[CentOS] duqu

Wed Nov 30 18:40:26 UTC 2011
Johnny Hughes <johnny at centos.org>

On 11/30/2011 12:05 PM, m.roth at 5-cent.us wrote:
> There's an article on slashdot about the Duqu team wiping all their
> intermediary c&c servers on 20 Oct. Interestingly, the report says that
> they were all (?) not only linux, but CentOS. There's a suggestion of a
> zero-day exploit in openssh-4.3, but both the original article, and
> Kaspersky labs (who have a *very* interesting post of the story) consider
> that highly unlikely, and the evidence points to brute-force attacks
> against the root password. Then they update openssh and openssh-server.
> And then, at some point, they apparently take an ubuntu/debian openssh
> 5.9p1 (then p2) source package, and install *that*
> My manager suggest updating openssh to block other attackers (who actually
> might screw their attack). It still seems odd to me to yum update, then
> build the software from source.
> Are your root passwords strong?
>            mark
> PS: Oh, yes:
> <http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers>

The problem with that theory is that Red Hat has backported patches for
all know exploits.

I am going to specifically research which exploit they think is being
used ...

Now, note that people were running 5.2 or 5.3, etc and not 5.7 like they
should have been, so there might well have been an openssh exploit
available ... just not a zero day one from 4.3.

I am very interested and will be researching this thoroughly.

My initial gut reaction is that they got in via a password though.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20111130/f6b98404/attachment-0005.sig>