yum update problem / do i have a security problem?

[hfr]

Hello,

today I had a strange problem updating my centos 5.7 64-bit. The Server is used for webhosting via ispconfig 3 (-> perfect server guide)

Quote:

...
Dependencies Resolved

================================================== =============================================
Package Arch Version Repository Size
================================================== =============================================
Updating:
openssh-server x86_64 4.3p2-72.el5_7.5 updates 278 k

Transaction Summary
================================================== =============================================
Install 0 Package(s)
Upgrade 1 Package(s)

Total size: 278 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : openssh-server 1/2
Error unpacking rpm package openssh-server-4.3p2-72.el5_7.5.x86_64
error: unpacking of archive failed on file /usr/sbin/sshd: cpio: rename

Failed:
openssh-server.x86_64 0:4.3p2-72.el5_7.5

Complete!

I looked at /usr/sbin/sshd ...

Quote:

[root@server ~]# ll /usr/sbin/sshd
-rwxrwxrwx 1 root apache 288592 12. Sep 2010 /usr/sbin/sshd

... and tried to change group, which did not work:

Quote:

[root@server sbin]# chgrp root /usr/sbin/sshd
chgrp:
Ändern der Gruppe für /usr/sbin/sshd: Die Operation ist nicht erlaubt

(translation: operation is not permitted)

After a bit of searching I found a +i-Flag in ext-attributes:

Code:

[root@server ~]# lsattr /usr/sbin/sshd
----i-------- /usr/sbin/sshd

After disabling that, everything worked fine again

Quote:

chattr -i /usr/sbin/sshd

Now I am wondering who/what set this Flag in ext3-Attributes and who changed group of sshd to apache. May my server has been attacked successfully? I checked processes, open ports and chkrootkit but found nothing.

Does anybody has an idea which can caused these oddities?

Best Regards
hans

[falko]

Did you run rkhunter?