On Tue, Dec 6, 2011 at 3:45 PM, Johnny Hughes johnny@centos.org wrote:
Any luck on the specific attack path yet? The linked article suggests Centos up to 5.5 was vulnerable.
We don't have access to the actual machines that were broken into, so pretty much everything is second-hand info.
But based on what we know and what we have been told and what we have worked out ourselves as well, it's almost certainly brute-forced SSH passwords.
So, coincidence that they were CentOS, and pre-5.6? Did they have admins in common?
Kaspersky has access to the images ... but they were mostly cleaned/erased and only what they can recover from erased ext3 files are there to see.
The attackers used something to 00000 out the files that they wanted to wipe directly ... so only things like old logs (that were deleted by logrotate and not wiped by the attackers) are on there.
There is one major possibility for something that could be an entry point besides brute force, and that is exim:
http://rhn.redhat.com/errata/RHSA-2010-0970.html
However, they do not know yet if exim was in use on those machines.
Note: CentOS released our update within 24 hours of that update from upstream ... but people who have < 5.5 and exim are vulnerable to that.
Does this circle get any wider if you assume that some 3rd party library (like the old struts exploit I mentioned) in a web app allows some arbitrary command execution and the OS weakness is rated as a local-only root exploit? The one I saw looked like the first step was a wide scan for the ability to run a command, and the initial use was to send back the vulnerable URL to a site which later used the glibc issue to escalate to root.
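Since the thread's working theory is brute-forced SSH passwords and the only evidence left on the images is old, logrotated logs, the check a responder would actually run is to pull the rotated /var/log/secure files and look for a burst of "Failed password" lines from one source followed by an "Accepted" login from that same source. The script below is an added example for this thread, not anything the CentOS team or Kaspersky posted; the log lines in it are constructed in the RHEL/CentOS 5 sshd syslog format, the threshold and window are assumptions, and syslog timestamps carry no year so the year is supplied by the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in CentOS 5 /var/log/secure format (not real logs).
# 203.0.113.45 hammers root/guessed users and then gets in with a password;
# 198.51.100.7 is an admin who mistyped once and then used a key.
SAMPLE_LOG = """\
Dec  5 02:11:03 web1 sshd[4412]: Failed password for root from 203.0.113.45 port 51012 ssh2
Dec  5 02:11:05 web1 sshd[4414]: Failed password for invalid user oracle from 203.0.113.45 port 51020 ssh2
Dec  5 02:11:06 web1 sshd[4416]: Failed password for invalid user test from 203.0.113.45 port 51031 ssh2
Dec  5 02:11:08 web1 sshd[4418]: Failed password for root from 203.0.113.45 port 51044 ssh2
Dec  5 02:11:09 web1 sshd[4420]: Failed password for root from 203.0.113.45 port 51058 ssh2
Dec  5 02:11:11 web1 sshd[4422]: Failed password for root from 203.0.113.45 port 51070 ssh2
Dec  5 02:14:40 web1 sshd[4501]: Accepted password for root from 203.0.113.45 port 51890 ssh2
Dec  5 08:02:17 web1 sshd[4880]: Failed password for admin from 198.51.100.7 port 40011 ssh2
Dec  5 08:02:25 web1 sshd[4882]: Accepted publickey for admin from 198.51.100.7 port 40022 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted publickey for X from IP" variants emitted by OpenSSH sshd.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year):
    # syslog timestamps have no year; the caller supplies it (an assumption,
    # normally taken from the file's mtime or the incident timeline).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(log_text, threshold=5, window=600, year=2011):
    """Return (brute_force_sources, suspicious_logins).

    brute_force_sources: {ip: total failed attempts} for every source that
        reached `threshold` failures inside any `window`-second span.
    suspicious_logins: [(timestamp, user, method, ip)] for each successful
        login from a source that had already been flagged as brute-forcing.
    """
    recent = defaultdict(deque)     # sliding window of failure times per ip
    failures = defaultdict(int)     # lifetime failure count per ip
    flagged = set()
    suspicious = []

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # other sshd/pam noise, ignore
        ts = parse_ts(m["ts"], year)
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            q = recent[ip]
            q.append(ts)
            # drop failures older than the window, then check the burst size
            while q and (ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold:
                flagged.add(ip)
        elif ip in flagged:
            # success after a burst of failures is the brute-force signature
            suspicious.append((m["ts"], m["user"], m["method"], ip))

    return {ip: failures[ip] for ip in flagged}, suspicious


if __name__ == "__main__":
    sources, logins = analyze(SAMPLE_LOG)
    for ip, n in sources.items():
        print(f"brute-force source {ip}: {n} failed attempts")
    for ts, user, method, ip in logins:
        print(f"SUSPICIOUS {ts}: {user} logged in via {method} from {ip}")
```

On a recovered image the input would be the concatenation of whatever rotated copies survive (`zcat secure.*.gz; cat secure.1`), fed through `analyze()` in chronological order; a source that shows up in `brute_force_sources` but never in `suspicious_logins` is just background scanning, while an entry in `suspicious_logins` is the line to pivot from for the rest of the timeline.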