Morning,
I am going to treat this as a rooted box and reinstall from scratch, but any thoughts appreciated:
This is a Trixbox server based on CentOS, running kernel 2.6.18-53.1.4.el5 SMP
The phone system stopped working but this was traced to a configuration error with a replacement switch (it did not get added to the vlan properly), which meant that Trixbox could not see any DNS servers and this b0rks TB.
Anyway, during debugging I went to reboot the server and got the following:
/dev/kmem missing
IDT table read failed
I have run rkhunter, which turns up nothing. I have forced a filesystem check: all clean. I have checked the logs and history file and cannot see anything. The server is behind a hardware firewall and the only ports open are those needed for RTP, IAX2 and SIP; there is no other public access and no user accounts. Having fixed the vlan issue, Asterisk is running fine.
I re-created /dev/kmem, but it's missing at subsequent reboots.
I have Googled many references to the IDT table problem being associated with the SuckIT rootkit, but I can find no evidence that it's installed.
OK, bearing in mind that I will go ahead and reinstall the server (no biggie as I have Trixbox config backups and installing TB is not a big task), I just wanted to check whether there were any IDT table issues that may *NOT* be rootkit related and if there are any simple fixes I can try on the box while it's isolated on the bench?
In the other direction, has anyone seen this type of behaviour with any rootkit that is not detected by rkhunter and doesn't leave any obvious footprints? Anything to look for?
Happy Monday!
Thanks
Nigel
Just found ZK root kit.
Any ideas on infection vector?
Ho hum
_____
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Nigel Kendrick
Sent: Monday, January 26, 2009 11:01 AM
To: 'CentOS mailing list'
Subject: [CentOS] I may have been rooted - but I may not!?
Nigel Kendrick wrote:
> Just found ZK root kit.
> Any ideas on infection vector?
> This is a Trixbox server based on CentOS, running kernel 2.6.18-53.1.4.el5 SMP
Not really saying anything about the vector, but that kernel has a local root exploit (google for 'vmsplice'). One of the reasons one should keep his boxes updated ...
> I have checked the logs and history file and cannot see anything. The server is behind a hardware firewall and the only ports open are those needed for RTP, IAX2 and SIP; there is no other public access and no user accounts.
Did you update asterisk as regularly as you updated the rest of the system?
http://www.derkeiler.com/Mailing-Lists/Securiteam/2008-03/msg00069.html
And there is exploit code for this vulnerability. So I get in via this and get root via vmsplice and then suddenly Bob's your uncle and the box isn't yours anymore.
SIP and IAX2 exploits are from 2007; there has been an information disclosure weakness in IAX2 too, which was announced some days ago. But that would "only" lead to knowledge about valid users on the system.
Ralph
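Ralph's point that the kernel predates the vmsplice fix is the kind of thing to check by proper version comparison rather than by eye, and a plain string comparison gets it wrong: "53.1.4" sorts after "53.1.13" as text. The following is an added example, not code from this thread or from CentOS/Trixbox. It implements RPM's own segment ordering (the rpmvercmp rules: digit runs compared numerically, alpha runs lexically, a numeric segment newer than an alpha one, '~' sorting before everything) and uses it to ask whether a running kernel release is older than the one that shipped a fix. The fixed release used, 2.6.18-53.1.13.el5, is an assumption about the CentOS/RHEL kernel update that addressed vmsplice (CVE-2008-0600) and should be confirmed against that advisory before relying on it.

```python
"""Check a kernel version-release against the release that carried a fix,
using RPM's own ordering rules rather than string comparison.

Added example for this thread; not code from the original posts or from
CentOS/Trixbox.  The patched release below is an assumption to confirm
against the vendor advisory."""

import re

# Assumption: the CentOS/RHEL kernel update that fixed the vmsplice local
# root hole (CVE-2008-0600) shipped kernel-2.6.18-53.1.13.el5.  Confirm
# against the advisory before relying on this constant.
VMSPLICE_FIXED_KERNEL = "2.6.18-53.1.13.el5"

# rpm tokenises a version into runs of digits, runs of letters, and the
# special '~' (pre-release) and '^' (post-release) markers; everything else
# is a separator and is ignored.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version string a sorts before, equal to or after b
    under RPM's rpmvercmp() rules."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        # '~' sorts before anything, including the end of the string (1.0~rc1 < 1.0)
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        # '^' sorts after the end of the string but before any other segment
        if x == "^" or y == "^":
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            continue
        # whichever string still has segments left is the newer one
        if x is None:
            return -1
        if y is None:
            return 1
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1  # a numeric segment is newer than an alpha one
        if xnum:
            x, y = x.lstrip("0"), y.lstrip("0")  # 04 == 4
            if len(x) != len(y):                 # more digits means a larger number
                return 1 if len(x) > len(y) else -1
        if x != y:                               # same length: lexical order decides
            return 1 if x > y else -1
    return 0


def split_version_release(vr: str) -> tuple:
    """Split 'version-release' (the form printed by uname -r) at the last dash."""
    version, dash, release = vr.rpartition("-")
    return (version, release) if dash else (vr, "")


def compare_version_release(a: str, b: str) -> int:
    """Compare two version-release strings the way rpm orders packages of
    equal epoch: version first, then release."""
    va, ra = split_version_release(a)
    vb, rb = split_version_release(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def kernel_is_older_than_fix(running: str, fixed: str = VMSPLICE_FIXED_KERNEL) -> bool:
    """True if the running kernel release predates the one that carried the fix."""
    return compare_version_release(running, fixed) < 0


if __name__ == "__main__":
    import platform

    thread_kernel = "2.6.18-53.1.4.el5"  # the kernel named in the thread
    print("thread kernel older than fix (rpm order):   ",
          kernel_is_older_than_fix(thread_kernel))       # True
    print("thread kernel older than fix (string order):",
          thread_kernel < VMSPLICE_FIXED_KERNEL)         # False: '4' > '1'
    running = platform.release()  # uname -r on Linux
    print("this host:", running, "older than fix:", kernel_is_older_than_fix(running))
```

Two caveats when using this on a box like the one in the thread: the comparison tells you the exposure existed, not that it was used, and on a machine already carrying a kernel rootkit nothing the running kernel reports about itself (uname included) can be trusted; run the check against the installed package list from a clean boot medium instead.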
Ralph,
Thanks for the info. I expect this is Asterisk-related.
Nigel
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Ralph Angenendt
Sent: Monday, January 26, 2009 11:25 AM
To: centos@centos.org
Subject: Re: [CentOS] I may have been rooted - but I may not!? FOLLOW UP