> ----- Original Message ----- 
> From: "Paul Oster" <devious at minot.com>
> To: <asterisk-users at lists.digium.com>
> Sent: Wednesday, December 03, 2003 10:24 PM
> Subject: Re: [Asterisk-Users] Does Asterisk overwrite any libraries?
> 
> 
> > Looks like your box has been compromised.  Try
> >
> > ls -l `which ps`
> >
> > You'll probably find an inappropriate date.  Whenever I've diagnosed
> > problems like this, I've found badly installed rootkits.
> >
> > To address this on my production machines, I'm going to instruct the
> > router to only allow traffic that is coming from trusted locations
> > to connect to the box anyplace.
> >
> > I really hope I'm wrong about this Costas, but you should probably start
> > verifying your binaries.
> >
> > If your machine has been compromised, a clean install, and patch with
> > all the updated RPMS is a recommended solution.
> >
> > Paul
> > costas wrote:
> >
> > >I am using a brand new RH9.0 installation. I installed Asterisk
> > >afterwards so I am not sure if Asterisk caused the problem below. The ps
> > >doesn't work. It could also be something else. I also tried installing a
> > >some video package. But I thought to ask here first if someone has seen this
> > >before.
> > >
> > >[root at localhost asterisk]# ps
> > >ps: error while loading shared libraries: libproc.so.2.0.6: cannot open
> > >shared object file: No such file or directory
> > >
> > >[root at localhost asterisk]# which ps
> > >/bin/ps
> > >
> > >Thanks
> > >Costas
> > >
> > >--
> > >Costas Menico
> > >Meezon Software Corp
> > >201-224-8111
> > >costas at meezon.com
> > >
> > >--
> > >_______________________________________________
> > >Asterisk-Users mailing list
> > >Asterisk-Users at lists.digium.com
> > >http://lists.digium.com/mailman/listinfo/asterisk-users
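The rpm -V triage that PJ Welsh describes above, as an added example (not code from the list or from any of the posters): it reads rpm -V output, treats config-file entries (type flag "c") as review items, and flags any other changed or missing file as a problem. The sample lines are constructed, not real output from any host.

```shell
#!/bin/sh
# Added example (not from the list post): triage `rpm -V` output the way the
# reply above describes, separating expected config-file changes (type flag
# 'c') from changes to binaries and libraries, which should never happen.
# Attribute string: S size, M mode, 5 MD5 digest, D device, L link,
# U user, G group, T mtime; '.' means that test passed.

# Reads rpm -V lines on stdin, prints one classified line per entry.
triage_rpm_verify() {
    while read -r attrs rest; do
        [ -n "$attrs" ] || continue
        case "$rest" in
            "c "*|"d "*|"g "*|"l "*|"r "*)      # optional file-type flag
                ftype=${rest%% *}; path=${rest#* } ;;
            *)  ftype=""; path=$rest ;;
        esac
        if [ "$attrs" = "missing" ]; then
            echo "MISSING: $path"
        elif [ "$ftype" = "c" ]; then
            echo "config changed (review): $path [$attrs]"
        else
            # Any failed test other than mtime on a non-config file is a red
            # flag: a rootkit that restores the timestamp still fails the MD5.
            case "$attrs" in
                *S*|*M*|*5*|*D*|*L*|*U*|*G*) echo "SUSPECT: $path [$attrs]" ;;
                *) echo "mtime only (still check): $path [$attrs]" ;;
            esac
        fi
    done
}

# Succeeds (exit 0) when the triaged input contains anything needing action.
has_suspects() {
    triage_rpm_verify | grep -q -e '^SUSPECT' -e '^MISSING'
}

# Constructed sample in rpm -V format (not real output from any host).
SAMPLE='S.5....T c /etc/yp.conf
S.5....T   /bin/ps
.......T d /usr/share/doc/procps/NEWS
missing   /lib/libproc.so.2.0.6'

# Real use: rpm -V procps | triage_rpm_verify
printf '%s\n' "$SAMPLE" | triage_rpm_verify
if printf '%s\n' "$SAMPLE" | has_suspects; then
    printf '%s\n' "--> investigate before trusting this host's binaries"
fi
```

Because rpm and its database live on the suspect host, the result is only as trustworthy as they are, which is the caveat the reply makes about an attacker "upgrading" the package.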
