On Wed, Nov 30, 2011 at 12:40 PM, Johnny Hughes <johnny at centos.org> wrote:
> On 11/30/2011 12:05 PM, m.roth at 5-cent.us wrote:
>> There's an article on slashdot about the Duqu team wiping all their
>> intermediary c&c servers on 20 Oct. Interestingly, the report says that
>> they were all (?) not only linux, but CentOS. There's a suggestion of a
>> zero-day exploit in openssh-4.3, but both the original article, and
>> Kaspersky labs (who have a *very* interesting post of the story) consider
>> that highly unlikely, and the evidence points to brute-force attacks
>> against the root password. Then they update openssh and openssh-server.
>> And then, at some point, they apparently take an ubuntu/debian openssh
>> 5.9p1 (then p2) source package, and install *that*
>>
>> My manager suggests updating openssh to block other attackers (who actually
>> might screw their attack). It still seems odd to me to yum update, then
>> build the software from source.
>>
>> Are your root passwords strong?
>>
>> mark
>>
>> PS: Oh, yes:
>> <http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers>
>
> The problem with that theory is that Red Hat has backported patches for
> all known exploits.
>
> I am going to specifically research which exploit they think is being
> used ...
>
> Now, note that people were running 5.2 or 5.3, etc. and not 5.7 like they
> should have been, so there might well have been an openssh exploit
> available ... just not a zero-day one from 4.3.
>
> I am very interested and will be researching this thoroughly.
>
> My initial gut reaction is that they got in via a password though.

Any luck on the specific attack path yet? The linked article suggests
CentOS up to 5.5 was vulnerable.

-- 
Les Mikesell
lesmikesell at gmail.com
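The thread's working theory is a brute-force of the root password over SSH followed by a successful password login. The following is an added detection example, not code from the thread or from the CentOS project: it parses sshd lines in the syslog format CentOS 5 writes to /var/log/secure, counts failed password attempts per (source IP, user) in a sliding time window, and flags a pair whose burst of failures is followed by an accepted password login as a likely compromise. The log lines, hostname, PIDs and addresses are constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd entries (not real log data). The burst from
# 203.0.113.5 against root mirrors the pattern the thread describes:
# repeated password failures, then an accepted password login.
SAMPLE_LOG = """\
Nov 30 12:05:01 c2 sshd[2201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Nov 30 12:05:02 c2 sshd[2203]: Failed password for root from 203.0.113.5 port 40113 ssh2
Nov 30 12:05:02 c2 sshd[2205]: Failed password for root from 203.0.113.5 port 40114 ssh2
Nov 30 12:05:03 c2 sshd[2207]: Failed password for invalid user admin from 198.51.100.9 port 50001 ssh2
Nov 30 12:05:03 c2 sshd[2209]: Failed password for root from 203.0.113.5 port 40115 ssh2
Nov 30 12:05:04 c2 sshd[2211]: Failed password for root from 203.0.113.5 port 40116 ssh2
Nov 30 12:05:05 c2 sshd[2213]: Accepted password for root from 203.0.113.5 port 40117 ssh2
Nov 30 12:40:00 c2 sshd[2300]: Accepted publickey for les from 198.51.100.20 port 51000 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>"
# lines sshd emits for password and publickey authentication.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

YEAR = 2011  # assumed: syslog timestamps carry no year


def parse_line(line):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert on each (ip, user) pair with >= threshold failed password logins
    inside any window of window_seconds. If the same pair later has an
    accepted password login, mark the alert as a likely compromise."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "password":
            continue  # skip non-auth lines and key-based logins
        key = (ev["ip"], ev["user"])
        (failures if ev["result"] == "Failed" else successes)[key].append(ev["ts"])

    alerts = []
    for key, times in failures.items():
        times.sort()
        start = 0
        burst_end = None
        for end in range(len(times)):
            # slide the window start forward until it fits in window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]  # moment the threshold was first reached
                break
        if burst_end is None:
            continue
        compromised = any(t >= burst_end for t in successes.get(key, []))
        alerts.append({"ip": key[0], "user": key[1],
                       "failures": len(times), "compromised": compromised})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        status = "LIKELY COMPROMISE" if a["compromised"] else "brute-force attempt"
        print(f"{status}: {a['failures']} failed password logins for "
              f"{a['user']} from {a['ip']}")
```

Run against a real /var/log/secure the threshold and window should be tuned to the host's normal traffic; the point of the "compromised" flag is that a successful password login right after a burst of failures for the same account is the signature of a guessed password, which is exactly the case where PermitRootLogin no and key-only authentication would have stopped the attack.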