[CentOS] Unknown rootkit causes compromised servers

Johnny Hughes johnny at centos.org
Tue Jan 29 01:55:03 UTC 2008


Johnny Hughes wrote:
> Here is the applicable article:
> 
> http://www.linux.com/feature/125548
> 
> There are links in the above article that explain tests for the system 
> and what is currently known about the rootkit.
> 
> Apparently initial access is NOT via any vulnerability but just guessed 
> root passwords.
> 
> There are currently 2 methods to see if you are infected:
> 
> 1.  In some cases, the root kit causes you to not be able to create 
> directories starting with a number ... so as root do:
> 
> mkdir 1
> 
> If it gives you an error similar to this, you are probably infected:
> 
> mkdir: cannot create directory `1': No such file or directory
> 
> 2.  Run this command for several minutes while you have windows users 
> connecting to your web server:
> 
> tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
> 
> If you get output from this script, you may be infected.
> 
> ========================================================
> More info:
> 
> http://blog.cpanel.net/?p=31
> 
> http://www.cpanel.net/security/notes/random_js_toolkit.html
> 
> http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
> 
> http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html
> 
> http://www.webhostingtalk.com/showthread.php?t=651748
> 
> ==========================================================
> 
> This does not seem to be caused by a specific vulnerability that CentOS 
> or RHEL or cPanel has, but rather it seems to be caused by compromised 
> root passwords.
> 
> There are several recommendations in the above links to prevent becoming 
> infected as well as what to do if you are infected.
> 
> While there does not seem to be anything that the CentOS Development 
> Team can "FIX" in relation to this issue ... I thought I would put the 
> information out so that people can test their machines and take action 
> as necessary.

As a secondary note, the CentOS Security Team (and also the upstream 
security team) would like to have access to an infected machine for 
analysis, if anyone is infected and if they can spare the machine for 
several days for us to analyze (you should change your root passwd and 
take apache off line ... meaning you would need to stand up another web 
server to replace this one).

So, if you have a machine for the cause that was infected in the wild 
that you can spare, you can contact the CentOS Security team at:

security_AT_centos.org

We will work also with the Red Hat Security team and see if we can 
isolate any issues that might be FIXABLE.

Thanks,
Johnny Hughes
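The two checks quoted in the message above, wrapped as POSIX shell functions so they can be run from an incident-response checklist. This is an added example, not part of the original message and not CentOS or cPanel code; the function names, the scratch-directory handling and the sample capture text are my own constructions. The grep expression in js_scan_as_posted is the one from the post; js_scan_strict is a tighter variant I added because the posted pattern matches any run of five letters and so also flags legitimate names such as 'jquery.js'.

```shell
#!/bin/sh
# Added example, not from the original post: the two detection checks that
# the quoted message describes, as shell functions. Function names are my own.

# Check 1: the reported symptom is that mkdir fails for directory names that
# start with a digit. Try it inside a fresh scratch directory (so nothing in
# the real filesystem is touched) and report. Returns 0 if the mkdir worked
# (no symptom), 1 if it failed (symptom present; investigate further).
numeric_mkdir_check() {
    scratch=$(mktemp -d) || return 2
    if mkdir "$scratch/1" 2>/dev/null; then
        rm -r "$scratch"
        echo "clean: mkdir of a digit-named directory works"
        return 0
    fi
    rm -r "$scratch"
    echo "suspect: mkdir of a digit-named directory failed"
    return 1
}

# Check 2: the post's pipeline 'tcpdump -nAs 2048 src port 80 | grep ...'
# looks for a script reference of five letters, '.js' and a closing single
# quote in responses leaving the web server. These functions apply the same
# test to text already captured to a file (for example tcpdump -A output saved
# with a redirect) and print the number of matching lines.
#
# js_scan_as_posted uses the exact expression from the message. It matches
# any run of five letters, so a legitimate 'jquery.js' also matches on its
# last five letters.
js_scan_as_posted() {
    grep -c "[a-zA-Z]\{5\}\.js'" "$1" || true
}

# js_scan_strict is my tighter variant: it requires a non-letter before the
# five letters, so only names of exactly five letters match. Fewer false
# positives, same idea.
js_scan_strict() {
    grep -c "[^a-zA-Z][a-zA-Z]\{5\}\.js'" "$1" || true
}

# Constructed sample of what tcpdump -A output from a web server could look
# like: one random-looking five-letter reference, one legitimate library, one
# unrelated line. Writes it to a temp file and prints the path.
write_sample_capture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
<html><head><script src='qwert.js'></script>
<script src='jquery.js'></script>
<script src="menu.js"></script></head>
EOF
    echo "$f"
}

# Stand-alone run: perform both checks and print the results.
if [ "${1:-}" = "run" ]; then
    numeric_mkdir_check
    sample=$(write_sample_capture)
    echo "as posted, matching lines: $(js_scan_as_posted "$sample")"
    echo "strict, matching lines:    $(js_scan_strict "$sample")"
    rm -f "$sample"
fi
```

Run it with `sh check.sh run`. On the constructed sample the posted pattern reports two lines (the random-looking name and jquery.js) while the strict variant reports one, which is why a hit from the posted one-liner is a reason to look closer rather than proof of compromise; the mkdir symptom, as the post says, only appears "in some cases", so a clean result there does not clear the machine either.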
