Nigel Kendrick wrote: > Just found ZK root kit. > > Any ideas on infection vector? > This is a Trixbox Server based on Centos, running kernel 2.6.18-53.1.4.el5 > SMP Not really saying anything about the vector, but that kernel has a local root exploit (google for 'vmsplice'). One of the reasons one should keep his boxes updated ... > I have checked the logs and history file and cannot see anything > The server is behind a hardware firewall and the only ports open are those > needed for RTP, IAX2 and SIP - there is no other public access and no user > accounts. Did you update asterisk as regularly as you updated the rest of the system? <http://www.derkeiler.com/Mailing-Lists/Securiteam/2008-03/msg00069.html> And there is exploit code for this vulnerability. So I get in via this and get root via vmsplice and then suddenly Bob's your uncle and the box isn't yours anymore. SIP and IAX2 exploits are from 2007, there has been an information disclosure weakness in IAX2 too, which has been announced some days ago. But that would "only" lead to knowledge about valid users on the system. Ralph -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <http://lists.centos.org/pipermail/centos/attachments/20090126/9a4ece11/attachment-0004.sig>