[CentOS] I may have been rooted - but I may not!? FOLLOW UP

Mon Jan 26 11:25:29 UTC 2009
Ralph Angenendt <ra+centos at br-online.de>

Nigel Kendrick wrote:
> Just found ZK root kit.
>  
> Any ideas on infection vector?

> This is a Trixbox Server based on Centos, running kernel 2.6.18-53.1.4.el5
> SMP

Not really saying anything about the vector, but that kernel has a local
root exploit (google for 'vmsplice'). One of the reasons one should keep
his boxes updated ...

> I have checked the logs and history file and cannot see anything
> The server is behind a hardware firewall and the only ports open are those
> needed for RTP, IAX2 and SIP - there is no other public access and no user
> accounts.

Did you update asterisk as regularly as you updated the rest of the
system?

<http://www.derkeiler.com/Mailing-Lists/Securiteam/2008-03/msg00069.html>

And there is exploit code for this vulnerability. So I get in via this
and get root via vmsplice and then suddenly Bob's your uncle and the box
isn't yours anymore.

SIP and IAX2 exploits are from 2007, there has been an information
disclosure weakness in IAX2 too, which has been announced some days ago.
But that would "only" lead to knowledge about valid users on the system.

Ralph
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos/attachments/20090126/9a4ece11/attachment-0005.sig>