[CentOS] SSHD rootkit in the wild/compromise for CentOS 5/6?
Leon Fauster
leonfauster at googlemail.com
Fri Feb 22 21:35:42 UTC 2013
On 22.02.2013 at 21:11, Johnny Hughes <johnny at centos.org> wrote:
> On 02/22/2013 01:50 PM, Les Mikesell wrote:
>> On Thu, Feb 21, 2013 at 6:03 PM, Johnny Hughes <johnny at centos.org> wrote:
>>> This issue is not CentOS specific ... here is another discussion:
>>>
>>> http://www.webhostingtalk.com/showthread.php?t=1235797
>>>
>>> The issue seems to be that someone with local access elevates their
>>> privileges in some manner, and after they upgrade their privileges they
>>> are then putting a new libkeyutils*.so file on the machine.
>> But don't forget that what the kernel people call 'local' access
>> really means any bug in any network application that lets you execute
>> an arbitrary command even if it is non-root - and those have
>> historically been pretty common.
>
> Sure .. if you can execute code as a user when you are not supposed to
> have any access ... then you can elevate privileges by stringing things
> together after you get the unauthorized access.
>
> However, what people are seeing ... in practice today ... is that
> machines where there are multiple users and which are running control
> panel software SEEM to be most affected.
>
> Does that mean that a single user machine will never be compromised ...
> of course not.
>
> Obviously everyone who has any machines that in any way touch the
> Internet should be scanning/monitoring their machines for compromise on
> a routine basis. In my last post, I explained how to find out if you
> have this kit installed (look at the webhosttalk link from that post).
>
> Remember that the library files that are being put on the machines are
> not installed via an RPM but copied on as files ... and that only kernel
> branches > 3.4.32 (in the LTS branch), > 3.7.7 and > 3.8rc6 have had the
> patches applied. That means IF (and that is a big if) this is the input
> vector, then all Linux machines (not just CentOS or RHEL) with kernels
> older than those are susceptible to this issue.
I use the following script to scan top-level
directories for files that are not packaged:
#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
BASE=$(echo "$1" | grep ^/)
RPML=$(mktemp -t rpml.XXXXXXXXXX) || exit 1
# remove the temporary RPM file list on any exit, including usage errors
trap 'rm -f "$RPML"' EXIT
if [ -z "$BASE" ] ; then
    echo "Usage: $0 /directory"
    exit 1
fi
if ! [ -d "$BASE" ] ; then
    echo "Usage: $0 /directory"
    exit 1
fi
echo "Searching in $BASE"
# every file owned by any installed package, sorted
rpm -qla | sort > "$RPML"
# read find's output line by line so paths containing spaces stay intact;
# grep -F compares the path literally, so no escaping of [ is needed
find "$BASE" -type f | grep -v "/proc/" |
while IFS= read -r TARGET
do
    if ! grep -Fx -- "$TARGET" "$RPML" >/dev/null ; then
        echo "$TARGET"
    fi
done
exit 0
--
LF
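The same check written to scale to a scan of the whole filesystem, as an added example that is not code from this thread: instead of grepping the complete RPM file list once per file, both lists are sorted once and compared with comm(1), and a libkeyutils* shared object that no package owns is called out. The function names, the /proc, /sys and /dev pruning and the SUSPECT marker are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: report files under a directory that
# no installed RPM claims, by comparing two sorted lists with comm(1) instead
# of grepping the whole RPM file list once per file. A scan of / stays fast.
# Assumes rpm(8), find, sort and comm; file names are assumed newline-free.
set -u

# unpackaged_files RPM_LIST FOUND_LIST
# Both arguments name files holding one absolute path per line, in any order.
# Prints the paths present in FOUND_LIST that are absent from RPM_LIST.
# LC_ALL=C keeps sort and comm on the same collation, which comm requires.
unpackaged_files() {
    uf_rpm=$(mktemp) || return 1
    uf_found=$(mktemp) || { rm -f "$uf_rpm"; return 1; }
    LC_ALL=C sort -u "$1" > "$uf_rpm"
    LC_ALL=C sort -u "$2" > "$uf_found"
    LC_ALL=C comm -23 "$uf_found" "$uf_rpm"
    rm -f "$uf_rpm" "$uf_found"
}

# scan_dir DIR: build both lists from the live system and print the
# unpackaged files. /proc, /sys and /dev are pruned so a scan of / works.
scan_dir() {
    case "$1" in /*) ;; *) echo "Usage: scan_dir /directory" >&2; return 1 ;; esac
    [ -d "$1" ] || { echo "Usage: scan_dir /directory" >&2; return 1; }
    sd_rpm=$(mktemp) || return 1
    sd_found=$(mktemp) || { rm -f "$sd_rpm"; return 1; }
    rpm -qla > "$sd_rpm"
    find "$1" \( -path /proc -o -path /sys -o -path /dev \) -prune \
        -o -type f -print > "$sd_found"
    unpackaged_files "$sd_rpm" "$sd_found"
    rm -f "$sd_rpm" "$sd_found"
}

# When run with a directory argument, scan it and mark any unpackaged
# libkeyutils* shared object, the file the thread says the kit drops.
if [ -n "${1-}" ]; then
    scan_dir "$1" | awk '/\/libkeyutils[^\/]*\.so/ { print "SUSPECT: " $0; next } { print }'
fi
```

A packaged library that was overwritten in place is not caught by this list comparison; rpm -V on the owning package covers that case.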