[CentOS] duqu

Tue Dec 6 21:45:04 UTC 2011
Johnny Hughes <johnny at centos.org>

On 12/06/2011 02:36 PM, Les Mikesell wrote:
> On Tue, Dec 6, 2011 at 2:18 PM, Karanbir Singh <mail-lists at karan.org> wrote:
>> On 12/06/2011 08:09 PM, Les Mikesell wrote:
>>> Any luck on the specific attack path yet?  The linked article
>>> suggests CentOS up to 5.5 was vulnerable.
>>
>> We don't have access to the actual machines that were broken into - so
>> pretty much everything is second hand info.
>>
>> But based on what we know and what we have been told and what we have
>> worked out ourselves as well, it's almost certainly bruteforced ssh
>> passwords.
> 
> So, coincidence that they were CentOS, and pre-5.6?  Did they have
> admins in common?
> 

Kaspersky has access to the images ... but they were mostly
cleaned/erased and only what they can recover from erased ext3 files are
there to see.

The attackers used something to 00000 out the files that they wanted to
wipe directly ... so only things like old logs (that were deleted by
logrotate and not wiped by the attackers) are on there.

There is one major possibility for something that could be an entry
point besides brute force, and that is exim:

http://rhn.redhat.com/errata/RHSA-2010-0970.html

However, they do not know yet if exim was in use on those machines.

Note: CentOS released our update within 24 hours of that update from
upstream ... but people who have < 5.5 and exim are vulnerable to that.

If I had to guess, I would say that the attackers probably developed
their code on CentOS, so they were looking for a CentOS machine to
deploy their code on in the wild.  That would be why I would say CentOS
was the OS used.


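The message above says the only evidence left on the wiped hosts is old rotated logs, and that the likely entry point was brute-forced ssh passwords. The script below is an added example of the check a responder would run over a recovered /var/log/secure: it counts "Failed password" attempts per source address and flags any source whose password login was accepted after a run of failures. It is not code from the CentOS project or from anyone in this thread; the log lines are constructed in the CentOS 5 sshd syslog format, and the threshold of five failures is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines (not taken from any real machine).
SAMPLE_SECURE_LOG = """\
Dec  1 03:14:01 web1 sshd[2345]: Failed password for root from 198.51.100.7 port 40122 ssh2
Dec  1 03:14:03 web1 sshd[2347]: Failed password for root from 198.51.100.7 port 40125 ssh2
Dec  1 03:14:06 web1 sshd[2350]: Failed password for invalid user admin from 198.51.100.7 port 40131 ssh2
Dec  1 03:14:09 web1 sshd[2352]: Failed password for root from 198.51.100.7 port 40140 ssh2
Dec  1 03:14:12 web1 sshd[2355]: Failed password for root from 198.51.100.7 port 40147 ssh2
Dec  1 03:14:15 web1 sshd[2358]: Failed password for root from 198.51.100.7 port 40152 ssh2
Dec  1 03:14:45 web1 sshd[2399]: Accepted password for root from 198.51.100.7 port 40190 ssh2
Dec  1 08:30:02 web1 sshd[2900]: Failed password for bob from 203.0.113.5 port 50001 ssh2
Dec  1 08:30:20 web1 sshd[2902]: Accepted password for bob from 203.0.113.5 port 50004 ssh2
Dec  1 09:02:10 web1 sshd[3001]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

# sshd logs "Failed password for <user>" or "Failed password for invalid user <user>".
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
# Only password-based acceptances matter here; a publickey login cannot be brute-forced this way.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")


def top_failure_sources(log_text):
    """Return [(ip, failed_attempts), ...] sorted by attempt count, highest first."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
    return sorted(failures.items(), key=lambda kv: (-kv[1], kv[0]))


def find_bruteforce_logins(log_text, threshold=5):
    """Return [(ip, user, failures_before_success), ...] for every source address
    whose password login was accepted after at least `threshold` earlier failures.
    `threshold` is an assumed cut-off, not a value from the thread."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip] >= threshold:
                hits.append((ip, user, failures[ip]))
    return hits


if __name__ == "__main__":
    for ip, count in top_failure_sources(SAMPLE_SECURE_LOG):
        print("%-16s %d failed password attempts" % (ip, count))
    for ip, user, n in find_bruteforce_logins(SAMPLE_SECURE_LOG):
        print("likely brute-forced login: %s as %s after %d failures" % (ip, user, n))
```

On a real image, run it over every recovered copy of secure and secure.N (including the logrotate leftovers the message mentions), since the attackers' own zeroing is reported to have hit only the files they chose, not the rotated ones. For the exim possibility raised in the message, the complementary check is simply `rpm -q exim` on the image's RPM database, compared against the package versions listed in the RHSA linked above.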