[CentOS] duqu

Tue Dec 6 22:57:55 UTC 2011
Les Mikesell <lesmikesell at gmail.com>

On Tue, Dec 6, 2011 at 3:45 PM, Johnny Hughes <johnny at centos.org> wrote:
>
>>>> Any luck on the specific attack path yet?  The linked article
>>>> suggests Centos up to 5.5 was vulnerable.
>>>
>>> We don't have access to the actual machines that were broken into - so
>>> pretty much everything is second hand info.
>>>
>>> But based on what we know and what we have been told and what we have
>>> worked out ourselves as well, it's almost certainly brute-forced ssh
>>> passwords.
>>
>> So, coincidence that they were CentOS, and pre-5.6?  Did they have
>> admins in common?
>>
>
> Kaspersky has access to the images ... but they were mostly
> cleaned/erased and only what they can recover from erased ext3 files are
> there to see.
>
> The attackers used something to 00000 out the files that they wanted to
> wipe directly ... so only things like old logs (that were deleted by
> logrotate and not wiped by the attackers) are on there.
>
> There is one major possibility for something that could be an entry
> point besides brute force, and that is exim:
>
> http://rhn.redhat.com/errata/RHSA-2010-0970.html
>
> However, they do not know yet if exim was in use on those machines.
>
> Note: CentOS released our update within 24 hours of that update from
> upstream ... but people who have < 5.5 and exim are vulnerable to that.
>

Does this circle get any wider if you assume that some 3rd party
library (like the old struts exploit I mentioned) in a web app allows
some arbitrary command execution and the OS weakness is rated as a
local-only root exploit?  The one I saw looked like the first step
was a wide scan for the ability to run a command, and the initial use
was to send back the vulnerable URL to a site which later used the
glibc issue to escalate to root.

-- 
   Les Mikesell
     lesmikesell at gmail.com
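The thread's working theory is brute-forced ssh passwords, with only old logrotate-deleted logs left to examine. Below is an added example, not part of this thread or of CentOS, showing the kind of check a defender would run over recovered sshd log lines: it parses the `/var/log/secure` format used on CentOS 5 and flags any source that racked up a run of failed passwords and then got a password login accepted. The log lines are constructed for the example; the host name, IPs, user names and the threshold of five failures are assumptions, not data from the incident.

```python
import re
from collections import defaultdict

# Constructed sample lines in CentOS 5 /var/log/secure (syslog) format.
# Nothing here comes from the compromised machines discussed in the thread.
SAMPLE_LOG = """\
Dec  1 03:12:01 build01 sshd[4120]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Dec  1 03:12:03 build01 sshd[4122]: Failed password for invalid user oracle from 198.51.100.23 port 51030 ssh2
Dec  1 03:12:05 build01 sshd[4124]: Failed password for root from 198.51.100.23 port 51041 ssh2
Dec  1 03:12:07 build01 sshd[4126]: Failed password for root from 198.51.100.23 port 51055 ssh2
Dec  1 03:12:09 build01 sshd[4128]: Failed password for root from 198.51.100.23 port 51060 ssh2
Dec  1 03:12:11 build01 sshd[4130]: Accepted password for root from 198.51.100.23 port 51071 ssh2
Dec  1 09:40:12 build01 sshd[5201]: Accepted publickey for les from 192.0.2.10 port 40022 ssh2
Dec  1 10:02:44 build01 sshd[5333]: Failed password for les from 192.0.2.10 port 40100 ssh2
Dec  1 10:02:50 build01 sshd[5335]: Accepted password for les from 192.0.2.10 port 40101 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted password|publickey for X from IP"; trailing " ssh2" is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_lines(text):
    """Return a list of dicts (ts, result, method, user, ip) for sshd auth lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_bruteforce_logins(text, threshold=5):
    """Flag password logins that follow >= threshold failures from the same IP.

    Failures are counted per source IP in log order, so a successful
    password login is only reported once the guessing run preceding it
    has reached the threshold (assumed value, tune per site).
    """
    failures = defaultdict(int)
    failed_users = defaultdict(set)
    findings = []
    for ev in parse_sshd_lines(text):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            failed_users[ip].add(ev["user"])
        elif ev["method"] == "password" and failures[ip] >= threshold:
            findings.append({
                "ip": ip,
                "user": ev["user"],
                "time": ev["ts"],
                "failures_before_success": failures[ip],
                "usernames_tried": sorted(failed_users[ip]),
            })
    return findings


def noisy_sources(text, threshold=5):
    """Return {ip: failure_count} for every source at or above the threshold."""
    counts = defaultdict(int)
    for ev in parse_sshd_lines(text):
        if ev["result"] == "Failed":
            counts[ev["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in find_bruteforce_logins(SAMPLE_LOG):
        print("brute-forced login: %(user)s from %(ip)s at %(time)s "
              "after %(failures_before_success)d failures, tried %(usernames_tried)s" % f)
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

On a real recovery the same functions can be fed the text of rotated `secure.N` files carved off the ext3 image; the only caveat is that the syslog timestamp carries no year, so ordering across a year boundary has to come from file order rather than the `ts` field.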