On Mon, 2008-01-28 at 19:55 -0600, Johnny Hughes wrote:
> Johnny Hughes wrote:
> > Here is the applicable article:
> >
> > http://www.linux.com/feature/125548
> >
> > There are links in the above article that explain tests for the system
> > and what is currently known about the rootkit.
> >
> > Apparently initial access is NOT via any vulnerability but just guessed
> > root passwords.
> >
> > There are currently 2 methods to see if you are infected:
> >
> > 1. In some cases, the root kit causes you to not be able to create
> > directories starting with a number ... so as root do:
> >
> > mkdir 1
> >
> > If it gives you an error similar to this, you are probably infected:
> >
> > mkdir: cannot create directory `1': No such file or directory
> >
> > 2. Run this command for several minutes while you have windows users
> > connecting to your web server:
> >
> > tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
> >
> > If you get output from this script, you may be infected.
> >
> > ========================================================
> > More info:
> >
> > http://blog.cpanel.net/?p=31
> >
> > http://www.cpanel.net/security/notes/random_js_toolkit.html
> >
> > http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
> >
> > http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html
> >
> > http://www.webhostingtalk.com/showthread.php?t=651748
> >
> > ==========================================================
> >
> > This does not seem to be caused by a specific vulnerability that CentOS
> > or RHEL or cPanel has, but rather it seems to be caused by compromised
> > root passwords.
> >
> > There are several recommendations in the above links to prevent becoming
> > infected as well as what to do if you are infected.
> >
> > While there does not seem to be anything that the CentOS Development
> > Team can "FIX" in relation to this issue ... I thought I would put the
> > information out so that people can test their machines and take action
> > as necessary.
>
> As a secondary note, the CentOS Security Team (and also the upstream
> security team) would like to have access to an infected machine for
> analysis, if anyone is infected and if they can spare the machine for
> several days for us to analyze (you should change your root passwd and
> take apache off line ... meaning you would need to stand up another web
> server to replace this one).
>
> So, if you have a machine for the cause that was infected in the wild
> that you can spare, you can contact the CentOS Security team at:
>
> security_AT_centos.org
>
> We will work also with the Red Hat Security team and see if we can
> isolate any issues that might be FIXABLE.

----

Doesn't this almost beg for upstream to make denyhosts a base install and
automatically on, just as sshd is automatically on?

Craig
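The two checks quoted above, wrapped into shell functions as an added example (not code from the thread). The mkdir check runs `mkdir 1` exactly as described but inside a throwaway directory; the grep check reuses the thread's pattern so it can be run over a saved capture, and the constructed sample shows that a legitimate five-or-more-letter name such as `jquery.js` inside single quotes also matches, so hits need manual inspection.

```sh
#!/bin/sh
# Check 1 from the thread: a clean box can create a directory named "1".
# Returns 0 when mkdir succeeds, 1 when it fails the way the post describes,
# 2 when the temporary directory could not be created at all.
check_numeric_mkdir() {
    scratch=$(mktemp -d) || return 2
    if ( cd "$scratch" && mkdir 1 ) 2>/dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# Check 2 from the thread: the same grep pattern, reading HTTP response text
# on stdin and printing how many lines match. Live use, as in the post:
#   tcpdump -nAs 2048 src port 80 | count_random_js_hits
count_random_js_hits() {
    grep -c "[a-zA-Z]\{5\}\.js'" || true
}

# Constructed sample response (not a real capture). Note that both the
# odd-looking name and the ordinary jquery.js reference match the pattern,
# because it only requires five letters before .js' and no particular name.
sample_response() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html

<html><head>
<script src="/static/app.js"></script>
<script src='/qwzrt.js'></script>
<script src='/js/jquery.js'></script>
</head></html>
EOF
}

if check_numeric_mkdir; then
    echo "mkdir check: ok (directory '1' can be created)"
else
    echo "mkdir check: FAILED, investigate further"
fi
echo "js pattern hits in sample: $(sample_response | count_random_js_hits)"
```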