Gilbert Sebenste
2013-Feb-21 23:32 UTC
[CentOS] SSHD rootkit in the wild/compromise for CentOS 5/6?
Hello everyone,

I hope you are having a good day. However, I am concerned by this:

https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229

Has anyone heard yet what the attack vector is, if 5.9 and 6.4 are affected, and if a patch is coming out?

Thanks!

Gilbert

*******************************************************************************
Gilbert Sebenste                                                     ********
(My opinions only!)                                                   ******
*******************************************************************************
Johnny Hughes
2013-Feb-22 00:03 UTC
[CentOS] SSHD rootkit in the wild/compromise for CentOS 5/6?
On 02/21/2013 05:32 PM, Gilbert Sebenste wrote:
> Hello everyone,
>
> I hope you are having a good day. However, I am concerned by this:
>
> https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
>
> Has anyone heard yet what the attack vector is, if 5.9 and 6.4 are
> affected, and if a patch is coming out?
>

This issue is not CentOS specific ... here is another discussion:

http://www.webhostingtalk.com/showthread.php?t=1235797

The issue seems to be that someone with local access elevates their privileges in some manner, and after they upgrade their privileges they are then putting a new libkeyutils*.so file on the machine.

There is some talk that this vector might be this issue:

https://bugzilla.redhat.com/show_bug.cgi?id=911937

It is not yet known that this is the issue being used ... just speculation at this point.

There is a 3.4.32 kernel in our Xen4 for CentOS6 testing repo that has the patches rolled in for CVE-2013-0871. 3.4.32 is MUCH newer than the standard EL6 kernel and I am not recommending that people use this kernel in production without lots of testing ... and there should be a distro kernel out to address CVE-2013-0871 soon since it is a priority upstream.

Here is a link where you can get that 3.4.32 kernel (x86_64 only) if you want to test it:

http://dev.centos.org/centos/6/xen-c6/x86_64/RPMS/

No one really knows what the vector currently is, but there are methods to scan for and fix the issue in the webhostingtalk thread above.

Since the current thought on this issue is that it requires local access ... the machines one needs to be very wary of are ones where many people have non-root access and might want to try to gain unauthorized root ... like a shared web hosting machine.

When we know more, we will post it here.

Thanks,
Johnny Hughes
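Johnny's post says the compromise ends with a new libkeyutils*.so being dropped on the box and points at the webhostingtalk thread for scan scripts. The script below is an added example, not code from this thread or from the CentOS project: it lists every libkeyutils* file in a library directory and reports any that the package manager does not account for, which is the cheap first check for that kind of drop-in. The package name keyutils-libs and the directories /lib and /lib64 are assumptions about an EL5/EL6 host; the test files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: flag libkeyutils* files that no RPM manifest accounts for.
# This is not the scan method from the webhostingtalk thread; it is a
# minimal manifest comparison a practitioner can run on an EL host.

# Print every libkeyutils* file directly under DIR whose path is not
# listed in MANIFEST (one absolute path per line, e.g. rpm -ql output).
find_unlisted_libkeyutils() {
    dir=$1
    manifest=$2
    find "$dir" -maxdepth 1 -name 'libkeyutils*' 2>/dev/null | sort |
    while IFS= read -r f; do
        # grep -Fx: fixed string, whole line, so "libkeyutils.so.1" does
        # not silently match "libkeyutils.so.1.9".
        if ! grep -Fxq -- "$f" "$manifest"; then
            printf '%s\n' "$f"
        fi
    done
}

# On a real RPM host (assumed package name: keyutils-libs): build the
# manifest from the package, look for extra files, then run rpm -V so a
# replaced-but-still-listed file is caught by the checksum check.
scan_host() {
    manifest=$(mktemp) || return 1
    rpm -ql keyutils-libs > "$manifest" 2>/dev/null
    for d in /lib /lib64; do
        [ -d "$d" ] && find_unlisted_libkeyutils "$d" "$manifest"
    done
    rpm -V keyutils-libs
    rm -f "$manifest"
}

# Run the host scan only when executed directly, not when sourced.
case $0 in
    *keyutils_scan.sh) scan_host ;;
esac
```

Two caveats: rpm -V only verifies files the package lists, so an extra library file is invisible to it, which is why the manifest comparison comes first; and a rootkit that has already replaced libraries or the rpm binary can lie to both checks, so a clean result from on-host tools is weaker evidence than a comparison made from a rescue environment against a trusted package copy.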
Gilbert Sebenste
2013-Feb-22 02:33 UTC
[CentOS] SSHD rootkit in the wild/compromise for CentOS 5/6?
Thank you, Johnny, for that clarification, I appreciate it! I can relax a little now. :-)

Gilbert

*******************************************************************************
Gilbert Sebenste                                                     ********
(My opinions only!)                                                   ******
*******************************************************************************
Les Mikesell
2013-Feb-22 19:50 UTC
[CentOS] SSHD rootkit in the wild/compromise for CentOS 5/6?
On Thu, Feb 21, 2013 at 6:03 PM, Johnny Hughes <johnny at centos.org> wrote:
>
> This issue is not CentOS specific ... here is another discussion:
>
> http://www.webhostingtalk.com/showthread.php?t=1235797
>
> The issue seems to be that someone with local access elevates their
> privileges in some manner, and after they upgrade their privileges they
> are then putting a new libkeyutils*.so file on the machine.

But don't forget that what the kernel people call 'local' access really means any bug in any network application that lets you execute an arbitrary command even if it is non-root - and those have historically been pretty common.

--
Les Mikesell
lesmikesell at gmail.com