If you've been following the news, you may have heard of a new backdoor that replaces your Apache binary.
While it's a great idea to install something like Tripwire or CSF to let you know when a binary changes, ad hoc integrity checks using yum are also possible.
A short and to-the-point example follows.
For this example we are going to "infect" the GCC binary, as if we were creating a backdoored compiler.
Step 1: Install yum verify
yum install yum-verify -y
Step 2: Let's do some damage.
echo "." >> /usr/bin/gcc
Step 3: Running and understanding yum verify-rpm
You can invoke yum verify-rpm to check the package's integrity:
yum verify-rpm gcc
Loaded plugins: fastestmirror, presto, priorities, verify
==================== Installed Packages ====================
gcc.x86_64 : Various compilers (C, C++, Objective-C, Java, …)
File: /usr/bin/gcc
Problem: checksum does not match
Current: sha256:c2ddfb51a2e631e6176d550c035ab9484043a4be6732cb405a92bad3ecfd1e35
Original: sha256:173b459de91d3d08fb04ec72eafac6a3fad87c5a75bdfb381e071e48e8c16fa8
--------
Problem: size does not match
Current: 263890 B
Original: 263888 B
--------
Problem: mtime does not match
Current: Thu May 9 16:05:48 2013 (77 days, 0:29:20 later)
Original: Thu Feb 21 15:36:28 2013
File: /usr/bin/x86_64-redhat-linux-gcc
Problem: checksum does not match
Current: sha256:c2ddfb51a2e631e6176d550c035ab9484043a4be6732cb405a92bad3ecfd1e35
Original: sha256:173b459de91d3d08fb04ec72eafac6a3fad87c5a75bdfb381e071e48e8c16fa8
--------
Problem: size does not match
Current: 263890 B
Original: 263888 B
--------
Problem: mtime does not match
Current: Thu May 9 16:05:48 2013 (77 days, 0:29:20 later)
Original: Thu Feb 21 15:36:28 2013
verify-rpm done
Well, there is your problem: the binary no longer matches the original hash. Note that this tool will also flag configuration files you edited after installation, so not every mismatch it reports is malicious.
Step 4: Remediate the problem by reinstalling the old package
A reinstall is simple:
yum reinstall gcc
Loaded plugins: fastestmirror, presto, priorities, verify
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
* base: www.fedora.is
* extras: www.fedora.is
* updates: www.fedora.is
Resolving Dependencies
--> Running transaction check
---> Package gcc.x86_64 0:4.4.7-3.el6 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved
==============================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================
Reinstalling:
gcc x86_64 4.4.7-3.el6 base 10 M

Transaction Summary
==============================================================================================================================
Reinstall 1 Package(s)

Total download size: 10 M
Installed size: 19 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 10 M
gcc-4.4.7-3.el6.x86_64.rpm | 10 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : gcc-4.4.7-3.el6.x86_64 1/1
Verifying : gcc-4.4.7-3.el6.x86_64 1/1

Installed:
gcc.x86_64 0:4.4.7-3.el6

Complete!
Step 5: Verify that the package is now correct
yum verify-rpm gcc
Loaded plugins: fastestmirror, presto, priorities, verify
verify-rpm done
No output between the plugin banner and "verify-rpm done" means the package's files once again match the checksums, sizes and mtimes recorded in the RPM database. Bear in mind that the comparison is only against that local database, which a root-level intruder could also rewrite, so treat a clean result as a useful check rather than proof.
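When you run verify-rpm across many packages, the block-per-file text above is awkward to review by eye. The following parser is an added example (not part of yum-verify or of the original post) that turns that output into a structured result and separates checksum mismatches, the real signal, from size/mtime-only findings; the sample input is constructed from the page's run for /usr/bin/gcc plus one made-up file that only has an mtime mismatch.

```python
import re

# Constructed sample input: the `yum verify-rpm gcc` output shown on the page
# for /usr/bin/gcc, plus one made-up file that only has an mtime mismatch.
SAMPLE = """\
==================== Installed Packages ====================
gcc.x86_64 : Various compilers (C, C++, Objective-C, Java, ...)
File: /usr/bin/gcc
Problem: checksum does not match
Current: sha256:c2ddfb51a2e631e6176d550c035ab9484043a4be6732cb405a92bad3ecfd1e35
Original: sha256:173b459de91d3d08fb04ec72eafac6a3fad87c5a75bdfb381e071e48e8c16fa8
--------
Problem: mtime does not match
Current: Thu May 9 16:05:48 2013 (77 days, 0:29:20 later)
Original: Thu Feb 21 15:36:28 2013
File: /usr/bin/touched-only
Problem: mtime does not match
Current: Thu May 9 16:06:00 2013 (77 days, 0:29:32 later)
Original: Thu Feb 21 15:36:28 2013
verify-rpm done
"""

PACKAGE_RE = re.compile(r"^(\S+) : ")              # "gcc.x86_64 : Various compilers"
PROBLEM_RE = re.compile(r"^Problem: (\w+) does not match$")


def parse_verify_rpm(text):
    """Return {package: {path: {attribute: {'current': ..., 'original': ...}}}}."""
    findings = {}
    package = path = attribute = None
    for line in text.splitlines():
        if line.startswith("File: "):
            path = line[len("File: "):]
            findings[package][path] = {}
        elif line.startswith("Problem: "):
            attribute = PROBLEM_RE.match(line).group(1)   # checksum / size / mtime
            findings[package][path][attribute] = {}
        elif line.startswith("Current: "):
            findings[package][path][attribute]["current"] = line[len("Current: "):]
        elif line.startswith("Original: "):
            findings[package][path][attribute]["original"] = line[len("Original: "):]
        elif PACKAGE_RE.match(line):                    # new package header
            package = PACKAGE_RE.match(line).group(1)
            findings[package] = {}
    return findings


def tampered_files(findings):
    """(package, path) pairs whose content hash differs; size/mtime alone only corroborate."""
    return sorted((pkg, path) for pkg, files in findings.items()
                  for path, problems in files.items() if "checksum" in problems)
```

Feed it the real output with `parse_verify_rpm(subprocess.check_output(["yum", "verify-rpm"], text=True))` and review `tampered_files()` first; the mtime-only entries are where edited configs and touched files usually land.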