[CentOS] duqu
Les Mikesell
lesmikesell at gmail.com
Tue Dec 6 22:57:55 UTC 2011
On Tue, Dec 6, 2011 at 3:45 PM, Johnny Hughes <johnny at centos.org> wrote:
>
>>>> Any luck on the specific attack path yet? The linked article
>>>> suggests Centos up to 5.5 was vulnerable.
>>>
>>> We don't have access to the actual machines that were broken into - so
>>> pretty much everything is second hand info.
>>>
>>> But based on what we know and what we have been told and what we have
>>> worked out ourselves as well, it's almost certainly bruteforced ssh
>>> passwords.
>>
>> So, coincidence that they were CentOS, and pre-5.6? Did they have
>> admins in common?
>>
>
> Kaspersky has access to the images ... but they were mostly
> cleaned/erased and only what they can recover from erased ext3 files are
> there to see.
>
> The attackers used something to 00000 out the files that they wanted to
> wipe directly ... so only things like old logs (that were deleted by
> logrotate and not wiped by the attackers) are on there.
>
> There is one major possibility for something that could be an entry
> point besides brute force, and that is exim:
>
> http://rhn.redhat.com/errata/RHSA-2010-0970.html
>
> However, they do not know yet if exim was in use on those machines.
>
> Note: CentOS released our update within 24 hours of that update from
> upstream ... but people who have < 5.5 and exim are vulnerable to that.
>
Does this circle get any wider if you assume that some 3rd party
library (like the old struts exploit I mentioned) in a web app allows
some arbitrary command execution and the OS weakness is rated as a
local-only root exploit? The one I saw looked like the first step
was a wide scan for the ability to run a command, and the initial use
was to send back the vulnerable URL to a site which later used the
glibc issue to escalate to root.
--
Les Mikesell
lesmikesell at gmail.com
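The thread's working theory is bruteforced ssh passwords, and the only evidence left on the imaged hosts is old logs that logrotate had already deleted. The block below is an added example, not code from the thread or from the CentOS project: it takes a few constructed sshd auth-log lines (sample input, not from the compromised machines) and pulls out the two signals a responder would look for, a source IP with many failed logins and a later successful password login from that same IP after the failures. The threshold of 5 failures and the log format (RHEL/CentOS 5 style syslog sshd lines) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (assumed RHEL/CentOS 5 syslog format); not real data.
SAMPLE_LOG = """\
Dec  1 02:14:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Dec  1 02:14:03 host sshd[2203]: Failed password for root from 203.0.113.7 port 41030 ssh2
Dec  1 02:14:05 host sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 41041 ssh2
Dec  1 02:14:07 host sshd[2207]: Failed password for root from 203.0.113.7 port 41055 ssh2
Dec  1 02:14:09 host sshd[2209]: Failed password for root from 203.0.113.7 port 41063 ssh2
Dec  1 02:14:12 host sshd[2211]: Accepted password for root from 203.0.113.7 port 41070 ssh2
Dec  1 03:00:00 host sshd[2300]: Failed password for jdoe from 198.51.100.4 port 50001 ssh2
Dec  1 03:00:20 host sshd[2302]: Accepted publickey for jdoe from 198.51.100.4 port 50002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as "Accepted publickey for ...".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)


def parse_sshd_line(line):
    """Return a dict with result/method/user/ip for an sshd auth line, or None."""
    m = SSHD_RE.search(line)
    return m.groupdict() if m else None


def find_bruteforce(log_text, threshold=5):
    """Count failed logins per source IP and flag password logins that
    succeed from an IP that already crossed the failure threshold.
    Threshold of 5 is an assumed value, not from the thread."""
    failures = defaultdict(int)        # ip -> number of failed attempts seen so far
    users_tried = defaultdict(set)     # ip -> usernames attempted
    suspicious = []                    # successful password logins after a burst of failures
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            users_tried[ip].add(ev["user"])
        elif ev["method"] == "password" and failures[ip] >= threshold:
            suspicious.append({
                "ip": ip,
                "user": ev["user"],
                "failures_before": failures[ip],
                "users_tried": sorted(users_tried[ip]),
            })
    sources = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"bruteforce_sources": sources, "suspicious_logins": suspicious}


if __name__ == "__main__":
    report = find_bruteforce(SAMPLE_LOG)
    for ip, n in report["bruteforce_sources"].items():
        print(f"{ip}: {n} failed logins")
    for hit in report["suspicious_logins"]:
        print(f"password login as {hit['user']} from {hit['ip']} "
              f"after {hit['failures_before']} failures (users tried: {hit['users_tried']})")
```

On a real recovered log the interesting output is the second list: a password-authenticated login that lands right after a run of failures from the same address is the brute-force entry point the thread is talking about, while a single failure followed by a publickey login is ordinary noise. Anything recovered from a wiped ext3 image should be run through this with the threshold lowered, since the attacker's own wiping may have removed most of the failures.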