[important] Exploit!

Don't understand the focus on ssh while on the first page of the WHT thread a fairly reputable guy (apparently) posted

It's unlikely it's ssh, found a box that had the file but ssh was disabled with a hw firewall.
 
Don't understand the focus on ssh while on the first page of the WHT thread a fairly reputable guy (apparently) posted

I think everything and anything is just being thrown in the air currently as no one knows even where this is happening from at this point let alone how to stop it. Several of the very best security admins in the industry have been non-stop on this for over 48 hours now and still have no clue. On the black hat side too, no info is anywhere to be found how this was found either.
 
I've noticed from reading the whole thread on WHT that no one has definitively answered whether password auth enabled in SSH appears to be the main culprit either. I've got 2 CentOS VPS that aren't affected by this.
 
So.... their "fix" is to add an IP block.

Any suggestions for people that don't have a static IP? Based on the fact it isn't mentioned, I guess key authentication doesn't fix the problem...?
 
I guess key authentication doesn't fix the problem...?
That still looks to be unclear. There is only one mention of someone not allowing password login from that thread. All the others seem to be allowing password authentication to SSH.
 
In the end someone will find the cause although this is the first time I can remember where an exploit cause wasn't found within a few hours. Whoever did this must be very good at what they do.

I do know that if your server is affected by this the only real option is to re-install the OS. This is a root exploit and who knows what else they dropped on the box that hasn't been discovered yet..
 
So.... their "fix" is to add an IP block.

Any suggestions for people that don't have a static IP? Based on the fact it isn't mentioned, I guess key authentication doesn't fix the problem...?


Correct, it is still unknown yet. If you don't have a static IP, I'd say invest 5 bucks and get a VPN account and set it to that IP then just SSH via VPN in. Yes it's not 100% secure, but still safer than allowing full access. Also be sure to disable root login so SU has to be used.
 
Probably would make no difference if it's true that it doesn't spawn a shell (iirc)

Well, I have gone ahead and taken as many precautions as I can. It appears I am not affected (Centos 6.3) and I have root login disabled. Just changed the port as well and set up only my two usernames as approved to login.
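As an added example (not code from this thread, and unrelated to whatever the actual exploit turns out to be), a POSIX shell audit of the sshd_config settings this post mentions: root login, password authentication, AllowUsers and the port. It assumes the config is passed in as a file path and uses a constructed sample config; the sample shows the common mistake of appending a hardening line below an earlier value, which sshd ignores because it keeps the first value it reads for each keyword.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the global section of an
# sshd_config for the settings discussed above. sshd keeps the FIRST value
# it reads for each keyword, so a hardening line appended below an earlier
# "PermitRootLogin yes" is ignored; lines inside a "Match" block are skipped.
# Print the effective value of keyword $2 in config $1 (empty if unset).
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/  { next }   # comments and blank lines
        tolower($1) == "match"    { exit }   # conditional section starts here
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit   # first match wins
        }' "$1"
}
# One line per check; the return status is the number of weak settings found.
sshd_audit() {
    cfg="$1"; weak=0
    root=$(sshd_effective "$cfg" PermitRootLogin);      root=${root:-yes}  # historic default
    pw=$(sshd_effective "$cfg" PasswordAuthentication); pw=${pw:-yes}      # sshd default
    port=$(sshd_effective "$cfg" Port);                 port=${port:-22}
    users=$(sshd_effective "$cfg" AllowUsers)
    case "$root" in
        no) echo "OK   PermitRootLogin no" ;;
        *)  echo "WEAK PermitRootLogin ${root}"; weak=$((weak + 1)) ;;
    esac
    case "$pw" in
        no) echo "OK   PasswordAuthentication no" ;;
        *)  echo "WEAK PasswordAuthentication ${pw}"; weak=$((weak + 1)) ;;
    esac
    if [ -n "$users" ]; then echo "OK   AllowUsers ${users}"
    else echo "WEAK AllowUsers unset (every account may log in)"; weak=$((weak + 1)); fi
    echo "INFO Port ${port} (a non-standard port is obscurity, not a control)"
    return $weak
}
# Constructed sample config (not from any real server): the admin appended
# "PermitRootLogin no" without noticing the earlier "yes" that still wins.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 2222
PermitRootLogin yes
PasswordAuthentication no
AllowUsers alice bob
PermitRootLogin no
Match User alice
    PasswordAuthentication yes
EOF
}
tmp=$(mktemp); write_sample_config "$tmp"
sshd_audit "$tmp" || echo "weak settings found: $?"
rm -f "$tmp"
```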
 
Well, I have gone ahead and taken as many precautions as I can. It appears I am not affected (Centos 6.3) and I have root login disabled. Just changed the port as well and set up only my two usernames as approved to login.
Boxes with root login disabled and on non-standard ports were also infected. It also looks like it has morphed as some are finding different files being dropped.
 
Boxes with root login disabled and on non-standard ports were also infected. It also looks like it has morphed as some are finding different files being dropped.

Crazy. I don't run any control panel and keep everything updated, including kernel. Hopefully it misses me.
 
Sounds like people are rewriting the attack vectors.

Yeap, the news spread quickly so they are already renaming files and changing call home IPs.

The Mayans warned of the apocalypse, but they forgot to mention the end of the internet followed shortly behind.

Facebook was hacked earlier today, hasn't been confirmed or denied if it was a result of this or not.
 
Per the Reddit thread, they seemed to highlight this issue within exim: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5671

I have removed exim just in case. All my mail is sent via SMTP anyways.

If you want to remove Exim and keep crontab and the rest of the dependencies that it will try to remove, first install sendmail.

yum install sendmail

This will allow you to remove exim without removing crontab and cronie.

Make sure you know what you are doing when removing exim in the first place though.
 