[CentOS] SSHD rootkit in the wild/compromise for CentOS 5/6?

Guolin Cheng gcheng at salesforce.com
Tue Feb 26 17:57:43 UTC 2013


It makes some sense to follow RHEL's lead, but Gelen's suggestions gain more points here too.

As end users we can probably turn off the default prelink settings after the initial RHEL/CentOS installation; it is not rocket science.


On 2/26/13 8:10 AM, "Johnny Hughes" <johnny at centos.org> wrote:

On 02/25/2013 04:24 PM, Gelen James wrote:
> 'rpm -V' can be misleading if you take into account prelink, which runs through cron by default on Red Hat/CentOS boxes. I've shown the steps to reverse the effect of prelink in the comments section at https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229?storyid=15229. I'm afraid that 'rpm -V' alone will make a lot of noise or false alarms.
>
> But in general, maybe it is a good time to turn off prelink, or, more aggressively, to remove the prelink packages from CentOS 5/6? Prelink is said to bring some performance boost, but who really cares in the era of tens of CPUs? Nowadays, and later on, we are -- and will be -- more concerned about security threats than a 3~5 percent CPU/performance gain, right?

RHEL does prelinking by default, we therefore will never turn it off in
CentOS by default.
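The point raised above is that `rpm -V` compares a binary's current digest with the one recorded at install time, and prelink rewrites the binary on disk, so every prelinked file looks modified. The script below is an added example, not code from the thread or from the CentOS project: it undoes prelinking in memory with `prelink -y` (which prints the original bytes) before hashing, then compares the result with the digest in the RPM database (`rpm --dump` field 4; 32 hex characters for the MD5 used on CentOS 5, 64 for the SHA-256 used on CentOS 6). It assumes a CentOS 5/6 host with `rpm` installed and falls back to hashing the file directly when `prelink` is absent or the file was never prelinked.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify one binary against
# the RPM database after reversing prelink, so prelinked files do not show up
# as false "modified" hits the way they do with plain 'rpm -V'.
set -u

# Pick the checksum tool that matches the digest length rpm recorded:
# 32 hex chars = MD5 (CentOS 5 packages), 64 = SHA-256 (CentOS 6 packages).
digest_tool() {
    case "${#1}" in
        32) echo md5sum ;;
        64) echo sha256sum ;;
        *)  return 1 ;;
    esac
}

# Hash the file's content as it was before prelink touched it.
# 'prelink -y' writes the original bytes to stdout; on a file that was never
# prelinked (or when prelink is not installed) we hash the file as it is.
unprelinked_digest() {
    file=$1; tool=$2
    tmp=$(mktemp)
    if command -v prelink >/dev/null 2>&1 && prelink -y "$file" > "$tmp" 2>/dev/null; then
        "$tool" < "$tmp" | awk '{print $1}'
    else
        "$tool" < "$file" | awk '{print $1}'
    fi
    rm -f "$tmp"
}

# Digest that rpm recorded at install time for this path (field 4 of --dump).
packaged_digest() {
    rpm -qf --dump "$1" 2>/dev/null | awk -v f="$1" '$1 == f { print $4 }'
}

# Exit status: 0 = content matches the package database,
#              1 = content differs (investigate), 2 = cannot decide.
check_binary() {
    expected=$(packaged_digest "$1")
    [ -n "$expected" ] || { echo "$1: not owned by any installed package"; return 2; }
    tool=$(digest_tool "$expected") || { echo "$1: unrecognised digest format"; return 2; }
    actual=$(unprelinked_digest "$1" "$tool")
    if [ "$actual" = "$expected" ]; then
        echo "$1: OK"
    else
        echo "$1: MISMATCH (rpm=$expected on-disk=$actual)"
        return 1
    fi
}

# Typical use on the box in question (run as root so rpm can read the database):
#   check_binary /usr/sbin/sshd
#   check_binary /usr/bin/ssh
```

A mismatch reported this way is worth looking at, because prelinking has already been discounted; a match says only that the bytes equal what the package installed, so a replaced package or a tampered RPM database still needs separate checks (for example verifying package signatures with `rpm -K`).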

