[CentOS] SSHD rootkit in the wild/compromise for CentOS 5/6?

Johnny Hughes johnny at centos.org
Fri Feb 22 00:03:01 UTC 2013


On 02/21/2013 05:32 PM, Gilbert Sebenste wrote:
> Hello everyone,
>
> I hope you are having a good day. However, I am concerned by this:
>
> https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
>
> Has anyone heard yet what the attack vector is, if 5.9 and 6.4 are 
> affected, and if a patch is coming out?
>

This issue is not CentOS specific ... here is another discussion:

http://www.webhostingtalk.com/showthread.php?t=1235797

The issue seems to be that someone with local access elevates their
privileges in some manner, and after they upgrade their privileges they
are then putting a new libkeyutils*.so file on the machine.

There is some talk that this vector might be this issue:

https://bugzilla.redhat.com/show_bug.cgi?id=911937

It is not yet known that this is the issue being used ... just
speculation at this point.

There is a 3.4.32 kernel in our Xen4 for CentOS6 testing repo that has
the patches rolled in for CVE-2013-0871.  3.4.32 is MUCH newer than the
standard EL6 kernel and I am not recommending that people use this
kernel in production without lots of testing ... and there should be a
distro kernel out to address CVE-2013-0871 soon since it is a priority
upstream. Here is a link where you can get that 3.4.32 kernel (x86_64
only) if you want to test it:

http://dev.centos.org/centos/6/xen-c6/x86_64/RPMS/

No one really knows what the vector currently is but there are methods
to scan for and fix the issue in the webhostingtalk thread above.

Since the current thought on this issue is that it requires local access
... the machines one needs to be very wary of are ones where many
people have non root access and might want to try to gain unauthorized
root ... like a shared web hosting machine.

When we know more, we will post it here,

Thanks,
Johnny Hughes
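The post above says the rootkit is dropped as a replacement libkeyutils*.so after a local privilege escalation, and that scan methods exist in the linked thread. As an added example, not code from this thread or from the CentOS project, the script below implements the two cheapest host-side checks that follow from that description: every libkeyutils*.so* found on disk must be owned by an RPM package, and `rpm -V` for that package must not report a size, digest or mtime change on it. The library directories, the use of `rpm -qf` for ownership, and the sample `rpm -V` lines used for illustration are assumptions and constructed data, not values from the page.

```python
#!/usr/bin/env python3
"""Check libkeyutils shared objects against the RPM database.

Added example (not from the CentOS list thread). Assumptions: EL5/EL6
library layout in LIB_DIRS, `rpm -qf` for ownership, `rpm -V` for
verification. Only the system-interaction helpers call rpm; the decision
logic is pure so it can be exercised on constructed rpm output.
"""
import glob
import os
import shutil
import subprocess

# Assumed search directories for the 32/64-bit library on EL5/EL6 hosts.
LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
PATTERN = "libkeyutils*.so*"


def find_candidates(dirs=LIB_DIRS):
    """Return every libkeyutils*.so* path found directly under dirs."""
    found = []
    for d in dirs:
        found.extend(sorted(glob.glob(os.path.join(d, PATTERN))))
    return found


def parse_rpm_verify(output):
    """Parse `rpm -V` output into {path: reason}.

    A line is either 'missing    /path' or a flag field such as
    'S.5....T.' (rpm 4.8 on EL6) or 'S.5....T' (rpm 4.4 on EL5), an
    optional attribute letter (c, d, ...), then the path. A '.' means that
    test passed. Size (S), digest (5) and mtime (T) are the changes that
    matter for a swapped shared object; ownership/mode drift is ignored.
    Paths containing whitespace are not handled (last token is taken).
    """
    suspects = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        flags, path = parts[0], parts[-1]
        if flags == "missing":
            suspects[path] = "missing"
            continue
        bad = [c for c in flags if c in "S5T"]
        if bad:
            suspects[path] = "changed:" + "".join(bad)
    return suspects


def owning_package(path):
    """Return the package name that owns path, or None if unowned."""
    r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


def assess(candidates, owners, verify_output):
    """Pure decision logic: combine ownership and rpm -V results.

    candidates: paths found on disk; owners: {path: package or None};
    verify_output: concatenated `rpm -V <pkg>` output for those packages.
    Returns a list of (path, finding) for anything worth a closer look.
    """
    modified = parse_rpm_verify(verify_output)
    findings = []
    for p in candidates:
        if owners.get(p) is None:
            findings.append((p, "not owned by any package"))
        elif p in modified:
            findings.append((p, modified[p]))
    return findings


def main():
    if shutil.which("rpm") is None:
        raise SystemExit("rpm not found; this check is for RPM-based hosts")
    cands = find_candidates()
    owners = {p: owning_package(p) for p in cands}
    verify_output = ""
    for pkg in sorted({o for o in owners.values() if o}):
        # rpm -V exits non-zero when anything differs; stdout still holds the report.
        verify_output += subprocess.run(["rpm", "-V", pkg],
                                        capture_output=True, text=True).stdout
    findings = assess(cands, owners, verify_output)
    for path, why in findings:
        print(f"SUSPECT {path}: {why}")
    if not findings:
        print(f"no unowned or modified libkeyutils objects in {len(cands)} checked")


if __name__ == "__main__":
    main()
```

Because the check trusts the local RPM database, a host that is already rooted can lie to it (a tampered database or a tampered `rpm` binary); treat a clean result as one signal, and compare the file digests against the same package on a known-good host or against the package file itself before trusting the machine.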


