[CentOS] Unknown rootkit causes compromised servers

Tue Jan 29 03:08:20 UTC 2008
Craig White <craigwhite at azapple.com>

On Mon, 2008-01-28 at 19:55 -0600, Johnny Hughes wrote:
> Johnny Hughes wrote:
> > Here is the applicable article:
> > 
> > http://www.linux.com/feature/125548
> > 
> > There are links in the above article that explain tests for the system 
> > and what is currently known about the rootkit.
> > 
> > Apparently initial access is NOT via any vulnerability but just guessed 
> > root passwords.
> > 
> > There are currently 2 methods to see if you are infected:
> > 
> > 1.  In some cases, the root kit causes you to not be able to create 
> > directories starting with a number ... so as root do:
> > 
> > mkdir 1
> > 
> > If it gives you an error similar to this, you are probably infected:
> > 
> > mkdir: cannot create directory `1': No such file or directory
> > 
> > 2.  Run this command for several minutes while you have windows users 
> > connecting to your web server:
> > 
> > tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
> > 
> > If you get output from this script, you may be infected.
> > 
> > ========================================================
> > More info:
> > 
> > http://blog.cpanel.net/?p=31
> > 
> > http://www.cpanel.net/security/notes/random_js_toolkit.html
> > 
> > http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
> > 
> > http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html
> > 
> > http://www.webhostingtalk.com/showthread.php?t=651748
> > 
> > ==========================================================
> > 
> > This does not seem to be caused by a specific vulnerability that CentOS 
> > or RHEL or cPanel has, but rather it seems to be caused by compromised 
> > root passwords.
> > 
> > There are several recommendations in the above links to prevent becoming 
> > infected as well as what to do if you are infected.
> > 
> > While there does not seem to be anything that the CentOS Development 
> > Team can "FIX" in relation to this issue ... I thought I would put the 
> > information out so that people can test their machines and take action 
> > as necessary.
> 
> As a secondary note, the CentOS Security Team (and also the upstream 
> security team) would like to have access to an infected machine for 
> analysis, if anyone is infected and if they can spare the machine for 
> several days for us to analyze (you should change your root passwd and 
> take apache off line ... meaning you would need to stand up another web 
> server to replace this one).
> 
> So, if you have a machine for the cause that was infected in the wild 
> that you can spare, you can contact the CentOS Security team at:
> 
> security_AT_centos.org
> 
> We will work also with the Red Hat Security team and see if we can 
> isolate any issues that might be FIXABLE.
----
doesn't this almost beg for upstream to make denyhosts a base install
and automatically on, just as sshd is automatically on?

Craig
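The two checks quoted above (the `mkdir 1` test and the tcpdump/grep pattern) wrapped into shell functions so they can be run and tested offline. This is an added example, not code from the original thread, from the linked articles, or from the CentOS project; the sample HTTP response fragments are constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: the two checks from the
# quoted post wrapped in functions so they can be run and tested offline.

# Check 1: the post says some infected hosts cannot create a directory
# whose name starts with a digit. Try it inside a scratch directory.
# Returns 0 if "mkdir 1" works (nothing unusual), 1 if it fails the way
# the post describes, 2 if no scratch directory could be created at all.
check_numeric_mkdir() {
    scratch=$(mktemp -d 2>/dev/null) || scratch="./numdir_check_$$"
    mkdir -p "$scratch" || return 2
    if mkdir "$scratch/1" 2>/dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# Check 2: the post's grep pattern (five letters, ".js", then a single
# quote) applied to text on stdin instead of a live tcpdump, so a saved
# capture can be scanned after the fact, e.g.:
#   tcpdump -nAs 2048 src port 80 > capture.txt
#   count_random_js < capture.txt
# Prints the number of matching lines (0 when nothing matches).
count_random_js() {
    grep -c "[a-zA-Z]\{5\}\.js'" || true
}

# Constructed sample HTTP response fragments (not real captures).
SAMPLE_CLEAN='<head><script src="/static/app.js"></script></head>'
SAMPLE_INJECTED="<head><script src='/qwxyz.js'></script></head>"
SAMPLE_FALSE_POSITIVE="<head><script src='/jquery.js'></script></head>"

# Run both checks when the script is executed directly.
if check_numeric_mkdir; then
    echo "mkdir check: a directory named 1 could be created, nothing unusual"
else
    echo "mkdir check: could not create a directory named 1, investigate"
fi

for s in "$SAMPLE_CLEAN" "$SAMPLE_INJECTED" "$SAMPLE_FALSE_POSITIVE"; do
    n=$(printf '%s\n' "$s" | count_random_js)
    echo "$n match(es): $s"
done
```

Note the third sample: the pattern also matches any legitimate single-quoted script reference whose filename has at least five letters before `.js` (`jquery.js` here), so a hit from this grep is a prompt to inspect the response body by hand, as the post says ("you may be infected"), not a confirmation on its own.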