[CentOS] I may have been rooted - but I may not!? FOLLOW UP

Nigel Kendrick support-lists at petdoctors.co.uk
Mon Jan 26 11:31:02 UTC 2009


Ralph,

Thanks for the info. I expect this is Asterisk-related.

Nigel 

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf
Of Ralph Angenendt
Sent: Monday, January 26, 2009 11:25 AM
To: centos at centos.org
Subject: Re: [CentOS] I may have been rooted - but I may not!? FOLLOW UP

Nigel Kendrick wrote:
> Just found ZK root kit.
>  
> Any ideas on infection vector?

> This is a Trixbox Server based on Centos, running kernel 2.6.18-53.1.4.el5
> SMP

Not really saying anything about the vector, but that kernel has a local
root exploit (google for 'vmsplice'). One of the reasons one should keep
his boxes updated ...

> I have checked the logs and history file and cannot see anything
> The server is behind a hardware firewall and the only ports open are those
> needed for RTP, IAX2 and SIP - there is no other public access and no user
> accounts.

Did you update asterisk as regularly as you updated the rest of the
system?

<http://www.derkeiler.com/Mailing-Lists/Securiteam/2008-03/msg00069.html>

And there is exploit code for this vulnerability. So I get in via this
and get root via vmsplice and then suddenly Bob's your uncle and the box
isn't yours anymore.

SIP and IAX2 exploits are from 2007, there has been an information
disclosure weakness in IAX2 too, which has been announced some days ago.
But that would "only" lead to knowledge about valid users on the system.

Ralph



More information about the CentOS mailing list