On Tue, 06 Dec 2011 15:45:04 -0600 Johnny Hughes <johnny at centos.org> wrote:
> On 12/06/2011 02:36 PM, Les Mikesell wrote:
> > On Tue, Dec 6, 2011 at 2:18 PM, Karanbir Singh
> > <mail-lists at karan.org> wrote:
> >> On 12/06/2011 08:09 PM, Les Mikesell wrote:
> >>> Any luck on the specific attack path yet? The linked article
> >>> suggests Centos up to 5.5 was vulnerable.
> >>
> >> We don't have access to the actual machines that were broken into
> >> - so pretty much everything is second-hand info.
> >>
> >> But based on what we know and what we have been told and what we
> >> have worked out ourselves as well, it's almost certainly
> >> bruteforced ssh passwords.
> >
> > So, coincidence that they were CentOS, and pre-5.6? Did they have
> > admins in common?
> >
>
> Kaspersky has access to the images ... but they were mostly
> cleaned/erased and only what they can recover from erased ext3 files
> are there to see.
>
> The attackers used something to 00000 out the files that they wanted
> to wipe directly ... so only things like old logs (that were deleted
> by logrotate and not wiped by the attackers) are on there.
>
> There is one major possibility for something that could be an entry
> point besides brute force, and that is exim:
>
> http://rhn.redhat.com/errata/RHSA-2010-0970.html
>
> However, they do not know yet if exim was in use on those machines.
>
> Note: CentOS released our update within 24 hours of that update from
> upstream ... but people who have < 5.5 and exim are vulnerable to
> that.
>
> If I had to guess, I would say that the attackers probably developed
> their code on CentOS, so they were looking for a CentOS machine to
> deploy their code on in the wild. That would be why I would say
> CentOS was the OS used.

The fact that the first thing they did (immediately, actually) was to upgrade OpenSSH does suggest that there is a zero-day bug around.
If you capture a machine to be your C&C of a botnet, you certainly don't want the same bug around so others can take your 0wned machine...

Rui
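Added example (editor's note, not part of the thread and not code from the CentOS project or Kaspersky): the thread's working theory is brute-forced ssh passwords, and the only evidence left on the disks is old logs that logrotate had already unlinked. The script below is the check an analyst would run over such recovered sshd log fragments: it counts "Failed password" lines per source address and flags any "Accepted password" from an address that had already racked up a threshold of failures, which is the signature of a successful guess. Hostnames, addresses and log lines are constructed for the example (the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 ranges are documentation addresses); the threshold of 3 is an assumed tuning value. A key-based login after a few failures is deliberately not flagged, since the point is password guessing.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (syslog format), NOT from the machines in the thread.
SAMPLE_AUTH_LOG = """\
Dec  1 03:14:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec  1 03:14:03 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 40118 ssh2
Dec  1 03:14:05 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Dec  1 03:14:07 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 40125 ssh2
Dec  1 03:14:09 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 40131 ssh2
Dec  1 03:14:12 web1 sshd[2221]: Accepted password for root from 203.0.113.7 port 40140 ssh2
Dec  1 08:02:44 web1 sshd[3001]: Failed password for les from 198.51.100.4 port 51000 ssh2
Dec  1 08:02:50 web1 sshd[3003]: Accepted publickey for les from 198.51.100.4 port 51002 ssh2
Dec  1 09:30:00 web1 sshd[3100]: Accepted password for rui from 192.0.2.9 port 60000 ssh2
"""

# "Failed password for [invalid user ]<user> from <ip> port ..."
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
# "Accepted <password|publickey> for <user> from <ip> port ..."
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (password|publickey) for (\S+) from (\S+) port")


def failed_attempts_by_ip(log_text):
    """Count 'Failed password' lines per source address over the whole log."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def find_bruteforce_logins(log_text, threshold=3):
    """Return [(ip, user, failures_before_success), ...] for every password
    login that was preceded by at least `threshold` failed password attempts
    from the same address. `threshold` is an assumed tuning value."""
    pending = defaultdict(int)   # ip -> failures seen since that ip's last success
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pending[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            # Only a *password* success after many failures looks like a guess;
            # a publickey success after failures is an ordinary mis-typed passphrase.
            if method == "password" and pending[ip] >= threshold:
                hits.append((ip, user, pending[ip]))
            pending[ip] = 0       # judge each success on the failures before it
    return hits


if __name__ == "__main__":
    for ip, user, n in find_bruteforce_logins(SAMPLE_AUTH_LOG):
        print(f"possible brute-forced login: {user} from {ip} after {n} failures")
```

Usage: feed it the contents of whatever /var/log/secure* fragments you manage to carve from the ext3 images; because the attackers zeroed the live logs, a hit will most likely show up only in a rotated copy that predates the wipe, and an empty result says nothing about a login that happened after the last rotation.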