[CentOS] SSHD rootkit in the wild/compromise for CentOS 5/6?

Leon Fauster leonfauster at googlemail.com
Fri Feb 22 21:35:42 UTC 2013


On 22.02.2013 at 21:11, Johnny Hughes <johnny at centos.org> wrote:
> On 02/22/2013 01:50 PM, Les Mikesell wrote:
>> On Thu, Feb 21, 2013 at 6:03 PM, Johnny Hughes <johnny at centos.org> wrote:
>>> This issue is not CentOS specific ... here is another discussion:
>>> 
>>> http://www.webhostingtalk.com/showthread.php?t=1235797
>>> 
>>> The issue seems to be that someone with local access elevates their
>>> privileges in some manner, and after they upgrade their privileges they
>>> are then putting a new libkeyutils*.so file on the machine.
>> But don't forget that what the kernel people call 'local' access
>> really means any bug in any network application that lets you execute
>> an arbitrary command even if it is non-root - and those have
>> historically been pretty common.
> 
> Sure .. if you can execute code as a user when you are not supposed to
> have any access ... then you can elevate privileges by stringing things
> together after you get the unauthorized access.
> 
> However, what people are seeing ... in practice today ... is that
> machines where there are multiple users and which are running control
> panel software SEEM to be most affected.
> 
> Does that mean that a single user machine will never be compromised ...
> of course not.
> 
> Obviously everyone who has any machines that in any way touch the
> Internet should be scanning/monitoring their machines for compromise on
> a routine basis.  In my last post, I explained how to find out if you
> have this kit installed (look at the webhosttalk link from that post).
> 
> Remember that the library files that are being put on the machines are
> not installed via an RPM but copied on as files ... and that only kernel
> branches > 3.4.32 (in the LTS branch), > 3.7.7 and > 3.8rc6 have had the
> patches applied.  That means IF (and that is a big if) this is the input
> vector, then all Linux machines (not just CentOS or RHEL) with kernels
> older than those are susceptible to this issue.



I use the following script to scan top-level
directories for files that are not packaged:


#!/bin/sh
# List regular files under a directory that are not owned by any installed RPM.

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
BASE=$(echo "$1" | grep '^/')

# the directory must be given as an absolute path and must exist
if [ -z "$BASE" ] || ! [ -d "$BASE" ] ; then
 echo "Usage: $0 /directory"
 exit 1
fi

RPML=$(mktemp -t rpml.XXXXXXXXXX) || exit 1
# remove the temp file however the script exits
trap 'rm -f "$RPML"' EXIT

echo "Searching in $BASE"

# every path owned by an installed package, one per line
rpm -qla | sort > "$RPML"

# Skip /proc entirely instead of listing it and filtering afterwards.
# grep -F matches the file names literally (no regex metacharacters, so
# no escaping of '[' or '.' is needed), -x requires a whole-line match,
# and -v prints the paths that are NOT in the package list. Piping the
# find output straight into grep also keeps file names containing
# spaces intact.
# Note: this reports only paths that no package owns; a packaged file
# whose contents were replaced is found with 'rpm -Va' instead.
find "$BASE" -path /proc -prune -o -type f -print | grep -vxFf "$RPML"

exit 0


--
LF