[CentOS] Unknown rootkit causes compromised servers

Tue Jan 29 01:30:11 UTC 2008
Johnny Hughes <johnny at centos.org>

Here is the applicable article:

http://www.linux.com/feature/125548

There are links in the above article that explain tests for the system 
and what is currently known about the rootkit.

Apparently initial access is NOT via any vulnerability but just guessed 
root passwords.

There are currently 2 methods to see if you are infected:

1.  In some cases, the rootkit causes you to not be able to create 
directories starting with a number ... so as root do:

mkdir 1

If it gives you an error similar to this, you are probably infected:

mkdir: cannot create directory `1': No such file or directory

2.  Run this command for several minutes while you have Windows users 
connecting to your web server:

tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"

If you get output from this script, you may be infected.
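Both checks above, wrapped as shell functions so they can be repeated or dropped into a cron job, plus the post's grep pattern applied to saved HTTP response bodies so the second check can be tried without live traffic. This is an added example, not code from the post or from the linked cPanel/Finjan notes; the function names and the sample HTML are constructed here, and it assumes a POSIX sh with `mktemp` and a `grep` that understands `\{n\}` intervals (GNU grep does).

```sh
#!/bin/sh
# Added example (not from the original post or the linked advisories): the two
# checks described in the post as reusable functions, plus the post's grep
# pattern run against saved response bodies. Function names and sample markup
# are constructed for this example.

# Check 1: a healthy system can create a directory whose name starts with a
# digit. Returns 0 if mkdir succeeds (no sign of the rootkit), 1 if it fails the
# way the post describes, 2 if no scratch directory could be created at all.
check_numeric_mkdir() {
    scratch=$(mktemp -d 2>/dev/null) || return 2
    if mkdir "$scratch/1" 2>/dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# Check 2, offline form: count lines in a saved response body that match the
# post's pattern, i.e. at least five letters, then ".js", then a single quote
# (the injected tag references a random five-letter script name). This is the
# same regular expression as the tcpdump | grep one-liner in the post.
count_random_js_hits() {
    # grep -c exits 1 when nothing matches; keep the "0" it printed anyway
    grep -c "[a-zA-Z]\{5\}\.js'" "$1" || true
}

# Check 2, live form: the post's one-liner verbatim. Needs root and real browser
# traffic to the web server, so it is defined here but not run automatically.
watch_live_traffic() {
    tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
}

# Constructed sample response bodies for exercising the offline check. Prints
# the directory they were written to.
make_samples() {
    dir=$(mktemp -d) || return 1
    # Clean page: double-quoted, non-random script name; should give 0 hits.
    printf '%s\n' '<html><head><script src="/js/app.js"></script></head><body>ok</body></html>' > "$dir/clean.html"
    # Page carrying an injected tag with a random five-letter name in single quotes.
    printf '%s\n' "<html><head><script src='qtwxz.js'></script></head><body>ok</body></html>" > "$dir/injected.html"
    # Legitimate page that also trips the pattern: six letters before .js' still match.
    printf '%s\n' "<html><head><script src='jquery.js'></script></head><body>ok</body></html>" > "$dir/false_positive.html"
    printf '%s\n' "$dir"
}

# Stand-alone run: report both checks against the constructed samples.
demo() {
    if check_numeric_mkdir; then
        echo "mkdir test: ok (directory starting with a digit was created)"
    else
        echo "mkdir test: FAILED (matches the symptom described in the post)"
    fi
    samples=$(make_samples) || return 1
    for f in "$samples"/*.html; do
        printf '%s: %s hit(s)\n' "$(basename "$f")" "$(count_random_js_hits "$f")"
    done
    rm -rf "$samples"
}

demo
```

Note what the third sample shows: the pattern matches any `.js` reference that is preceded by five or more letters and closed by a single quote, so a legitimate page with `src='jquery.js'` produces output too. That is why the post says output "may" indicate infection; treat a hit as a prompt to inspect the actual page source served to a Windows browser, not as a verdict.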

========================================================
More info:

http://blog.cpanel.net/?p=31

http://www.cpanel.net/security/notes/random_js_toolkit.html

http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3

http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html

http://www.webhostingtalk.com/showthread.php?t=651748

==========================================================

This does not seem to be caused by a specific vulnerability that CentOS 
or RHEL or cPanel has, but rather it seems to be caused by compromised 
root passwords.

There are several recommendations in the above links to prevent becoming 
infected as well as what to do if you are infected.

While there does not seem to be anything that the CentOS Development 
Team can "FIX" in relation to this issue ... I thought I would put the 
information out so that people can test their machines and take action 
as necessary.

Thanks,
Johnny Hughes
