[CentOS] SSHD rootkit in the wild/compromise for CentOS 5/6?

Johnny Hughes johnny at centos.org
Fri Feb 22 20:11:43 UTC 2013


On 02/22/2013 01:50 PM, Les Mikesell wrote:
> On Thu, Feb 21, 2013 at 6:03 PM, Johnny Hughes <johnny at centos.org> wrote:
>> This issue is not CentOS specific ... here is another discussion:
>>
>> http://www.webhostingtalk.com/showthread.php?t=1235797
>>
>> The issue seems to be that someone with local access elevates their
>> privileges in some manner, and after they upgrade their privileges they
>> are then putting a new libkeyutils*.so file on the machine.
> But don't forget that what the kernel people call 'local' access
> really means any bug in any network application that lets you execute
> an arbitrary command even if it is non-root - and those have
> historically been pretty common.

Sure .. if you can execute code as a user when you are not supposed to
have any access ... then you can elevate privileges by stringing things
together after you get the unauthorized access.

However, what people are seeing ... in practice today ... is that
machines where there are multiple users and which are running control
panel software SEEM to be most affected.

Does that mean that a single user machine will never be compromised ...
of course not.

Obviously everyone who has any machines that in any way touch the
Internet should be scanning/monitoring their machines for compromise on
a routine basis.  In my last post, I explained how to find out if you
have this kit installed (look at the webhosttalk link from that post).

Remember that the library files that are being put on the machines are
not installed via an RPM but copied on as files ... and that only kernel
branches > 3.4.32 (in the LTS branch), > 3.7.7 and > 3.8rc6 have had the
patches applied.  That means IF (and that is a big if) this is the input
vector, then all Linux machines (not just CentOS or RHEL) with kernels
older than those are susceptible to this issue.
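An added example, not from this thread or from the CentOS project: a shell check built on the point above that the planted library is copied onto the box as a plain file rather than installed through RPM. It assumes the standard CentOS library directories and the `rpm` tool.

```shell
#!/bin/sh
# Added example, not from the thread: report libkeyutils shared objects that
# the RPM database does not account for. A libkeyutils*.so that no package
# owns, or that fails package verification, is worth investigating.

# Library directories to scan (assumed standard paths; override as needed).
LIBDIRS="${LIBDIRS:-/lib /lib64 /usr/lib /usr/lib64}"

# Prints "<file> <reason>" for each suspicious file. Returns 1 if any found.
check_libkeyutils() {
    found=0
    for d in $LIBDIRS; do
        for f in "$d"/libkeyutils*.so*; do
            [ -e "$f" ] || continue
            # rpm -qf exits non-zero when no package owns the file.
            if ! owner=$(rpm -qf "$f" 2>/dev/null); then
                echo "$f not-owned-by-any-package"
                found=1
                continue
            fi
            # rpm -V lists files whose size/digest/mtime differ from the package.
            if rpm -V "$owner" 2>/dev/null | grep -q -- " $f\$"; then
                echo "$f differs-from-package($owner)"
                found=1
            fi
        done
    done
    return $found
}

# Stand-alone run; skipped where rpm is not available.
if command -v rpm >/dev/null 2>&1; then
    check_libkeyutils && echo "no unaccounted libkeyutils files found"
fi
```

Any file it prints should be compared against a known-good copy of the keyutils-libs package before anything is trusted on that host.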
