On Tue, Dec 6, 2011 at 3:45 PM, Johnny Hughes <johnny at centos.org> wrote:
>
>>>> Any luck on the specific attack path yet? The linked article
>>>> suggests CentOS up to 5.5 was vulnerable.
>>>
>>> We don't have access to the actual machines that were broken into - so
>>> pretty much everything is second hand info.
>>>
>>> But based on what we know and what we have been told and what we have
>>> worked out ourselves as well, it's almost certainly bruteforced ssh
>>> passwords.
>>
>> So, coincidence that they were CentOS, and pre-5.6? Did they have
>> admins in common?
>>
>
> Kaspersky has access to the images ... but they were mostly
> cleaned/erased and only what they can recover from erased ext3 files are
> there to see.
>
> The attackers used something to 00000 out the files that they wanted to
> wipe directly ... so only things like old logs (that were deleted by
> logrotate and not wiped by the attackers) are on there.
>
> There is one major possibility for something that could be an entry
> point besides brute force, and that is exim:
>
> http://rhn.redhat.com/errata/RHSA-2010-0970.html
>
> However, they do not know yet if exim was in use on those machines.
>
> Note: CentOS released our update within 24 hours of that update from
> upstream ... but people who have < 5.5 and exim are vulnerable to that.
>

Does this circle get any wider if you assume that some 3rd party library
(like the old struts exploit I mentioned) in a web app allows some
arbitrary command execution and the OS weakness is rated as a local-only
root exploit? The one I saw looked like the first step was a wide scan for
the ability to run a command, and the initial use was to send back the
vulnerable URL to a site which later used the glibc issue to escalate to
root.

--
Les Mikesell
lesmikesell at gmail.com
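The thread's leading theory is brute-forced ssh passwords, and the only evidence that survived on the images was old logs left behind by logrotate. The script below is an added example, not code from the CentOS project or from anyone in this thread: it runs over the kind of sshd syslog lines such a box would have kept and flags the two things an investigator looks for first, a burst of "Failed password" attempts from one source address, and an "Accepted password" from that same address after the burst (the signature of a guessed password). The log lines, host name, addresses, the assumed year (syslog lines carry none), and the threshold/window defaults are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog timestamps have no year; the constructed sample is assumed to be from 2011.
ASSUMED_YEAR = 2011

# Matches the password-auth lines sshd writes to /var/log/secure (CentOS) or auth.log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one address hammers root and made-up users, then gets in;
# one legitimate user fat-fingers a password once; one key-based login is ignored.
SAMPLE_LOG = """\
Dec  6 03:12:01 web1 sshd[4021]: Failed password for root from 203.0.113.5 port 4412 ssh2
Dec  6 03:12:04 web1 sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 4413 ssh2
Dec  6 03:12:07 web1 sshd[4025]: Failed password for root from 203.0.113.5 port 4414 ssh2
Dec  6 03:12:10 web1 sshd[4027]: Failed password for invalid user oracle from 203.0.113.5 port 4415 ssh2
Dec  6 03:12:13 web1 sshd[4029]: Failed password for root from 203.0.113.5 port 4416 ssh2
Dec  6 03:12:16 web1 sshd[4031]: Failed password for root from 203.0.113.5 port 4417 ssh2
Dec  6 03:12:19 web1 sshd[4033]: Accepted password for root from 203.0.113.5 port 4418 ssh2
Dec  6 03:15:40 web1 sshd[4101]: Failed password for les from 198.51.100.7 port 51022 ssh2
Dec  6 03:15:46 web1 sshd[4103]: Accepted password for les from 198.51.100.7 port 51022 ssh2
Dec  6 03:20:00 web1 sshd[4150]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
"""


def parse_line(line):
    """Return (timestamp, result, user, ip) for a password-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """
    Flag source IPs with at least `threshold` failed passwords inside any
    `window_seconds` span, and report successful password logins from such
    an IP that follow its failures.  Returns
    {"bursts": {ip: failures_in_worst_window},
     "successes_after_burst": [(ip, user, timestamp), ...]}.
    """
    failures = defaultdict(list)
    successes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            failures[ip].append(ts)
        else:
            successes.append((ip, user, ts))

    # Sliding window over each IP's sorted failure times (two-pointer scan).
    bursts = {}
    for ip, stamps in failures.items():
        stamps.sort()
        worst, lo = 0, 0
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            worst = max(worst, hi - lo + 1)
        if worst >= threshold:
            bursts[ip] = worst

    # A success from a bursting IP, after at least one of its failures, is the
    # line that turns "someone was guessing" into "someone got in".
    after = [(ip, user, ts) for ip, user, ts in successes
             if ip in bursts and any(f <= ts for f in failures[ip])]
    return {"bursts": bursts, "successes_after_burst": after}


if __name__ == "__main__":
    report = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip, n in report["bursts"].items():
        print(f"brute-force burst: {ip} ({n} failures in window)")
    for ip, user, ts in report["successes_after_burst"]:
        print(f"SUCCESS AFTER BURST: {user}@{ip} at {ts:%Y-%m-%d %H:%M:%S}")
```

Run against real files with `detect_bruteforce(open("/var/log/secure").read().splitlines())`; the single failure from 198.51.100.7 stays below the threshold, so only 203.0.113.5 is reported, together with the root login that followed its burst. Recovered, rotated copies of the same log (the `secure-YYYYMMDD` files logrotate leaves behind) can be fed in the same way, which is exactly the residue the thread says was left on the wiped images.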