VectorLinux
Topic: New rootkit in the wild
retired1af
« on: February 19, 2013, 04:56:08 am »

http://www.webhostingtalk.com/showthread.php?t=1235797

Read it and weep. **sigh**

ASUS K73 Intel i3 Dual Core 2.3GHz
The Headacher
« Reply #1 on: February 19, 2013, 06:20:41 am »

I gave up after about 12 pages of replies. Is there a catch somewhere? While I'm interested in computer security, I don't know enough to understand everything going on there. I do get the feeling that it's mostly the server OSes that should worry, since their 'tools' seem to be targeted by this rootkit.

Anyhow, for desktops SSHD is often unneeded (and disabled by default in VL), so I reckon most of our users should be fine.

Most music on my soundcloud page was arranged in programs running on VL.
retired1af
« Reply #2 on: February 19, 2013, 07:02:54 am »

The infection route is NOT through sshd. They don't know the infection route yet. Some of the affected servers had sshd blocked or turned off.

ASUS K73 Intel i3 Dual Core 2.3GHz
The Headacher
« Reply #3 on: February 19, 2013, 07:18:15 am »

> The infection route is NOT through sshd
But while the computer may be infected by the rootkit, its primary goal seems to be to give the hacker access to the system using SSHD. So even IF a VL computer catches the file, there's still a pretty good chance that SSHD is not enabled, which should mean no root access to the system for the hacker. But I agree that ideally you don't want the rootkit to be installed in the first place.

Most music on my soundcloud page was arranged in programs running on VL.
The Headacher
« Reply #4 on: February 19, 2013, 10:08:41 am »

This post seems to suggest that it's limited to Red Hat/CentOS-like Linuxes, which would make sense since those are probably the biggest players in the 'enterprise' market (more data to be stolen or faster computers/connections to be used) and closely related. So, even though this is nasty for certain people, this problem might not be a biggie to us.

Still, interesting subject. I don't usually consider the possibility of attracting malicious software of any kind to my Linux install; maybe I should take some more precautions.

Most music on my soundcloud page was arranged in programs running on VL.
retired1af
« Reply #5 on: February 19, 2013, 01:07:25 pm »

> This post seems to suggest that it's limited to Red Hat/CentOS-like Linuxes, which would make sense since those are probably the biggest players in the 'enterprise' market (more data to be stolen or faster computers/connections to be used) and closely related. So, even though this is nasty for certain people, this problem might not be a biggie to us.
>
> Still, interesting subject. I don't usually consider the possibility of attracting malicious software of any kind to my Linux install; maybe I should take some more precautions.

You assume that everyone here runs just VL. That is not true. I, for one, also run a server that has CentOS. I'm sure there are other members who also do so.

ASUS K73 Intel i3 Dual Core 2.3GHz
The Headacher
« Reply #6 on: February 19, 2013, 02:10:22 pm »

> I, for one, also run a server that has CentOS.
Heretic! :D

I meant that for VectorLinux users this particular rootkit might not be a problem. When they use CentOS, they morph into CentOS users and are no longer Vector users (and vice versa) :P

Joking aside, I was just relieved that our beloved VL was probably not at risk from this particular threat; I use VL for all my Linux needs. Of course this is still a major concern to those using the affected OSes.
« Last Edit: February 19, 2013, 02:15:18 pm by The Headacher »

Most music on my soundcloud page was arranged in programs running on VL.
retired1af
« Reply #7 on: February 19, 2013, 05:19:38 pm »

Debian just made the list.

http://www.webhostingtalk.com/showpost.php?p=8566080&postcount=744

I'm inclined to agree with those that suspect the infection route is via a workstation logging into the server. Especially with all the java exploits that have been in the press recently.

ASUS K73 Intel i3 Dual Core 2.3GHz
overthere
« Reply #8 on: February 20, 2013, 01:23:54 am »

Another cPanel exploit. The last was 0-day? One can hope for a quick understanding of the exploit; at least there is a quick fix of sorts. It is advised not to indulge in scripts floating around the internet that claim to solve the issue.


http://24x7servermanagement.com/blog/?tag=libkeyutils-so-1-9

Everything Is Relative
retired1af
« Reply #9 on: February 20, 2013, 01:31:23 am »

It is NOT a cPanel exploit. Many systems running other management packages have also been affected. Whoever posted that didn't read the thread and is an idiot.
« Last Edit: February 20, 2013, 01:56:20 am by retired1af »

ASUS K73 Intel i3 Dual Core 2.3GHz
overthere
« Reply #10 on: February 20, 2013, 02:02:19 am »

Well, there have been other cPanel exploits. I am likely an idiot, but the question would really be: is there any value in the quick fix? I have seen little else to ease the fear of not knowing.

Everything Is Relative
retired1af
« Reply #11 on: February 20, 2013, 03:35:42 am »

There have been other types of exploits as well. Regardless of what's occurred in the past, this is a new critter. Machines with cPanel, Plesk, DirectAdmin, etc. have been infected.

It's a root kit. There is no quick fix as the entire system is now suspect if you're infected. The only sure method of fixing it is a complete reinstall from scratch.
« Last Edit: February 20, 2013, 03:39:19 am by retired1af »

ASUS K73 Intel i3 Dual Core 2.3GHz
overthere
« Reply #12 on: February 20, 2013, 04:48:14 am »

Well... a reinstall would seem futile at this point, as some systems are reinfected, but safeguards would be pertinent. It appears port 22 is a target, but when not found another is sought. There has been an IP identified, from Spain?

Everything Is Relative
retired1af
« Reply #13 on: February 20, 2013, 04:55:44 am »

Security through obscurity is not security. It doesn't matter if you use port 22 for SSH or another one. I could find it easily enough with a simple port scan. However, SSH keys should be used in lieu of password authentication. Far too many still think password123 is a good password. >.<

ASUS K73 Intel i3 Dual Core 2.3GHz
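The point made above (key-based SSH authentication instead of passwords, regardless of which port sshd listens on) is easy to check against a server's own configuration. The script below is an added example, not something posted in this thread or shipped by VectorLinux: it writes two constructed sshd_config fragments (a weak one and a hardened one), reads the effective value of each keyword the way sshd does (first occurrence wins, keywords case-insensitive), and reports whether password logins are still possible. Treating an unset PermitRootLogin as "yes" is a deliberately conservative assumption made here, matching the pre-OpenSSH 7.0 default.

```shell
#!/bin/sh
# Constructed sample configs (not from the thread): a weak and a hardened sshd_config.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# weak: root may log in with a password; password auth left on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARD_CFG" <<'EOF'
# hardened: keys only; root may use a key but never a password
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

# sshd_option FILE KEYWORD
# Prints the effective value of KEYWORD: comments and blank lines are skipped,
# keywords compare case-insensitively, and the first match wins (as in sshd).
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { if (tolower($1) == key) { print $2; exit } }
    ' "$1"
}

# keys_only FILE
# Returns 0 when password authentication is off, public-key authentication is on
# (sshd default: yes) and root cannot log in with a password; otherwise returns 1.
# Unset PermitRootLogin is assumed to be "yes" (conservative, pre-OpenSSH 7.0 default).
keys_only() {
    pw=$(sshd_option "$1" PasswordAuthentication)
    pk=$(sshd_option "$1" PubkeyAuthentication)
    root=$(sshd_option "$1" PermitRootLogin)
    [ "${pw:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ] && [ "${root:-yes}" != "yes" ]
}

for f in "$WEAK_CFG" "$HARD_CFG"; do
    if keys_only "$f"; then
        echo "$f: key-only authentication"
    else
        echo "$f: password logins still possible"
    fi
done
```

On a live host, `sshd -T` prints the effective configuration after defaults and any `Match` blocks are applied; this parser reads a single file top to bottom and does not evaluate `Match` blocks, so use it as a quick sanity check rather than the final word.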
overthere
« Reply #14 on: February 20, 2013, 06:51:23 am »

We are all reading the same threads; available safeguards would be pertinent, if not stating the obvious. What are you implying?

http://www.baekdal.com/insights/password-security-usability
« Last Edit: February 20, 2013, 10:06:16 am by overthere »

Everything Is Relative