[CentOS] duqu

Wed Dec 7 17:30:27 UTC 2011
Rui Miguel Silva Seabra <rms at 1407.org>

On Tue, 06 Dec 2011 15:45:04 -0600
Johnny Hughes <johnny at centos.org> wrote:

> On 12/06/2011 02:36 PM, Les Mikesell wrote:
> > On Tue, Dec 6, 2011 at 2:18 PM, Karanbir Singh
> > <mail-lists at karan.org> wrote:
> >> On 12/06/2011 08:09 PM, Les Mikesell wrote:
> >>> Any luck on the specific attack path yet?  The linked article
> >>> suggests CentOS up to 5.5 was vulnerable.
> >>
> >> We don't have access to the actual machines that were broken into
> >> - so pretty much everything is second hand info.
> >>
> >> But based on what we know and what we have been told and what we
> >> have worked out ourselves as well, it's almost certainly
> >> brute-forced ssh passwords.
> > 
> > So, coincidence that they were CentOS, and pre-5.6?  Did they have
> > admins in common?
> > 
> 
> Kaspersky has access to the images ... but they were mostly
> cleaned/erased and only what they can recover from erased ext3 files
> are there to see.
> 
> The attackers used something to 00000 out the files that they wanted
> to wipe directly ... so only things like old logs (that were deleted
> by logrotate and not wiped by the attackers) are on there.
> 
> There is one major possibility for something that could be an entry
> point besides brute force, and that is exim:
> 
> http://rhn.redhat.com/errata/RHSA-2010-0970.html
> 
> However, they do not know yet if exim was in use on those machines.
> 
> Note: CentOS released our update within 24 hours of that update from
> upstream ... but people who have < 5.5 and exim are vulnerable to
> that.
> 
> If I had to guess, I would say that the attackers probably developed
> their code on CentOS, so they were looking for a CentOS machine to
> deploy their code on in the wild.  That would be why I would say
> CentOS was the OS used.

The fact that what they immediately (first thing, actually) did was to
upgrade OpenSSH does suggest that there is a zero-day bug around.

If you capture a machine to be your C&C of a botnet, you certainly
don't want the same bug around so others can take your 0wned machine...

Rui