On Tue, 06 Dec 2011 15:45:04 -0600 Johnny Hughes johnny@centos.org wrote:
On 12/06/2011 02:36 PM, Les Mikesell wrote:
On Tue, Dec 6, 2011 at 2:18 PM, Karanbir Singh mail-lists@karan.org wrote:
On 12/06/2011 08:09 PM, Les Mikesell wrote:
Any luck on the specific attack path yet? The linked article suggests CentOS up to 5.5 was vulnerable.
We don't have access to the actual machines that were broken into
- so pretty much everything is second hand info.
But based on what we know and what we have been told and what we have worked out ourselves as well, it's almost certainly brute-forced ssh passwords.
So, coincidence that they were CentOS, and pre-5.6? Did they have admins in common?
Kaspersky has access to the images ... but they were mostly cleaned/erased and only what they can recover from erased ext3 files are there to see.
The attackers used something to 00000 out the files that they wanted to wipe directly ... so only things like old logs (that were deleted by logrotate and not wiped by the attackers) are on there.
There is one major possibility for something that could be an entry point besides brute force, and that is exim:
http://rhn.redhat.com/errata/RHSA-2010-0970.html
However, they do not know yet if exim was in use on those machines.
Note: CentOS released our update within 24 hours of that update from upstream ... but people who have < 5.5 and exim are vulnerable to that.
If I had to guess, I would say that the attackers probably developed their code on CentOS, so they were looking for a CentOS machine to deploy their code on in the wild. That would be why I would say CentOS was the OS used.
The fact that the first thing they did was to upgrade OpenSSH does suggest that there is a Zero Day bug around.
If you capture a machine to be your C&C of a botnet, you certainly don't want the same bug around so others can take your 0wned machine...
Rui