On 12/06/2011 02:36 PM, Les Mikesell wrote:
> On Tue, Dec 6, 2011 at 2:18 PM, Karanbir Singh <mail-lists at karan.org> wrote:
>> On 12/06/2011 08:09 PM, Les Mikesell wrote:
>>> Any luck on the specific attack path yet? The linked article
>>> suggests CentOS up to 5.5 was vulnerable.
>>
>> We don't have access to the actual machines that were broken into, so
>> pretty much everything is second-hand info.
>>
>> But based on what we know and what we have been told and what we have
>> worked out ourselves as well, it's almost certainly brute-forced SSH
>> passwords.
>
> So, coincidence that they were CentOS, and pre-5.6? Did they have
> admins in common?
>

Kaspersky has access to the images ... but they were mostly cleaned/erased, and only what they can recover from erased ext3 files is there to see. The attackers used something to zero out the files that they wanted to wipe directly ... so only things like old logs (that were deleted by logrotate and not wiped by the attackers) are on there.

There is one major possibility for something that could be an entry point besides brute force, and that is exim:

http://rhn.redhat.com/errata/RHSA-2010-0970.html

However, they do not know yet if exim was in use on those machines.

Note: CentOS released our update within 24 hours of that update from upstream ... but people who have < 5.5 and exim are vulnerable to that.

If I had to guess, I would say that the attackers probably developed their code on CentOS, so they were looking for a CentOS machine to deploy their code on in the wild. That would be why I would say CentOS was the OS used.
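The thread's working theory is brute-forced SSH passwords, and the only evidence left behind was old rotated logs. The following is an added example, not code from the list post or from the CentOS project, showing the kind of check a defender would run over sshd entries from /var/log/secure (RHEL/CentOS syslog format) to surface a successful password login preceded by a burst of failures from the same source. The log lines, the hostname `cc1`, and the IP addresses (documentation ranges) are all constructed for the example; the threshold and time window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in /var/log/secure syslog format (not real data).
# The first block mimics a password-guessing run that ends in a successful login.
SAMPLE_SECURE_LOG = """\
Dec  6 02:10:01 cc1 sshd[2113]: Failed password for root from 198.51.100.7 port 40211 ssh2
Dec  6 02:10:03 cc1 sshd[2115]: Failed password for root from 198.51.100.7 port 40214 ssh2
Dec  6 02:10:05 cc1 sshd[2117]: Failed password for invalid user admin from 198.51.100.7 port 40219 ssh2
Dec  6 02:10:07 cc1 sshd[2119]: Failed password for root from 198.51.100.7 port 40223 ssh2
Dec  6 02:10:09 cc1 sshd[2121]: Failed password for root from 198.51.100.7 port 40230 ssh2
Dec  6 02:10:12 cc1 sshd[2123]: Accepted password for root from 198.51.100.7 port 40235 ssh2
Dec  6 03:15:44 cc1 sshd[2301]: Accepted publickey for jdoe from 192.0.2.10 port 51022 ssh2
Dec  6 03:16:02 cc1 sshd[2305]: Failed password for jdoe from 192.0.2.10 port 51030 ssh2
Dec  6 03:16:10 cc1 sshd[2307]: Accepted password for jdoe from 192.0.2.10 port 51031 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as "Accepted ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_sshd_line(line, year=2011):
    """Parse one sshd auth line into a dict, or return None for lines we don't care about.

    Syslog timestamps carry no year, so the caller supplies it (assumed 2011 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def find_bruteforce_logins(log_text, threshold=5, window_seconds=600):
    """Flag accepted *password* logins preceded by >= threshold failures from the
    same source IP inside the window. Key-based logins are ignored: a guessed
    password is the concern here, not a key the attacker already held.
    Returns a list of dicts: ip, user, failures, ts.
    """
    failures = defaultdict(list)   # ip -> timestamps of failed attempts
    hits = []
    for raw in log_text.splitlines():
        ev = parse_sshd_line(raw)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        if ev["method"] != "password":
            continue
        recent = [t for t in failures[ev["ip"]]
                  if 0 <= (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            hits.append({"ip": ev["ip"], "user": ev["user"],
                         "failures": len(recent), "ts": ev["ts"]})
    return hits


if __name__ == "__main__":
    for hit in find_bruteforce_logins(SAMPLE_SECURE_LOG):
        print(f"{hit['ts']}: {hit['user']}@{hit['ip']} accepted after "
              f"{hit['failures']} failed attempts")
```

On a real host you would feed it the rotated files too (`/var/log/secure.1`, `secure-YYYYMMDD`), since, as the post notes, rotated copies are exactly what survived here; a pre-5.6 system that still permits root password logins is also the configuration this check exists to catch.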